Libraries and frameworks to help you create secure code
Introduction: Cybersecurity is not an on/off switch
Security is holistic. You’ll no doubt have heard that a lot if you work in the industry, especially over the last few years. It’s true, too. Cybersecurity is not an on/off switch. If you create a digital application, platform or service, it is a process that begins when software is created.
Research findings such as that from the U.S. Department of Homeland Security (DHS) back this up. They found that 90 percent of cyber-attacks were as a result of exploited vulnerabilities in source code. (1)
Learn Secure Coding
More often than not, software developers use code libraries to help with the creation of an application. This discipline can also be used in secure coding.
Starting to code securely
If you want to develop secure applications, security must be considered from the start and throughout the development and deployment cycle. Before thinking about coding, therefore, it is important to first learn about the major pitfalls in the code’s environment. For example, a cloud backend for a mobile app will have different security coding considerations when compared to the app itself.
Secure coding libraries or frameworks are not common; some are simply documentation-based, which, in reality, cannot be enforced. Others are more interactive or provide code samples or secure libraries and functions.
In general, code frameworks and libraries tend to be focused either on Web applications or encryption. Language coverage for either is also variable. However, even if your chosen language is not supported it can often be instructive to see how it’s done in another language.
Libraries and frameworks to help develop secure code
Here are some of the better-known frameworks and libraries available to help you ensure your code is securely generated:
- Frameworks for Web applications are commonly based on OWASP recommendations for secure coding practice. The OWASP Security Knowledge Framework (SKF) is freely available and supports several languages including Java, PHP, GO, etc.
- Focusing on prevention of common vulnerabilities, such as CSRF, XSS, SQL Injection and so on. Also provides examples of best practice for common operations such as password storage, audit logs, file upload, etc.
- Additionally, it provides checklists of the requirements needed to attain specific security verification levels, for use during both design and implementation stages
- Overall, the Security Knowledge Framework is an excellent framework for Web applications and should be the first stop for any web application developer.
- If you are an Enterprise developer, look at the Spring Security Framework. This framework provides common functionality for authentication and authorization
- Most of the Web-oriented programming languages have general purpose frameworks available that include built-in security functionality. However, because of the complexity of many of these frameworks, security vulnerabilities are common; their use should be approached with caution. Keeping such frameworks up to date and checking regularly for vulnerability reports is of paramount importance
- For programmers working with lower level languages such as C, perhaps the most common source of serious vulnerabilities results from buffer overflow attacks. The use of safe memory allocation and string manipulation libraries and functions can play a major role in reducing these flaws. It needs to be noted that these are not cure-alls, and verification of the expected size of input data is often paramount in securing a system against this form of attack
- An example where this was not done led to the infamous Heartbleed fault in OpenSSL. A document framework that covers security for C developers is set out in the SEI CERT Coding Standard
- Verified libraries for encryption are always better than attempting to write your own versions of common encryption algorithms. These libraries are readily available for all common languages and come with test vectors to verify operation. Again, it must be stressed that simply using a verified version of an encryption algorithm will not actually prevent your application from being vulnerable: you have to be sure the algorithm is being applied appropriately
- Some IDEs provide useful framework tools to help developers follow secure coding standards. For example, JetBrains’ IntelliJ IDEA for Java supports Framework for Secure Coding, a plug-in that detects violations to security standards in real-time using SEI CERT Secure Coding Rules. Such tools give very valuable immediate feedback to the developer, highlighting potential security violations and helping to ensure code conforms to security standards
Check framework and libraries for vulnerabilities
Having written your code to a secure standard, your hard work may still be undone if you are using additional libraries or frameworks that include vulnerabilities. All third-party libraries should be examined for vulnerabilities. In addition, you should take the time to understand functions and classes that you use and check yourself that these work in the way you expect.
As an example, consider a server-side framework you might use to retrieve some data from, say, a database, to be displayed in a webpage. Does the framework sanitize the data to prevent XSS attacks, or will you be responsible for that process?
As coders are human, errors can creep in, and security coding blunders are no exception. This is why it is good security practice to use a source code validation tool or service (e.g., CheckMarx) throughout the development and production life cycle to make a final check for vulnerabilities.
Code securely, secure holistically
Remember that your code is only part of an overall system, and the overall security depends on the other system components and how your code interacts with them. A good overview of the entire system and your code’s interactions with it will help prevent major security vulnerabilities. For example, does your app send over internal or external networks to other components? If so, should you be ensuring that these data are protected by encryption and/or digital signatures prior to transport?
When you build a discipline of secure coding, try to utilize the help offered in the form of frameworks within the body of standards. In doing so, you can make your life easier and get better, safer code at the end.
Learn Secure Coding
Thanks to Dr. Steve Hitchen for his advice as an advocate of secure coding best practices on writing this piece
Sources
- How Do Vulnerabilities Get Into Software?, Veracode
- SEI CERT Coding Standards, Carnegie Mellon University
- Security Knowledge Framework, OWASP
- IntelliJ IDEA, JetBrains
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Libraries and frameworks to help you create secure code
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding