Define and Apply Secure Coding Guidelines and Standards
In this section of this tutorial, we’ll take a look at defining and applying secure coding guidelines and standards to help you understand the different aspects of secure coding. Organizations that develop software need to develop policies and standards regarding the development of source code to reduce the number of vulnerabilities that could lead to errors, incidents, and security breaches.
Security of Application Programming Interfaces
An Application Programming Interface (API) allows an application to communicate with another application, or an operating system, database, network, etc.
The Open Web Application Security Project (OWASP) Enterprise Security API Toolkits project includes these critical API controls:
- Access control
- Input validation
- Output encoding/escaping
- Error handling and logging
- Communication security
- HTTP security
- Security configuration
Read more detail about OWASP at www.owasp.org.
Secure Coding Practices
The goal of secure coding practices is the reduction of exploitable vulnerabilities in tools, utilities, and applications. Here are some of the factors related to secure coding:
- Tools: From the selection and configuration of integrated development environments, to the use of static and dynamic code testing tools (SAST and DAST, respectively), tools can be used to detect the presence of source code defects including security vulnerabilities.
- Processes: Processes define the sequence of events. In the context of software and systems development, these processes must include security-related steps such as peer reviews and the use of vulnerability scanning tools.
- Training: Training in secure development is essential. Unfortunately, secure coding is not a part of university training, so organizations must make up for this shortcoming.
- Incentives: Providing incentives will help software developers pay more attention to whether they’re producing code with security vulnerabilities.
Top Ten Software Risks
The top ten software risks cited by OWASP are:
- Injection
- Cross-site scripting (XSS)
- Broken authentication and session management
- Insecure direct object reference
- Cross-site request forgery (CSRF)
- Security misconfiguration
- Insecure cryptographic storage
- Failure to restrict URL access
- Insufficient transport layer protection
- Unvalidated redirects and forwards
The developer must keep the goals of secure coding in mind to achieve confidentiality, integrity and availability of information.
It is important for a development team to consider security vulnerabilities and software security flaws at any stage of the SDLC, including:
- Undefined Security Requirements
- Conceptual design with logic errors
- Technical Vulnerabilities
- Poor Coding Practice
- Improper Deployment
- Flaws in maintenance and updating
OWASP Secure Coding Best Practice
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- Database Security
- File Management
- Memory Management
- General Coding Practices