hile you won’t be writing applications as Linux administrator, understanding secure coding best practices as application security bugs are often used to attack networks, so we are going to give you the low down on how secure applications are created. Before getting into the weeds of secure coding best practices, there are some basics you need to understand first
Secure Coding Best Practices: The Basics
Compiled vs Runtime Code
- Compiled code: Languages like C, C++ or Visual Basic that are optimized with a compiler and converted into an executable file. The compiler checks the program for errors and provides a report of items developers might like to check. Some commonly used compiled programming
- Runtime code: Evaluated, interpreted, and executed as it is runs, like HTML.
- Hybrid languages: A cross between compiled and runtime code.
Understanding Software Development Methodologies
Software development methodologies attempt to give structure to software development projects. Two common models are waterfall and agile. A key difference between the two is that agile emphasizes interaction between customers, developers, and testers during each cycle while waterfall encourages customer interaction during the requirements stage. The reality is that most software development incorporates aspects of waterfall and agile methods.
Waterfall Method: includes multiple sequential stages going from top to bottom. Each stage feeds the next stage, so when you finish one stage, you move on to the next stage. A short coming of the waterfall approach is the lack of flexibility and it is difficult to revise anything from previous stages.The stage names typically used with the waterfall model include:
- Requirements: Gathering of requirements to produce the requirement document, which provides guidance on what the application will do.
- Design: Creating the software architecture and is synonymous with blueprints for a building.
- Implementation: Write the code based on the requirements and design.
- Verification: Quality assurance to make sure the code meets the
requirements. - Maintenance: changes and updates as desired.
Agile Method: Promotes team interaction as a way of creating a working application, collaborating with the customer/product owner, and responding to changes in short order. Instead of distinct phases, agile uses iterative cycles. with each cycle delivering working software. Testers verify the product works with the current features and then developers move on to the next cycle, with each new cycle adding additional features and incremental changes from the previous cycle.
Code Quality and Testing
Software development companies use a combination of tools and testers to verify the quality of the code with the goal of detecting bugs before it goes live. Quality assurance methods include:
- Dynamic analysis: Checks the code as it is running, commonly using fuzzing to send random data to an application. The random data can crash the program or create unexpected results, indicating a vulnerability to fix before releasing the application.
- Model verification: The process of ensuring that software meets specifications and fulfills its intended purpose.
- Sandboxing: Testing programs in an isolated area of your system.
- Static code analyzers: Static code analysis examines the code without executing it and marking potential issues.
- Stress testing: Attempt to simulate a live environment, determining how effective or efficient an application operates with a load.
Software Development Kits and Code Reuse
The responsible reuse of code is a good standard of practice to follow as well used code has gone through internal testing and has survived the use within the application as this saves time and prevents the introduction of new bugs.
Dead code: Code that is never executed or used and can be created by logic errors
Third-party libraries: Are reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform; JavaScript is an example of a third party library, originally developed by Netscape, it was standardized as an open source language.
Software development kits (SDKs) are third-party libraries from a single vendor.
Encryption
Sensitive data, including PPI is often encrypted while in transit and rest in order to prevent the unauthorized disclosure of data. This means that applications need to:
- Decrypt data before processing it.
- Encrypt the data when the processing is done so it can be stored
- Ensure remnants of the data are flushed from memory.
Certificates are used for various purposes such as:
- Authenticating users and computers.
- Authenticate and validate software code.
Error and Exception Handling
Experienced software developers ensure that applications handle errors without failing; the goal is to catch errors while providing user-friendly feedback to the user. If not caught, an error can cause the application to fail and potentially crash the operating system. Poor error handling techniques provide information about an application to an attacker as when an application doesn’t catch an error, it often provides debugging information an attacker can use against the application. There are two important points about error reporting:
- Users error reports should be general: Detailed errors provide information that attackers can use against the system, so the errors should be general. Attackers can analyze the errors to determine details about the system. If application errors are detailed, the inform can let the attacker know exactly what problem is, allowing them to know the system commands to use.
- Detailed logging of errors: Detailed information on the errors typically includes debugging information and logging this information makes it easier for developers to identify and resolve the issues.
Input Validation
Input validation, the practice of checking data for validity before using it, is of the most basic, yet important security steps that developers can implement; it prevents the sending of malicious code to an application by one of the following actions:
- Sanitizing the input
- Remove malicious code
- Rejecting the input.
