Secure coding

Basics of secure coding

Srinivas
September 9, 2020 by
Srinivas

This article provides an overview of secure coding and how it is useful to prevent security vulnerabilities in applications. We will also discuss the benefits of secure coding to understand the value it adds to an organization when used effectively and we will wrap this article by discussing some examples of secure and insecure source code.

Learn Secure Coding Fundamentals

Learn Secure Coding Fundamentals

Build your secure coding skills as you progress through 14 courses focused on discovering, exploiting and mitigating common coding vulnerabilities.

What is secure coding?

Secure coding is the practice of writing code securely so that the final product is protected from security vulnerabilities. While this sounds simple, it is not in reality due to various factors such as Developers knowledge on secure coding, their understanding of risk and the time available before production releases. It is also important to note that secure coding is a practice that any software should go through regardless of what it is built for. It can be Web, Mobile, embedded devices, client software and the list goes on. 

Why is secure coding important? 

Secure coding helps to protect the software from security vulnerabilities that can be exploited. The end goal of software security is to maintain the confidentiality, integrity, and availability of information resources in order to enable successful business operations and secure coding during software development plays a major role in accomplishing this.

Specifically in web applications, following are various risks that are possible due to missing secure coding practices:

  • Remote Command Execution
  • SQL Injection
  • Cross Site Scripting
  • Deserialization Attacks
  • XML Injection attacks

This is not  a complete list of vulnerabilities, but it is of some of the most commonly seen ones. There are several reasons such as Lack of input validation, lack of output encoding, Insecure Access Controls, Insufficient Authentication and Session Management, Insecure use of Cryptography which can lead to insecure software. While there are many insecure practices that cause these vulnerabilities, lack of input validation is one primary source of vulnerabilities in software. This can happen due to the use of insecure APIs that are inherently vulnerable or due to the programmer’s mistakes. 

Benefits of secure coding

Let us understand the benefits of secure coding. 

Secure Software: The direct outcome of secure coding is secure software. A software developed by using secure coding practices prevents attacks in future. Depending on the use of software, vulnerabilities can lead to reputational as well as financial damage.

Cost Savings: Following secure coding practices will also help organizations to save cost as it is more expensive to fix security vulnerabilities if they are found after the software is fully developed.

Because of these benefits, several organizations have embraced the Secure Software Development Life Cycle process, which includes writing secure code from the initial phases of the software development process.

Insecure and Secure source code examples

In this section of the article, let us go through a piece of code that is vulnerable to SQL Injection and let us also understand how that can be fixed.

Vulnerable source code example:

public boolean checkLogin(String username, String password) throws IOException {

boolean flag = false;

try {

statement = connection.createStatement();

String query = "SELECT * FROM users where username='"+username+"' AND password='"+password+"'";

    resultSet = statement.executeQuery(query);

    

    if(resultSet.next()) {

    flag = true;

    }

} catch (SQLException e) {

// TODO Auto-generated catch block

e.printStackTrace();

StringWriter stringWriter = new StringWriter();

            PrintWriter printWriter = new PrintWriter(stringWriter);

            e.printStackTrace(printWriter);

            ServletResponse response = null;

            response.setContentType("text/plain");

            response.getOutputStream().print(stringWriter.toString());     

            

}

      

return flag;

}

If you observe the piece of code highlighted in the preceding excerpt, the application takes user input and concatenates it to the existing SQL query to form the final query. If you notice, there is no sanitization performed on the user input before executing the query thus leaving the application at serious risk. This piece of code is lacking fundamental input validation leading to SQL Injection. To prevent this problem, we must sanitize the user input received from the user before compiling the SQL Query. Parameterized Queries can be used to achieve this, which is shown in the following source code example.

Secure source code example:

public boolean checkLogin(String username, String password) {

boolean flag = false;

try {

String query = "SELECT * FROM users where username=? AND password=?";

preparedstatement = connection.prepareStatement(query);

preparedstatement.setString(1,username);

preparedstatement.setString(2,password);

resultSet = preparedstatement.executeQuery();

    

    if(resultSet.next()) {

    flag = true;

    }

} catch (SQLException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

      

return flag;

}

Notice the code highlighted in the preceding excerpt. This time, we are defining the SQL code that is to be executed with placeholders (?,?) for parameter values, programmatically adding the parameter values using preparedstatement.setString(), and then executing the query. 

If you observe preparedstatement.setString() function arguments, we are casting the input values to string. This will prevent any injected SQL from being executed, as we are properly casting the input to the right data type.

As you might have noticed in these examples, a simple developer mistake can lead to serious software security vulnerabilities. Fixing these vulnerabilities is not hard when we have access to source code but, clearly the developers must be aware of the security concepts when writing code to prevent such vulnerabilities in software.

Conclusion

It is apparent that Secure Coding should be an integral part of the software development process and organizations must embrace the practice of writing secure code from the beginning. Developers should also be aware of secure coding practices and risks an insecure software can pose to the organization.

Learn Secure Coding

Learn Secure Coding

Build your secure coding skills in C/C++, iOS, Java, .NET, Node.js, PHP and other languages.

Sources

  • OWASP Secure Coding Practices Quick Reference Guide - https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  • OWASP Top 10 - https://owasp.org/www-project-top-ten/
  • CERT Top 10 Secure Coding Practices - https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices?focusedCommentId=88044413
Srinivas
Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com