parsonsisconsulting

Parsons Software Security Consulting Blog

Secure Coding

With 95 percent of Web applications having software security vulnerabilities, secure coding has never been more important. 80 percent of all web applications have cross-site scripting vulnerabilities, and 62 percent have the more dangerous SQL injection vulnerabilities. If organizations follow simple secure coding practices, a majority of these vulnerabilities can be eliminated.
With these vulnerabilities eliminated, the attack surface of your organization is greatly diminished, helping to ensure the confidentiality, integrity and availability of your business-critical web applications.
This article will talk about high-level application security concepts, Java security, .NET security, and web application security vulnerabilities and remediation steps.
Secure coding has to be implemented early in the software development process to ensure the application is secure and free from most vulnerabilities. Security is based on the remediation of design flaws and bug flaws.
Bug flaws are the cross-site scripting and SQL injection vulnerabilities, whereas design flaws are the improper use of authorization and cryptography to protect a web application. Both bugs and design flaws must be remediated to have a secure application.
Secure coding starts with senior management implementing a secure coding culture and giving developers the time and the tools to remediate software security vulnerabilities. Education is always important. A developer must be taught to write secure code in order for your application to be secure. Lunch and learns and training help. Online training is a good way to teach many developers the basic concepts of secure coding. Individual specialized training is a great way to take developers beyond the basics and teach them the secure coding concepts of the language in which they program.

As the figure above illustrates, it is a good idea to have defense in depth in order to protect the business-critical application.

A short checklist of what developers should and should not do is beneficial in remediating software security vulnerabilities. An example of a "should" requirement is that all developers must validate all input and use parameterized queries. A "should not" requirement would be that developers must not use MD5 hashing to protect sensitive credentials; instead they should use something stronger, such as SHA-256. Telling developers what they should and shouldn't do is only beneficial if you show them what could and eventually will happen if they do not follow secure coding policies. A good checklist is as follows:

1. Where is the application? Where does it reside?
2. Who uses the application? What is the use case scenario?
3. Who are the attackers?
4. What does the application do?
5. What are the vulnerabilities in the application?
6. Implement policies that are already being used, such as BSIMM.
7. Use automated review for large applications.
8. Create a secure coding check list.
9. AUDITING AND LOGGING
10. COOKIES AND PASSWORDS
11. TECHNOLOGIES THAT CANNOT BE USED
12. ATTACKS ON SESSION
13. WHAT COULD AN ATTACKER DO TO YOUR APPLICATION
14. PASSWORD POLICIES
15. GETS AND POSTS
16. ACCESS CONTROL POLICIES
17. VALIDATE ALL INPUT
18. UPLOADS AND DOWNLOADS OF FILES
19. PREVENT XSS
20. PREVENT SQL INJECTION
21. INFORMATION LEAKAGE
22. APPLICATION DENIAL OF SERVICE
23. DOCUMENT SECURITY
24. CENTRALIZE SECURITY
25. CODING RULES
26. TESTING

With training, secure coding should be implemented early in the development process, whether you are using traditional waterfall methods or agile methods. Implementing security in the requirements and design phase is much more effective than bolting security on once the product is released.
SD3 is important to follow: secure by design, secure by default and secure by deployment. Following SD3 ensures a holistic approach to application security. Security best practices such as running production applications with least privilege and using white list regular expressions for validation are also helpful. In order to reduce the attack surface of the application, it is necessary to use only the services that your application requires. The server administrators must turn everything else off. Too often applications are attacked through insecure, unused services.
If there is only one aspect of secure coding to remember, it is not trusting input and validating all input. This is important whether the input is coming from a user or from a system in your web application. User input must be sanitized and checked with length checks, range checks and format checks. It is necessary to use defense in depth and to learn from mistakes when attacks happen. Manually reviewing source code with peer code reviews and static code analysis finds security bugs early. Threat modeling and use case scenarios find design bugs early. Having an internal application security department or a third party test the web application with penetration testing and ethical hacking verifies that the vulnerabilities have been fixed to an acceptable level to publish the application to users.
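
The length, range and format checks described above, combined with white list regular expressions, as an added example that is not part of the original article. The form fields, limits and patterns are assumptions chosen for illustration.

```python
import re

# Allow-list patterns (names and limits are assumptions for this example).
# ASCII classes are spelled out: "\d" would also accept non-ASCII digits.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
ZIP_RE = re.compile(r"[0-9]{5}")
AGE_RE = re.compile(r"[0-9]{1,3}")
MAX_LEN = 64            # length check, applied before any pattern runs
AGE_MIN, AGE_MAX = 13, 120
FIELDS = ("username", "zip", "age")


def check_format(value, pattern):
    """Return None if value passes, else the name of the failed check."""
    if not isinstance(value, str):
        return "missing"
    if len(value) > MAX_LEN:
        return "length"
    # fullmatch() requires the whole value to conform; match() with "$"
    # would let a trailing newline through.
    if not pattern.fullmatch(value):
        return "format"
    return None


def validate_signup(form):
    """Return (clean, errors); clean is None unless every check passes."""
    errors = {name: "unexpected" for name in form if name not in FIELDS}
    patterns = {"username": USERNAME_RE, "zip": ZIP_RE, "age": AGE_RE}
    for name in FIELDS:
        failed = check_format(form.get(name), patterns[name])
        if failed:
            errors[name] = failed
    # Range check runs only once the format check has proved age is digits.
    if "age" not in errors and not AGE_MIN <= int(form["age"]) <= AGE_MAX:
        errors["age"] = "range"
    if errors:
        return None, errors
    clean = {"username": form["username"], "zip": form["zip"],
             "age": int(form["age"])}
    return clean, {}


# Constructed sample submissions.
GOOD = {"username": "alice_01", "zip": "90210", "age": "34"}
BAD = {"username": "alice\n", "zip": "\u0661\u0662\u0663\u0664\u0665",
       "age": "200", "role": "admin"}

if __name__ == "__main__":
    print(validate_signup(GOOD))
    print(validate_signup(BAD))
```

The validator rejects rather than repairs: a submission with any failing or unexpected field yields no clean data at all, so downstream code never sees partially validated input.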
Secure code must be: seamless, easy to understand, cognizant of attack, unobtrusive, resilient, error tolerant.

One Response

  1. Secure coding must be implemented in all stages of an application development life cycle, and I feel that with the help of an accurate training plan developers can effectively secure the application.

    Dot Net Training In Mumbai

    February 14, 2014 at 7:43 am

