
Secure Coding: How to Prevent Vulnerabilities from Creeping into Your Software

Published Aug 07, 2019

No software is 100% secure, no matter how much you might like it to be. Even the best developers are unable to account for every security vulnerability, and once an application is deployed, factors of environment and use further complicate security. However, that doesn’t mean you should abandon trying to develop secure software, nor does it mean there is nothing you can do to improve your application’s security.

How Do Vulnerabilities Get into Software?

Vulnerabilities find their way into software in three main ways:

1. Insecure Coding Practices
Traditionally, software development doesn’t include security concerns or testing until the very end of the cycle, meaning that code is often produced to be functional but not necessarily secure. Often, the amount of time needed to retroactively make code secure, in combination with tight deadlines, means that security vulnerabilities are more likely to be ignored or insufficiently corrected. As development teams take on an agile methodology and the speed of development and deployment increases, this problem can be compounded.

2. Inclusion of Flawed Components
Most applications make use of open-source code or libraries, many of which have vulnerabilities. Although a number of these vulnerabilities are known, and resources exist explaining how to correct them, developers aren’t always aware of this information or versions might be used inconsistently.

If only snippets of code are used or libraries are used in a “black-box” fashion, it is difficult to know whether or not they are vulnerable without analyzing them directly. Third-party integrations and deployment environments can also introduce unforeseen risks or create conflicts that can be exploited.

3. Language-Specific Vulnerabilities
Each language has unique vulnerabilities, which a developer less experienced in the language might not be aware of. For example, low-level languages like Assembly, C, or C++ are vulnerable to buffer overflows, where writing more data than a buffer can hold spills into adjacent memory, which attackers can exploit to corrupt data or execute malicious code. Another common vulnerability, found in languages like SQL, JavaScript, and PHP, is code injection, where attackers exploit flaws in data processing that cause user input to be interpreted as commands or code, or include malicious script in uploaded files.

Even if an issue is not present when code is deployed, cyber criminals are constantly innovating new ways to infiltrate systems and software and can discover vulnerabilities that were previously unknown or not possible to exploit.

What Is Secure Coding?

Secure coding is the practice of developing software that inherently protects from vulnerabilities, as opposed to only being protected externally. It relies on a developer knowing the vulnerabilities that come with the languages, frameworks, and libraries they choose to use and acting accordingly.

Secure coding requires the developer to consider the full environment in which an application will be run and takes care to ensure that vulnerabilities discovered in the future can be patched as quickly as possible.

Secure Coding: Best Practices

It may not be possible to eliminate all software vulnerabilities but these best practices can help you ensure your applications are more secure from the start.

Shifted-Left Security
One of the first and most beneficial practices to be taken is the shifting-left of security, typically done through DevSec or DevSecOps methodologies. Emphasizing security early on in the SDLC means that flaws are less likely to be ignored due to unforgiving time schedules and that they are discovered earlier, requiring less work to correct.

When security is part of the development process, DevSec teams can assess the risks of library dependencies and open-source code before they are included and it is easier to ensure that versioning is consistent.

Use of information tools like the OWASP Top 10 list can provide education and guidance on vulnerability management. In combination with automation tools like Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), developers can better identify flaws and learn in real-time how to correct them.

Validation of Inputs and Encoding of Outputs
You should validate all user input against syntactic and semantic criteria, and queries should be parameterized or otherwise keep user input clearly separated from the command itself. Whitelisting is the recommended validation method: accept only input that matches an explicit definition of what is allowed, for example by comparison to a regular expression, rather than trying to block known-bad values.

You should encode outputs for the context in which they are rendered, using escape formats such as HTML entities or JavaScript hex escapes, so that potentially harmful characters are displayed as data rather than interpreted as markup or script.

Use server-side validation and encoding to ensure coverage of all components, including user devices and back-end web services. When used in combination, these practices can protect against Cross-Site Scripting (XSS) and code injection attacks.
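The following is an added example (not code from the original post) that puts the three practices above together in Python: a regular-expression allowlist for a username field, a parameterized database query shown beside the string-concatenation form it replaces, and HTML entity encoding of a value before it is rendered. The table, column names and sample rows are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed allowlist: a username is 3 to 32 letters, digits or underscores.
# Anything else is rejected outright instead of trying to strip "bad" characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    """Allowlist validation: accept only what the pattern explicitly permits."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "likes <b>bold</b> text"), ("bob", "plain bio")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The flawed form: the input is pasted into the SQL text, so a value
    containing a quote changes the meaning of the query (code injection)."""
    return conn.execute(
        f"SELECT name, bio FROM users WHERE name = '{name}'"
    ).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: validate first, then let the driver bind the value
    as a parameter so it can never be parsed as part of the SQL statement."""
    if not validate_username(name):
        raise ValueError("username rejected by allowlist")
    return conn.execute(
        "SELECT name, bio FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_bio(bio: str) -> str:
    """Output encoding: escape <, >, &, and quotes before the value lands in
    an HTML page, so stored markup is shown as text rather than executed."""
    return f"<p>{html.escape(bio, quote=True)}</p>"
```

Running `find_user_unsafe` with an input containing a single quote returns rows the caller never asked for, while `find_user` rejects that input at the allowlist and, even for values that pass, binds them as data.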

Authentication and Session Management
You need to include session management and identity management controls on the server-side to minimize the risk that a user session is hijacked or that credentials are illegitimately used. Multi-factor authentication provides greater security, especially when combined with secure password storage and recovery mechanisms.

Implementation of conservative timeout and inactivity periods can help you reduce the risk that user sessions are exploited and ensure that user data is kept secure with minimum impact on customer experience. Limiting the number of concurrent sessions will help ensure that only legitimate users can access an application or site.
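As an added example (not code from the original post), the server-side session store below applies the controls described in this section in Python: an absolute session lifetime, an inactivity timeout, a cap on concurrent sessions per user, and unguessable session identifiers. The timeout and cap values are constructed placeholders; the injectable clock exists only so the behaviour can be checked without waiting.

```python
import secrets
import time

# Constructed policy values; a real deployment tunes these to its risk profile.
ABSOLUTE_TIMEOUT = 8 * 3600   # session ends 8 hours after login, active or not
IDLE_TIMEOUT = 15 * 60        # session ends after 15 minutes without a request
MAX_CONCURRENT = 3            # at most this many live sessions per user


class SessionStore:
    """Server-side session state keyed by a random token the client holds."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for testing; defaults to wall clock
        self._sessions = {}           # token -> {"user", "created", "last_seen"}

    def _expired(self, s: dict, now: float) -> bool:
        return (now - s["created"] > ABSOLUTE_TIMEOUT
                or now - s["last_seen"] > IDLE_TIMEOUT)

    def login(self, user: str) -> str:
        """Create a session, evicting expired ones and, if the user is at the
        concurrent-session cap, the oldest live session for that user."""
        now = self._clock()
        for tok in [t for t, s in self._sessions.items() if self._expired(s, now)]:
            del self._sessions[tok]
        live = sorted((t for t, s in self._sessions.items() if s["user"] == user),
                      key=lambda t: self._sessions[t]["created"])
        while len(live) >= MAX_CONCURRENT:
            del self._sessions[live.pop(0)]
        token = secrets.token_urlsafe(32)   # CSPRNG-backed, not derived from user data
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def touch(self, token: str):
        """Return the user for a valid token and refresh its idle timer;
        return None (and discard the session) if it is unknown or expired."""
        now = self._clock()
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```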

Proper Encryption Techniques
Use of encryption libraries developed by cryptography experts, such as the peer-reviewed Google Keyczar or Bouncy Castle, is more secure and faster than trying to develop solutions on your own. Regardless of which encryption protocols you use, it is important not to neglect architectural design methods like tiering or strict trust policies.

Inappropriate key management can negate even the strongest cryptography so you should make sure to store keys separately from encrypted data and consider the use of a Hardware Security Module (HSM).

End-to-end encryption of transferred data will provide the greatest security. If this is not possible, be sure to encrypt data both at-rest and in-transit to minimize the risk of data loss or modification.

Wrap Up

Customers are increasingly demanding secure products and developers are doing their best to provide them. This is a trend that is unlikely to change anytime soon, and so will continue to determine which applications, and their associated companies, survive.

By implementing these best practices and adapting to the ever-changing security environment you can ensure that your products are as secure as possible and in doing so, reduce the amount of work you need to perform post-deployment to maintain a secure product. Products that customers can trust from the start will help boost your brand reputation as a trustworthy source of software and help build your competitive edge.
