M7: Poor Code Quality

Learn about poor code quality risks in web security, like buffer overflows and format string vulnerabilities. Follow best practices to prevent code quality issues.

Overview

This article discusses the concept of poor code quality and its impact on the security of a website. It covers the various threat agents, attack vectors, security weaknesses, technical impacts, and business impacts associated with poor code quality. The article also provides information on how to prevent poor code quality and includes an example attack scenario. Overall, it highlights the importance of maintaining good code quality practices to mitigate security risks.


Description

Poor code quality refers to implementation problems in the mobile client that can lead to security vulnerabilities. This includes issues like buffer overflows, format string vulnerabilities, and other code-level mistakes. The risk comes from using the wrong API, using an API insecurely, using insecure language constructs, or other code-level issues. Maintaining consistent coding patterns, writing well-documented code, validating buffer lengths, using third-party static analysis tools, and prioritizing the resolution of buffer overflows and memory leaks are some ways to prevent poor code quality.


How to Prevent?

To prevent poor code quality, it is important to follow these practices:

  • Maintain consistent coding patterns that everyone in the organization agrees upon.
  • Write code that is easy to read and well-documented.
  • When using buffers, always validate the lengths of any incoming buffer data.
  • Use third-party static analysis tools to identify buffer overflows and memory leaks.
  • Prioritize solving buffer overflows and memory leaks over other code quality issues.


Example Attack Scenarios:

  • Buffer Overflow example:  In this example, a buffer overflow vulnerability is demonstrated using the 'gets' function. By reading more data than the buffer can hold, an attacker can overwrite adjacent memory and potentially execute malicious code. This is a common code quality issue that can be exploited to gain unauthorized access or cause a denial of service.
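
The `gets` pattern from the scenario beside a length-validating replacement, as an added example that is not code from the original page. The names `NAME_CAP`, `read_line_bounded` and `check_input` and the sample inputs are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16 /* constructed buffer size for this example */

/* Vulnerable pattern from the scenario (kept as a comment: gets() was
 * removed in C11 because it has no way to know the buffer size):
 *     char name[NAME_CAP];
 *     gets(name);   // writes past name[] once the line has 16+ characters
 */

/* Hardened form: read one line into dst (capacity cap) and validate length.
 * Returns 0 on success, -1 on EOF/error, -2 when the line does not fit;
 * an oversized line is drained and rejected, never truncated silently. */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (!in || !dst || cap < 2 || cap > INT_MAX) return -1;
    dst[0] = '\0';
    if (!fgets(dst, (int)cap, in)) return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') { dst[len - 1] = '\0'; return 0; }
    int c = fgetc(in);                   /* no newline stored: look ahead */
    if (c == EOF || c == '\n') return 0; /* line filled the buffer exactly */
    while (c != EOF && c != '\n') c = fgetc(in); /* drain the rest */
    dst[0] = '\0';
    return -2;
}

/* Hypothetical helper: feeds a constructed input string through a temp file. */
int check_input(const char *input, char *dst, size_t cap)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_line_bounded(f, dst, cap);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[NAME_CAP];
    printf("short: %d\n", check_input("alice\n", name, sizeof name));
    printf("long:  %d\n", check_input("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", name, sizeof name));
    return 0;
}
```

Rejecting the oversized line instead of truncating it keeps the leftover bytes from being read as the next input line.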
