Introduction: Cybersecurity is not an on/off switch

Security is holistic. You'll no doubt have heard that a lot if you work in the industry, especially over the last few years. It's true, too. Cybersecurity is not an on/off switch. Securing a digital application, platform or service is a process that begins when the first line of software is written and continues through deployment and operation.

Research findings back this up. A U.S. Department of Homeland Security (DHS) figure, reported by Veracode, attributes 90 percent of cyber-attacks to the exploitation of vulnerabilities in software source code. (1)

More often than not, software developers rely on code libraries when building an application. The same discipline, reusing well-tested building blocks rather than reinventing them, applies to secure coding.

Starting to code securely

If you want to develop secure applications, security must be considered from the start and throughout the development and deployment cycle. Before writing any code, therefore, it is important to learn about the major pitfalls of the environment the code will run in. For example, a cloud backend for a mobile app has different secure coding considerations from the app itself.

Dedicated secure coding libraries and frameworks are not common. Some are purely documentation-based and so cannot be enforced by tooling; others are more interactive, or provide code samples, secure libraries and hardened functions.

In general, secure coding frameworks and libraries tend to be focused either on Web applications or on cryptography. Language coverage for either is also variable. However, even if your chosen language is not supported, it is often instructive to see how a problem is solved in another language.

Libraries and frameworks to help develop secure code

Here are some of the better-known frameworks and libraries available to help you ensure your code is written securely:

  • Frameworks for Web applications are commonly based on OWASP recommendations for secure coding practice. The OWASP Security Knowledge Framework (SKF) is freely available and supports several languages including Java, PHP and Go
    • It focuses on prevention of common vulnerabilities such as CSRF, XSS and SQL injection, and provides examples of best practice for common operations such as password storage, audit logging and file upload
    • It also provides checklists of the requirements needed to attain specific security verification levels, for use during both the design and the implementation stages
    • Overall, the Security Knowledge Framework is an excellent resource for Web applications and should be the first stop for any web application developer
  • If you are an enterprise Java developer, look at Spring Security. This framework provides common functionality for authentication and authorization
  • Most Web-oriented programming languages have general-purpose frameworks available that include built-in security functionality. However, because of the complexity of many of these frameworks, vulnerabilities in the frameworks themselves are common, so their use should be approached with caution. Keeping such frameworks up to date and checking regularly for vulnerability reports is of paramount importance
  • For programmers working with lower-level languages such as C, perhaps the most common source of serious vulnerabilities is the buffer overflow. Safe memory allocation and bounded string manipulation functions play a major role in reducing these flaws, but they are not cure-alls: the code must still verify that the declared or expected size of input data matches what was actually received before acting on it
    • Heartbleed in OpenSSL is the classic case: the TLS heartbeat handler trusted a length field supplied by the peer without checking it against the data actually received, and so read past the end of the buffer and leaked server memory. A documentation-based framework that covers security for C developers is the SEI CERT C Coding Standard
  • Verified cryptographic libraries are always better than writing your own implementations of common algorithms. Such libraries are readily available for all common languages and ship with published test vectors against which you can verify that they operate correctly. Again, it must be stressed that simply using a verified implementation of an algorithm will not in itself make your application secure: you have to be sure the algorithm is being applied appropriately, with the right mode, correct key and nonce handling, and integrity protection that covers everything the receiver will act on
  • Some IDEs provide tooling to help developers follow secure coding standards. For example, JetBrains' IntelliJ IDEA for Java supports Framework for Secure Coding, a plug-in that detects violations of security standards in real time using the SEI CERT Secure Coding Rules. Such tools give immediate, valuable feedback to the developer, highlighting potential security violations and helping to ensure code conforms to the standard
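
The length-check point above is easiest to see in code. The following is an added example written for this article, not code from OpenSSL or from the article's author. It uses a constructed two-byte-length wire format (not the real TLS heartbeat format), a reused receive buffer seeded with constructed leftover data, and a request that declares 40 bytes of payload while sending five. Go is memory-safe, so a declared length larger than the buffer panics rather than reading out of bounds, but that does not help here: the buffer is larger than the message, so trusting the declared length still hands stale bytes from the previous request back to the client, which is exactly the Heartbleed logic error.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format for this example (not the TLS heartbeat format):
// a 2-byte big-endian payload length followed by the payload bytes.
// bufSize is the size of the receive buffer the server reuses across requests.
const bufSize = 64

// newReusedBuffer returns a receive buffer that still holds bytes from an
// earlier request, which is what a reused buffer looks like in practice.
// The leftover contents are constructed sample data.
func newReusedBuffer() []byte {
	buf := make([]byte, bufSize)
	copy(buf, "previous request: password=hunter2 session=abc")
	return buf
}

// receive simulates a network read into buf and returns the number of
// bytes actually written, as net.Conn.Read would.
func receive(buf []byte, msg []byte) int {
	return copy(buf, msg)
}

// echoUnchecked trusts the declared length and ignores n, the number of
// bytes that actually arrived. Go's bounds check keeps it inside buf (a
// declared length beyond the buffer would panic), but nothing ties the
// declared length to the received bytes, so it echoes stale buffer contents.
func echoUnchecked(buf []byte, n int) []byte {
	declared := int(binary.BigEndian.Uint16(buf[:2]))
	return append([]byte(nil), buf[2:2+declared]...)
}

// echoChecked verifies the declared length against the bytes actually
// received before touching the payload.
func echoChecked(buf []byte, n int) ([]byte, error) {
	if n < 2 {
		return nil, errors.New("record too short for a length field")
	}
	declared := int(binary.BigEndian.Uint16(buf[:2]))
	if declared > n-2 {
		return nil, fmt.Errorf("declared payload length %d exceeds the %d bytes received", declared, n-2)
	}
	return append([]byte(nil), buf[2:2+declared]...), nil
}

// maliciousHeartbeat declares a 40-byte payload but sends only "hello".
func maliciousHeartbeat() []byte {
	msg := make([]byte, 2, 7)
	binary.BigEndian.PutUint16(msg, 40)
	return append(msg, "hello"...)
}

func main() {
	buf := newReusedBuffer()
	n := receive(buf, maliciousHeartbeat())

	fmt.Printf("unchecked echo: %q\n", echoUnchecked(buf, n))
	if _, err := echoChecked(buf, n); err != nil {
		fmt.Println("checked echo rejected:", err)
	}
}
```

Run as-is, the unchecked echo returns "hello" followed by 35 bytes of the previous request, including the leftover password; the checked version rejects the record. The same rule applies in C with `memcpy` or `strncpy`: a bounded copy only helps if the bound itself was derived from the data you actually received, not from a field the peer controls.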

Check framework and libraries for vulnerabilities

Having written your code to a secure standard, your hard work may still be undone if the additional libraries or frameworks you depend on contain vulnerabilities. All third-party libraries should be checked for known vulnerabilities and kept up to date. In addition, take the time to understand the functions and classes you use and check for yourself that they behave the way you expect.

As an example, consider a server-side framework you use to retrieve data from, say, a database for display in a webpage. Does the framework escape the data on output to prevent XSS attacks, or is that your responsibility?
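Here is that question answered for one framework, as an added example written for this article rather than code taken from the page or from any project it mentions. Go's standard library ships two template engines with the same syntax: text/template, which performs no escaping, and html/template, which escapes each value for the HTML context it lands in. The row data and the malicious comment are constructed sample input. The third function shows how a developer switches the protection off by declaring the stored value trusted markup, which is the kind of behaviour you should confirm before relying on a framework.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Row stands in for a record read back from the database. Comment is
// attacker-controlled: it was submitted by a user and stored as-is.
type Row struct {
	User    string
	Comment string
}

// One template source, rendered below by two standard-library engines.
const rowTemplate = `<li><b>{{.User}}</b>: {{.Comment}}</li>`

// renderText uses text/template, which knows nothing about HTML and
// copies the stored comment into the page verbatim.
func renderText(r Row) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, r); err != nil {
		return "", err
	}
	return out.String(), nil
}

// renderHTML uses html/template, which escapes the value for element text
// context, so markup in the comment is displayed rather than executed.
func renderHTML(r Row) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, r); err != nil {
		return "", err
	}
	return out.String(), nil
}

// renderHTMLTrusted shows how the protection is switched off: wrapping the
// value in template.HTML asserts that it is already safe markup, and the
// engine takes the developer at their word.
func renderHTMLTrusted(r Row) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	trusted := struct {
		User    string
		Comment htmltemplate.HTML
	}{r.User, htmltemplate.HTML(r.Comment)}
	var out bytes.Buffer
	if err := t.Execute(&out, trusted); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample row with a stored XSS payload in the comment field.
	row := Row{User: "mallory", Comment: `<script>fetch("/steal?c="+document.cookie)</script>`}
	renderers := []struct {
		name string
		fn   func(Row) (string, error)
	}{
		{"text/template", renderText},
		{"html/template", renderHTML},
		{"template.HTML", renderHTMLTrusted},
	}
	for _, r := range renderers {
		out, err := r.fn(row)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s %s\n", r.name+":", out)
	}
}
```

The answer for this framework is therefore "yes, if you picked html/template, and no if you picked text/template or wrapped the value in template.HTML". Other frameworks draw the line elsewhere (some escape in templates but not in helper methods that build HTML strings), so the only reliable way to know is to render hostile input through the exact code path you ship and look at the bytes that come out.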

As coders are human, errors creep in, and secure coding blunders are no exception. This is why it is good practice to run a static application security testing tool or service (e.g., Checkmarx) throughout development, with a final scan before release, to catch vulnerabilities that slipped past review.

Code securely, secure holistically

Remember that your code is only part of an overall system, and the overall security depends on the other system components and on how your code interacts with them. A good overview of the entire system and of your code's interactions with it will help prevent major security vulnerabilities. For example, does your app send data over internal or external networks to other components? If so, should you be ensuring that these data are protected by encryption and/or digital signatures or message authentication codes before transport?
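The two earlier points about cryptography, verifying a library against its published test vectors and then applying the algorithm appropriately, come together in the transport question just raised. The following is an added example written for this article, not code from the page or from any library it names. It uses Go's standard HMAC-SHA256, first checking it against RFC 4231 test case 2 (a published vector), then using it to authenticate a constructed message passed between two components of the same system. The key, the Envelope type and the "read"/"delete" commands are assumptions made for the example. The body-only variant is deliberately wrong: the algorithm is sound, but because the tag does not cover the command field, a change to the command in transit goes unnoticed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RFC 4231 test case 2 for HMAC-SHA-256: a published vector used here to
// confirm the library behaves as specified before it is trusted.
const (
	rfc4231Key  = "Jefe"
	rfc4231Data = "what do ya want for nothing?"
	rfc4231MAC  = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
)

// tag computes HMAC-SHA256(key, msg).
func tag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// selfTest fails if the library does not reproduce the published vector.
func selfTest() error {
	got := hex.EncodeToString(tag([]byte(rfc4231Key), []byte(rfc4231Data)))
	if got != rfc4231MAC {
		return fmt.Errorf("HMAC-SHA256 self-test failed: got %s, want %s", got, rfc4231MAC)
	}
	return nil
}

// Envelope is a constructed message passed between two components of the
// same system, for example a web front end and an internal job runner.
type Envelope struct {
	Command string
	Body    string
	Tag     []byte
}

// canonical serialises the fields with length prefixes so that two
// different (Command, Body) pairs can never encode to the same bytes.
func canonical(cmd, body string) []byte {
	return []byte(fmt.Sprintf("%d:%s,%d:%s", len(cmd), cmd, len(body), body))
}

// sealBodyOnly is the misapplied version: a correct algorithm, but the tag
// covers only the body, so the command can be rewritten in transit.
func sealBodyOnly(key []byte, cmd, body string) Envelope {
	return Envelope{Command: cmd, Body: body, Tag: tag(key, []byte(body))}
}

func verifyBodyOnly(key []byte, e Envelope) bool {
	return hmac.Equal(tag(key, []byte(e.Body)), e.Tag)
}

// seal covers every field the receiver will act on.
func seal(key []byte, cmd, body string) Envelope {
	return Envelope{Command: cmd, Body: body, Tag: tag(key, canonical(cmd, body))}
}

// verify uses hmac.Equal, a constant-time comparison. A plain == on hex
// strings or bytes.Equal returns at the first mismatching byte and leaks
// timing information about how much of a forged tag was correct.
func verify(key []byte, e Envelope) bool {
	return hmac.Equal(tag(key, canonical(e.Command, e.Body)), e.Tag)
}

func main() {
	if err := selfTest(); err != nil {
		panic(err)
	}
	key := []byte("constructed-demo-key-not-for-real-use")

	weak := sealBodyOnly(key, "read", "report-42")
	weak.Command = "delete" // tampered with in transit
	fmt.Println("body-only tag accepts tampered command:", verifyBodyOnly(key, weak))

	strong := seal(key, "read", "report-42")
	fmt.Println("full envelope verifies:", verify(key, strong))
	strong.Command = "delete"
	fmt.Println("tampered envelope verifies:", verify(key, strong))
}
```

An HMAC gives integrity and origin authentication between components that share a key; it does not hide the body, so data that must stay confidential on the wire needs encryption as well, normally an authenticated mode such as AES-GCM or a TLS connection between the components, with the same care about what the authentication covers.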

When you build a discipline of secure coding, make use of the frameworks and libraries that embody the established standards. In doing so, you make your life easier and end up with better, safer code.

Thanks to Dr. Steve Hitchen, an advocate of secure coding best practices, for his advice on writing this piece.

Sources

  1. How Do Vulnerabilities Get Into Software?, Veracode
  2. SEI CERT Coding Standards, Carnegie Mellon University
  3. Security Knowledge Framework, OWASP
  4. IntelliJ IDEA, JetBrains