Getting your secure coding practices in order

Coding is at the heart of technology. It’s what built billion-dollar businesses and helped humans land a rocket on the moon. But it isn’t only about programming. It’s sometimes about how it’s coded as well. This is vital, particularly for security. Incorrect coding practices could lead to serious security flaws in systems.

Take OWASP’s list of top vulnerabilities for 2017. Vulnerabilities like injection and broken authentication are elements that can be looked at the initial stage of development. Following proper security coding practices would save the trouble of compromised systems. OWASP’s own Software Assurance Maturity Model (SAMM) is a good starting point.

OWASP SAMM

Strategy and Metrics: Focuses on establishing the framework within an organization for a software security assurance program.

Policy and Compliance: Aimed at understanding and meeting external legal and regulatory requirements while also driving internal security standards to ensure compliance in a way that’s aligned with the business purpose of the organization.

Education and Guidance: Providing secure software development lifecycle training, specific to each role.

Threat Assessment: This Involved identification and understanding of the risks on a project-level basis. This is based on the functionality of the software under development and characteristics of the runtime environment.

Security Requirements: Specification of necessary security controls, including within supplier agreements. These controls should be subject to audit.

Secure Architecture: Refers to adopting software development frameworks, identifying secure design patterns and embedding secure-by-default methodologies.

Design Review: In a sophisticated form, the provision of this practice involves detailed, data-level inspection of designs, and enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted.

Implementation: Inspection of software at the source code and configuration level to find security vulnerabilities.

Security Testing: This includes human penetration testing and automate application-specific testing throughout the development process and, significantly, before deployment.

Issue Management: Issue Management is all about creating a vulnerability response team, implementing a bug reporting process, conducting root cause analysis and collecting per-issue metrics.

Environment Hardening: Focuses on building assurance for the runtime environment that hosts the organization’s software. Basically, check configurations, install critical upgrades and patches, and deploy network protection tools.

Operational Enablement: Aimed at gathering security-critical information from the project teams building software and communicating it to the users and operators of the software.

Security at the design phase

One of the ways of mitigating any vulnerability is to address them at the design stage. Implementing defined security policies within architecture is a good start. Furthermore, implementing a source code analysis at every stage of the Software Development Lifecycle would allow faster patching of vulnerabilities.

Apart from the actual coding itself, it’s equally important to have reliable resources. The OWASP Secure Coding Practices – Quick Reference Guide is a good place to start.

Threat modeling

A threat model represents all relevant information that affects the security of an application. It refers to a set of activities that aim to improve security. This is achieved by identifying objectives and vulnerabilities, followed by defining countermeasures. In general, a threat modeling process includes the following steps,

1.      Assessment scope

2.      Identify threat agents and possible attacks

3.      Understand existing countermeasures

4.      Identify exploitable vulnerabilities

5.      Prioritize identified risks

6.      Identify countermeasures to reduce the threat

Defining appropriate access levels

Ideally, this needs to be followed at the planning stage of a product/service. Access levels should be appropriately defined to ensure the system isn’t compromised at any given point. What this means is that users should only have the least amount of privilege necessary for them to execute their tasks.

On a related note, this is also where consideration needs to be given to the login functionality. For instance, most applications today offer first-time users a default password during the login stage. Here, the default passwords offered could be made to be more complex and valid for a short period of time. This reduces the risk of an attacker getting through to the system.

Application whitelisting

Application whitelisting is the process of specifying a list of approved applications that can run on a system. The idea is to allow the necessary programs as opposed to blacklisting malicious applications.

There’s always the risk of attackers replacing whitelisted applications with malicious ones. Therefore, it is always advisable for application whitelisting software to use cryptographic hashing techniques along with digital signatures linked to the software developers.

Source code analysis

Simply put, this refers to the automated testing of the source code. The focus is to debug an application. Source code analysis is either static or dynamic. Static analysis is where debugging is done by examining the code without having to run it. This essentially has a better chance of discovering vulnerabilities during development, before the application is released. After static analysis, dynamic analysis is performed. This involves real-time application testing.

One of the biggest advantages of source code analysis is that this eliminates the need for making assumptions about possible vulnerabilities.

Sanitise data

Sanitisation refers to keeping something clean from anything harmful. This means the same in technology as well. Take HTML for example. HTML sanitization involves examining an HTML document and producing a new HTML document that preserves only whatever tags are designated “safe” and desired. Here, HTML sanitization helps mitigate attacks such as cross-site scripting.

Of course, data sanitization takes many forms. It can be simply ensuring maximum data field lengths are maintained to avoid buffer overflow attacks. It can be parameterizing queries to protect against SQL injection attacks.

Data sanitization also relates to other aspects such as security checking image uploads in digital identity platforms. More and more data stores save and share photos of identifying documents. As such, proper security checks should be placed in order to ensure uploaded content includes only intended types of images instead of any executable content.

Prevent unverified code execution

One way to prevent unverified code execution is to avoid using eval() type functions. This includes functions like JavaScript’s SetTmer() function. These type of functions allows execution of unverified code.

Keeping yourself up to date

Vulnerabilities pop up every day. It’s important to keep a close eye on these vulnerabilities. CVE Details is one such resource that helps to track serious vulnerabilities. The site updates its list on a regular basis.

After all, security is a constantly evolving field. Attackers find new loopholes to crack systems every day. Whether it’s your vulnerability assessment procedures or digital forensics tools, security tools, and mechanisms also need to be up to date.

In terms of secure coding practices, there are a lot more involved in the process. We hope this rundown helped you get a better understanding of what it’s all about.

Secure Development