When developing a software application or an interface for the business, developers may need to write application code that handles sensitive data, accesses file systems or even manages memory in order to satisfy the business requirements. Due to a lack of security awareness, the resulting programs sometimes meet the functional requirements but fail to meet industry security standards. This can lead to the delivery of vulnerable applications, or at least to the insecure software being addressed only at a very late stage in the SDLC, when various security controls are introduced as part of release cycles.
Secure coding is a set of best practices to follow in order to produce secure and stable software. These are techniques that allow developers to code securely while handling requirements such as processing sensitive data, accessing file systems, granting permissions to resources and so on. It is also important to note that secure coding techniques may reduce the attack surface but do not guarantee 100% software security, as that also depends on a few other factors.
In this article we are going to look at some of the techniques or security best practices that need to be followed while developing an application.
A few items that require complete focus here are:
The set of languages used for developing applications
Frameworks being used & their references
Libraries used, whether developed in-house or externally
It is also important to keep a note of their versions, to check whether inbuilt secure or insecure packages are in use.
Standard code: This technique can be used to develop a secure application by following a set of standard coding practices. The obvious example we are all well aware of is SQL injection, where some programmers would typically include end-user input in the construction of a SQL query rather than using parameterised query structures.
Using Libraries: Depending on the languages and frameworks being used, it may be possible to make use of a secure library that allows programmers to directly reference functions that handle various security requirements. Technology is being developed and improved every day, so programmers are not required to write hundreds or thousands of lines of code to fix a bug.
Custom Code & Custom Libraries: Sometimes it may be easier to develop custom code or libraries that can be reused for producing secure software. This depends on the criticality of the vulnerabilities, policies, trust in external resources, satisfying business requirements and so on. In some cases it may be easier to write custom code that reduces the effort to fix.
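The SQL injection case mentioned under Standard code, as an added example that is not part of the original article: the same lookup written with string concatenation and with a parameterised query, run against an in-memory SQLite database. The table, sample rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_concatenated(conn, name):
    """Insecure pattern: end-user input becomes part of the SQL text."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterised(conn, name):
    """Secure pattern: the SQL text is fixed and the input is bound as data."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: an ordinary name, a name containing a quote,
    # and a value that contains SQL syntax.
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        try:
            unsafe = find_user_concatenated(conn, value)
        except sqlite3.OperationalError as exc:
            unsafe = "query broke: %s" % exc
        safe = find_user_parameterised(conn, value)
        print(repr(value), "| concatenated:", unsafe, "| parameterised:", safe)
```

The concatenated version changes meaning, or fails outright, as soon as the input contains a quote, while the parameterised version always treats the whole value as a name to compare against.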
In the upcoming series, we will try to come up with a list of secure coding practices for some of the critical vulnerabilities. We hope this content is useful for our readers.