Client-side input validation: Is quicker to implement and provides a faster user experience, but is vulnerable to attacks as it’s possible to bypass client-side validation techniques:
- Web browsers let users disable JavaScript in the web browser, bypassing client-side validation.
- Web proxy capture the data sent from the client in the HTTP POST command and modify it before forwarding to the server.
Server-side input validation: Takes longer, but is more secure as it ensures the application doesn’t receive invalid data. Many applications use both. Server-side input validation checks the inputted values when it reaches the server. This ensures that the user hasn’t bypassed the client-side checks.
Using both client-side and server-side validation provides speed and security. The client- side validation checks prevent round-trips to the server until the user has entered the correct data. The server-side validation is a final check before the server uses the data.
Common input validation checks include:
- Blocking HTML code: Some attacks insert HTML code within the input as part of an attack; you can preventing the form from accepting HTML code, such as the < and > characters.
- HTML Sanitization: Other input validation techniques attempt to sanitize HTML code before sending it to a web browser. These methods are sometimes referred to as escaping the HTML code or encoding the HTML code. As a simple example, the greater than symbol (>) can be encoded with the ASCII replacement characters (>). Doing so, along with following specific guidelines related to not inserting untrusted data into web pages, helps prevent many web application attacks. Most languages include libraries that developers can use to sanitize the HTML code.
- Implement boundary/range checking: These checks ensure that values are within expected boundaries or ranges; data outside the range as invalid and the application does not use it.
- Prevent the use of certain characters: SQL injection attacks, use specific characters such as the dash (-), apostrophe (‘), and equal sign (=) to hack the database. Blocking these characters helps to prevent these attacks.
- Verifying proper characters: Some fields such as a zip code use only numbers, whereas other fields such as state names use only letters. Other fields are a hybrid; developers can configure input validation code to check for specific character types, and even verify that characters are entered in the correct order using masks.
Ironically enough and probably expected, the the lack of input validation in one of the most common security issues on web-based applications, allowing many different types of attacks.
Race Conditions
Occur when two or more modules of an application or the applications themselves, attempt to access a resource at the same time. Most application developers are aware of race conditions and include methods to avoid them when writing code. However, when new developers aren’t aware of race conditions, or they ignore them, a race condition can cause significant problems. Most database applications have internal concurrency control processes to prevent two entities from modifying a value at the same time
Secure Coding Best Practices: Standard Operating Procedures
Application Provisioning and Deprovisioning
- Provisioning an application refers to preparing and configuring the application to launch on different devices and to use different application services.
- Deprovisioning an app refers to removing it from a device. For example, if a user decides to delete the app, the app should be able to remove it completely. Leaving remnants of the app consumes resources on the device.
Secure DevOps
Building on the agile methods we discussed earlier, DevOps combines the words development and operations; secure devops involves extensive communication between software developers and operations personnel security considerations throughout the project.
As seen in the diagram above, there are a number of processes and tools within a secure DevOps project:
- Automated testing of code: When modifying code, it’s important to test it and ensure that the code doesn’t introduce software bugs or security flaws.
- Baselining: Applying changes to baseline code every day and building code from these changes.The benefit is that bugs are identified and corrected quicker. In contrast, if all the developers applied their changes once a week, the bugs can multiply and be harder to correct.
- Continuous integration: The process of merging code changes into a central repository. Software is then built and tested from this central repository. The central repository includes a version control system, and the version control system typically supports rolling back code changes when they cause a problem.
- Immutable systems: it’s possible to create and test systems in a controlled environment. Once they are created, they can be deployed into a production environment. As an example, it’s possible to create a secure, immutable image of a server to ensure it stays secure.
Version Control and Change Management
Secure coding practices use version control and change management practices to prevent unintended outages.
- Change management: Ensure that developers do not make changes without go through a specific, predefined process, allowing several people to examine the change to ensure it won’t cause unintended consequences. If the customer discovers a bug due to this change after it’s delivered, the developer may be responsible for fixing it, even if it wasn’t authorized.
- Version control: A tool like GIT tracks the versions of software as it is updated, including who made the update and when. Developers check out the code to work on it and check it back into the system when they’re done, documenting every single change made by the developer.
Summary: Secure Coding Best Practices
- The lack of input validation is one of the most common security issues on web-based applications. Input validation verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation. Input validation protects against many attacks, such as buffer overflow, SQL injection, command injection, and cross- site scripting attacks.
- Error and exception handling helps protect the integrity of the operating system and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.
