CySA+ domain #15: Implementing security best practices in the software development life cycle
Insecure software: a never-ending saga that has increased concerns and business risks for organizations, especially in such critical industries as e-banking and e-commerce. As a result, software security has become extremely important to avoid big losses and reputational damage to enterprises.
Threat actors exploit software vulnerabilities to infiltrate corporate networks, steal sensitive information, manipulate data and launch SQL injection or Denial of Service (DoS) attacks. According to Akamai, a U.S.-based cloud service provider, SQL injection and Local File Inclusion attacks together accounted for 85% of observed attack vectors, and SQL injection alone comprised over 65% of web-based attack vectors from November 2017 to March 2019.
From state or governmental agencies to local businesses, everyone is bearing the burden of software attacks. In its report, Akamai noted that “The United States maintains an unhealthy lead as the biggest source of SQL injection attacks, but Russia, the Netherlands, and China all show significant amounts of alerts originating from their countries.”
Implementing a proper and secure Software Development Life Cycle (SDLC) is now more vital than ever. Developers need to integrate security into different phases of SDLC to securely develop software applications, especially the critical ones such as electronic voting systems and e-banking systems. Doing so will reduce security issues and beef up the overall security of each phase of the SDLC.
In this article, we will examine the best practices needed during software development and secure coding. These are also indispensable for taking and passing the CySA+ exam.
What is SDLC?
The Software Development Life Cycle (SDLC) is a process used to describe tasks carried out at each stage in the software development process. The SDLC model helps developers to design, develop, test and produce high-quality software. Once the production process completes, user training, maintenance and decommissioning are necessary at the end of the software’s useful life.
Below are the steps involved in SDLC:
The SDLC can be performed using several models that have been created to provide a framework for software development. These models include Waterfall, Spiral, Agile, the V-Model and Big Bang.
Best practices during software development
As a software developer and CySA+ candidate, you must know what the best practices should be at each stage of the SDLC (e.g., design, coding, testing, maintenance and so on). The following sections elaborate on the practices for each stage.
Security requirements definition
Considering security in the requirements phase helps developers address security problems before moving on to later phases. Various approaches have been developed to extend earlier requirements engineering methods, including agent-oriented, goal-oriented and UML use case-based approaches.
Integrating security into requirements engineering means treating security requirements as first-class requirements. Their main purpose is to produce a secure software application. Security requirements are commonly defined as constraints on the functionality of the software, concentrating on what should be achieved rather than how.
Security testing phases
Even if you have a very talented development team, flaws in the code are common and can’t be totally avoided.
Before finalizing the source code, it’s important to analyze it to figure out what it does, how it performs and what flaws occur in the application itself. These actions can be performed through static code analysis, as well as via some testing methods that include web app vulnerability scanning, fuzzing and use of an interception proxy to crawl the application.
Static code analysis
Static code analysis is a program analysis method conducted by examining the source code without executing the program. It is used to identify potential vulnerabilities in the source code with techniques such as data flow analysis and taint analysis.
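The following is an added illustration of how a taint analysis pass works, not code from the article or any real analyzer: it walks a Python program's syntax tree, marks variables assigned from an untrusted source as tainted, and reports sinks that receive tainted data unless the value was wrapped in a sanitizer. The source, sink and sanitizer names are assumptions chosen for the example (Flask-style request access, a DB-API cursor).

```python
import ast

SOURCES = {"request.args.get", "request.form.get", "input"}   # assumed untrusted inputs
SINKS = {"execute", "executescript", "system"}               # assumed dangerous calls
SANITIZERS = {"int", "escape"}                               # assumed cleansing calls

def call_name(call: ast.Call) -> str:
    """Dotted callee name, e.g. 'request.args.get' or 'cursor.execute'."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def is_tainted(expr: ast.AST, tainted: set) -> bool:
    """Data flow rule: tainted if it reads a tainted name or calls a source, unless wrapped in a sanitizer."""
    if isinstance(expr, ast.Call) and call_name(expr) in SANITIZERS:
        return False
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and call_name(sub) in SOURCES:
            return True
    return False

def find_tainted_sinks(source: str) -> list:
    """Return (line, callee) for every sink whose first argument carries untrusted data."""
    tainted, findings = set(), []
    # process nodes in source order so assignments are seen before later uses
    nodes = sorted(ast.walk(ast.parse(source)), key=lambda n: getattr(n, "lineno", 0))
    for node in nodes:
        if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.Call) and call_name(node).split(".")[-1] in SINKS:
            if node.args and is_tainted(node.args[0], tainted):
                findings.append((node.lineno, call_name(node)))
    return findings

# Constructed sample program: line 3 concatenates untrusted input into SQL,
# line 5 sanitizes with int(), line 6 uses a parameterized query.
SAMPLE = """\
user = request.args.get("user")
query = "SELECT * FROM accounts WHERE name = '" + user + "'"
cursor.execute(query)
safe_id = int(request.args.get("id"))
cursor.execute("SELECT * FROM accounts WHERE id = " + str(safe_id))
cursor.execute("SELECT * FROM accounts WHERE name = ?", (user,))
"""
```

Running `find_tainted_sinks(SAMPLE)` reports only line 3; the sanitized and parameterized calls pass.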
Web app vulnerability scanning
Web app vulnerability scanning is the process of crawling a website to find vulnerabilities within web applications. For this purpose, developers use web application scanners or web vulnerability scanning tools.
Fuzzing
Fuzzing is a testing technique whereby software developers send random or invalid data to a program to test its ability to deal with unexpected data. If an application fails to do so, crashes and failures occur.
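As an added example (not code from the article), here is a small mutation fuzzer run against a constructed, deliberately fragile header parser and against its hardened version: the fragile parser crashes on inputs without a colon or with a non-numeric length, while the hardened one returns None instead of raising. The parser and seed inputs are assumptions made for the example.

```python
import random

def parse_header(line: bytes):
    """Fragile target: assumes a colon is present and that Content-Length is numeric."""
    parts = line.split(b":", 1)
    name, value = parts[0].strip(), parts[1].strip()   # IndexError when no colon
    if name.lower() == b"content-length":
        return name, int(value)                         # ValueError when not numeric
    return name, value

def parse_header_safe(line: bytes):
    """Hardened target: malformed input yields None instead of an exception."""
    name, sep, value = line.partition(b":")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        return None
    if name.lower() == b"content-length":
        return (name, int(value.decode("ascii"))) if value.isdigit() else None
    return name, value

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a byte, delete a byte, insert a byte or truncate."""
    buf, op = bytearray(data), rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, seed=1) -> dict:
    """Feed mutated seeds to target; map each crash type to the first input that caused it."""
    rng, crashes = random.Random(seed), {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes

SEEDS = [b"Content-Length: 42", b"Host: example.test"]  # constructed valid inputs
```

`fuzz(parse_header, SEEDS)` returns the crash types found with the inputs that triggered them, while `fuzz(parse_header_safe, SEEDS)` returns an empty dict.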
Use interception proxy to crawl the application
An interception proxy is an essential tool during web application penetration testing. Using it, you can test for cross-site scripting, SQL injection and other web vulnerabilities. Some tools also allow automatic modification of requests and responses through rules that match on elements such as request parameters and headers.
How do interception proxies work? When a user requests data from a website, the web browser sends an HTTP request to the web server, which processes it and returns the response the request entitles the user to. A threat actor positioned between the browser and the server can intercept these requests and turn them into malicious ones.
Since websites cannot directly address this issue, penetration testers use interception proxy tools to capture and inspect the requests sent by the browser before they reach the web server. Examples of interception proxy tools include the OWASP Zed Attack Proxy (ZAP), Burp Proxy and Telerik Fiddler.
Manual peer reviews
A manual peer review is a process in which code is assigned to security engineers for inspection before it is promoted. Manual review is necessary for high-risk code that performs security functions, such as session management components, login and authorization services, authentication services and encryption modules. It is a security best practice that establishes Separation of Duties (SoD), keeps malicious code out of production and helps engineers mitigate or eliminate insider threats.
User acceptance testing
The user acceptance testing process is used to ensure that the application meets the requirements of the users or customers. In addition, users should be satisfied with the functionality of the application.
Stress test application
Testing the performance of the application is vital to identify code flaws. A stress test verifies that the program continues to function properly under high load or other stress.
Security regression testing
Security regression testing ensures that recently made changes don't introduce new issues into the code. This test is usually performed when new updates are installed or patches are applied to the application.
Input validation
Input validation is the act of ensuring that users cannot pass unexpected data or text to a web server. It is a key security practice for preventing SQL injection attacks.
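As an added example (not code from the article), the same account lookup is written three ways against a constructed in-memory SQLite table: concatenating the input into the SQL text, binding it as a query parameter, and validating it against an allowlist before binding. The table, column names and the username allowlist are assumptions made for the example.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # allowlist of what a username may contain

def make_db() -> sqlite3.Connection:
    """Constructed sample data, not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def lookup_vulnerable(conn, username: str) -> list:
    """String concatenation: the input becomes part of the SQL text itself."""
    sql = "SELECT name, balance FROM accounts WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username: str) -> list:
    """Parameterized query: the driver binds the value as data, never as SQL."""
    sql = "SELECT name, balance FROM accounts WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()

def is_valid_username(username: str) -> bool:
    """Input validation against the allowlist, applied before the database is touched."""
    return USERNAME_RE.fullmatch(username) is not None

def lookup_safe(conn, username: str) -> list:
    """Defense in depth: reject unexpected input first, then query with parameters."""
    if not is_valid_username(username):
        raise ValueError("rejected: username contains unexpected characters")
    return lookup_parameterized(conn, username)
```

With a username containing a quote and an OR clause, the concatenated query returns every row, the parameterized query matches nothing because the whole string is compared as a literal, and the validated lookup refuses the input before any query runs.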
What do I need to know about secure coding best practices?
The source code must be efficient and effective to produce desired results. To this end, some organizations such as OWASP and the Center for Internet Security recommend best practices that are elaborated below.
OWASP, or the Open Web Application Security Project, is a worldwide non-profit organization that concentrates on strengthening software security. For this purpose, it publishes a checklist of 13 secure coding practice areas, listed below:
- Input validation
- Output encoding
- Authentication and password management
- Session management
- Access control
- Cryptographic practices
- Error handling and logging
- Communication security
- System configuration
- Database security
- File management
- Memory management
- General coding practices
Center for Internet Security
The Center for Internet Security (CIS) provides substantial configuration benchmarks for database servers and web servers, as well as server and desktop operating systems. However, they do not currently offer secure coding or SDLC guidelines.
In the context of the CySA+ exam, the CIS configuration benchmarks belong to the deployment stage of the SDLC. Ongoing security operations take place as part of the maintenance and operations stage.
In the age of cyberwarfare, developing secure application programs has become an ever-present need.
In this article, we have studied best practices for software development and secure coding as published by OWASP and the Center for Internet Security (CIS). These best practices help developers and security engineers build effective and secure applications that can safely perform critical functions in systems such as e-banking and e-commerce. CySA+ candidates should grasp all these concepts to better prepare for the CySA+ exam.
Sources
- Mike Chapple and David Seidl, “CompTIA CySA+ Study Guide: Exam CS0-001,” Wiley
- Secure SDLC 101, Synopsys
- OWASP Secure Software Development Lifecycle Project, OWASP
- SQL Injection Attacks on the Rise, As Gaming Industry Under Attack from Credential Stuffing, CBR
- Software Development Life Cycle (SDLC), Techopedia
- Hassan El-Hadary and Sherif El-Kassas, “Capturing security requirements for software systems,” Journal of Advanced Research
- State of Software Security Volume 9, Veracode
- Static analysis (static code analysis), TechTarget
- Static Code Analysis, OWASP
- Web Application Scanning, WhiteHat
- Interception proxies, Lynda
- Securing the development phase of the SDLC, Cypress Data Defense
- OWASP Secure Coding Practices Checklist, OWASP