A few queries to your favorite Internet search engine will show no end to the advice regarding best practices for secure coding. The good news is that this is an area where the more you know, the better off you are; the bad news is that trying to make sense of all of the information is nothing short of overwhelming .
Luckily, we can summarize those search engine results into 10 best practices for secure coding.
1. Plan Ahead to Prevent Security-Related Surprises
Bug fixes, troubleshooting, and coding practices are not substitutes for proper planning. Because your application is vulnerable during every stage of the development lifecycle, it is important to take the advice given by the Open Web Application Security Project (OWASP) in its Secure Coding Practices – Quick Reference Guide. OWASP suggests you identify security requirements up front, implement a secure software development framework, establish secure coding standards, provide software security training to development teams, and consistently verify the effectiveness of security controls throughout the project lifecycle.
2. Validate Data Input and Other Proactive Measures
If your form is collecting dates (for instance), accept nothing else entered by users of your application. Validate all input fields for length, range, character encoding, character sets, and expected data types.
Filtering out hazardous blacklist characters like parenthesis and special characters is one possible approach, but whitelisting can be more effective. To accomplish this, take advice from the OWASP list of top ten proactive controls. Here are a few of their recommendations for things to do in advance:
· parameterize SQL Queries to avoid seeing your database stolen, wiped, or modified;
· encode your data to ensure special characters are properly handled;
· use regular expressions to ensure all data uses expected and safe characters;
Finally, always using centralized input validation routines future-proofs your application by allowing you to make a single change that updates all of the forms within your application.
3. Control Access to Your Application
Simply stated, always permit the least access possible to the least number of team members. Allow only authorized users to access items like protected URLs, application data, and files.
Always filter requests made by outside parties and third-party services through individual, dedicated accounts. Engage controls that authenticate and verify the identity of all users of the application. Enforce access controls for all application activity and deny access by default).
4. Develop Detailed Error Handling and Logging Files, and Keep Them Secure
Few things are as valuable to developers as detailed error handling and full log files. Just be sure to develop these carefully: trap (and release) error conditions, log successes as well as failures, do not display system information or session identifiers in messages displayed to users (public or otherwise), and do not store sensitive information in logs.
Monitor logs for irregularities and intrusion. Be sure to instruct your team on safe log-review practices. Air-tight applications can be compromised in a hurry by developers insecurely emailing log files back and forth.
5. Update System Design and Network Configuration to Maintain Security
Keeping your servers, frameworks, and requisite system components updated and running the latest approved software versions is critical. But that’s not all you need to do. The following offer definite security benefits: turn off directory listings, remove files and functionality that aren’t required, and restrict network account privileges.
Implementing a change management system will allow you to more accurately track changes made to server and network resources (including security patch levels, service packs, and configuration changes).
6. Secure the Weakest Link: Database Design and Access
Everybody knows that the database is precious, but it is also the most vulnerable piece of your application. One worry is that data could be viewed when it shouldn’t, but don’t discount the damage that can be done by a little sabotage (like injecting false data or dropping entire tables).
Take good care of your database with a few simple rules of thumb: never give write access when read access is enough (there is no harm in utilizing several users with different credentials as required), ensure variables are strongly typed and that all queries are parameterized, close connections as soon as possible, and use stored procedures as much as possible (to abstract data access).
7. Standardize Commenting and Documentation
Very few developers see the value in well-commented code and documentation. After all, it all makes perfect sense to them. Even beautifully formatted code (with consistent indentation) becomes obscured with time, especially as development teams change.
Developers shouldn’t document what the code is doing since that should be self-evident, but instead describe why they are doing it. It’s also important to use meaningful variable and function names and to strive to have self-describing code.
The easiest way to ensure code is written according to your coding standards is to use a static analysis tool to automatically enforce it. One such tool is Checkstyle for Java, which comes bundled with Code Dx’s suite of products—Stat! and Enterprise.
8. Manage Users, Sessions, and Permissions
Users are the reason your application exists, but they are also its greatest security threat.
Don’t let business-card roles dictate your authentication scheme: managers often have the least training but carry the most access.
Be sure to track authentications and prevent concurrent logins with the same user account (and always enforce a timeout for each session, setting a new and unique identifier with each re-authentication).
9. Review, Review, Review Your Security Procedures
Your team has done good work and careful consideration has been given to every security risk—but we are still human, and new vulnerabilities are emerging and evolving all the time.
Let Code Dx do some of the heavy lifting with our software tool that scans for, consolidates, and normalizes software security vulnerabilities. We can give you a quick demo, or you can just download a 14-Day Trial and try it out yourself.
Scan for security vulnerabilities before you deploy your application, following any updates, and at regular intervals to ensure your application stays secure.
10. Keep It Simple, Stupid (KISS)
There is always the temptation to add glitz and glam to applications, especially when trying to impress those footing the bill. Bells and whistles may look nice in a demo, but they make for more to maintain, introduce security risks, and add confusion for your users.
By adopting these best practices as a sort of comprehensive checklist, defending your code is a manageable task for any developer (whether newly minted or a skilled expert).