Software code sits at the heart of how your application works. It is also one of the key ways in which cyber-attacks happen. If your code has vulnerabilities, your entire app might be compromised, because vulnerabilities are weaknesses that cybercriminals can exploit. Preventing cybersecurity incidents starts at the very beginning, with the software code itself. This article looks at the practice of secure coding and why it’s a vital discipline to understand.
What is Meant by Secure Coding?
When a software developer writes software code, they need to consider many things. This includes how to express the architecture and design requirements of the application, how to keep the code optimized and efficient, and also how to make sure the code is secure. Secure code will help to prevent many cyber-attacks from happening because it removes the vulnerabilities many exploits rely on.
If your software has a security vulnerability, it can be exploited. The WannaCry ransomware attack of 2017 exploited a Windows protocol vulnerability. Software vulnerabilities are rampant: a search of the National Institute of Standards and Technology (NIST) vulnerability list shows that in the last 3 years there have been 40,569 application vulnerabilities.
When a company applies a culture of secure coding, they are working towards minimizing the vulnerabilities in their code.
How Do You Code Securely?
Secure coding practices are well documented. The Open Web Application Security Project (OWASP) has created a set of guidelines on how to code securely. Within this guide, they offer a checklist of items that you can use to make sure your code is as secure as possible. A sample of the areas covered in the guidelines:
- Data input validation: This covers numerous aspects of data source and data validation, for example, checking the length and date range of a piece of data. Data validation checks help to secure web applications from cyber-attacks.
- Authentication and password management: Coding also involves software architecture. This section has many advisories which sit at the cross-section of coding and architecture.
- Cryptographic Practices: The guide suggests that any cryptographic modules used be compliant with FIPS 140-2 or an equivalent standard.
- Error Handling and Logging: This is a crucial area, and one that can leak data if it is not coded securely.
- Data Protection: The guidelines for the protection of data include advice on storing passwords securely and how to avoid data leaks via HTTP GET.
- Communication Security: Advisories on how to protect data during transit, for example, using TLS connections.
When a software architect sets out the architectural design of an application and the programmer creates code based on those dictates, they should use the OWASP guidelines as their secure coding crib sheet.
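As an added illustration (not taken from the OWASP guide or from this article), the sketch below combines two of the checklist items above: input validation by length and date range, and error handling that logs detail on the server while returning only a generic message to the client. The booking form, its field names, the limits and the logger name are all assumptions made for the example.

```python
import logging
import re
import uuid
from datetime import date, timedelta

log = logging.getLogger("booking")  # hypothetical application logger

# Allow-list: starts with a letter, 1 to 64 characters in total.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")  # fixed length and shape
MAX_DAYS_AHEAD = 365  # assumed business rule


class ValidationError(ValueError):
    """Carries only the name of the failing field, never the raw input."""


def validate_booking(form, today):
    """Return a cleaned dict, or raise ValidationError naming the bad field."""
    name = form.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name.strip()):
        raise ValidationError("name")
    raw = form.get("date")
    if not isinstance(raw, str) or not DATE_RE.fullmatch(raw):
        raise ValidationError("date")
    try:
        when = date.fromisoformat(raw)  # rejects impossible dates such as 02-30
    except ValueError:
        raise ValidationError("date") from None
    # Range check: not in the past, not further ahead than the rule allows.
    if not today <= when <= today + timedelta(days=MAX_DAYS_AHEAD):
        raise ValidationError("date")
    return {"name": name.strip(), "date": when}


def handle_request(form, today):
    """Return (status, body); rejection details go to the log, not the client."""
    try:
        booking = validate_booking(form, today)
    except ValidationError as exc:
        ref = uuid.uuid4().hex[:8]  # lets support correlate the log entry
        log.warning("rejected booking ref=%s field=%s", ref, exc)
        return 400, {"error": "invalid input", "ref": ref}
    return 200, {"name": booking["name"], "date": booking["date"].isoformat()}
```

The client response never echoes the submitted value or a stack trace; the reference id is the only link back to the server-side log entry.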
Secure coding does not stop at the programming stage. Other areas that need to be part of a holistic approach to creating secure code include:
- A system based on ‘least privilege’: Keeping access to any code on a need-to-know basis will help prevent any malicious execution of insecure code. This can be particularly tricky when using outsourced developers or development companies.
- Defense in depth: Keep on layering defensive strategies as the code gets promoted through to production. Make sure your runtime environments are as secure as your code.
- Practice good quality assurance: Use various assurance programs such as code reviews and pen testing to ensure quality.
Resources for Successful Secure Coding
Keeping your development team trained and in touch with the latest secure coding techniques is crucial. You can’t expect programmers to simply know how to code securely; they need to be trained and aware. Below are some useful resources to help you and your team on a path to creating secure code.
- OWASP – We’ve already mentioned OWASP’s Secure Coding Practices. The OWASP Developer Guide is also a useful foundation stone for secure coding. Also, check out their tool that looks for dependencies and publicly disclosed vulnerabilities that might impact your project.
- Microsoft’s bible on secure coding: https://msdn.microsoft.com/en-us/aa570401
- Books are always useful to dip into when learning about secure coding techniques. Some examples include: “24 Deadly Sins of Software Security” and “Secure Coding: Principles and Practices”
- Check out the ‘secure coding framework’, again an OWASP initiative. There are organizations who will help train your staff in secure coding techniques based on this framework.
- Secure coding standards, e.g. SEI CERT, which is overseen by Carnegie Mellon University, offer support and guidance in secure coding for a variety of programming languages.
- Code checking firms can be used to review your code. Firms such as Checkmarx and CAST Software will use specialist analysis tools to look for vulnerabilities and assess software quality.
- Understand how to apply the Software Development Life Cycle (SDLC) to secure coding. Using an SDLC approach will help you to ensure that security filters through all parts of the development lifecycle.
- Secure coding tutorials from RedHat
Secure Code for a Competitive Edge
Security starts with your code, and creating secure code is a vital part of creating a great software product. Insecure coding practices not only leave your customers at risk, but they will also impact the reputation of your company. Applying the tenets of the OWASP secure coding guidelines is a good place to start. Producing demonstrably secure software can not only allow you to prevent cyber-attacks but also give your organization a competitive edge.