Secure Coding Practices, Part 9: Performance

by Steven McElwee, CISSP

One of the security professional's concerns is the availability of systems. Although this may seem like the sole responsibility of the IT operations department, security assesses the risk to the availability of critical information assets. This is because attackers may not care about retrieving information or gaining access to your systems. They may simply want to attack your system to make it unavailable for normal use.

The most common term for this type of attack is Denial of Service (DoS). A DoS attack may be intentional or be caused by misconfiguration of another system. As a result, applications must be able to perform well under stressful operation.

Performance factors vary widely depending on the server, operating system, third party software, and software languages.

When reviewing source code, ask these questions to help uncover potential performance problems:

• Is the application thread-safe?
• Are variables encapsulated to limit their scope and prevent sharing between processes?
• Are efficient algorithms used?
• Are database transactions clearly defined and not subject to deadlocks?
• Are database tables indexed appropriately?
• Are file handles and connections to external systems explicitly closed?
• Are all variables that are initialized actually used?
  

It is better to find potential performance problems before there is a production outage, so that you can look at the source code thoroughly and objectively.