Application Security

3 errors in the secure coding process

Vulnerabilities are the result of human error. Many don’t like it, but most web application security issues are the result of errors during the coding process.

Therefore, if we think more clearly, the best approach to creating secure software is to do everything possible to avoid errors in the development process.

When we talk about training on the most common mistakes made by developers, we also say that many of the mistakes could be easily avoided by following the guidelines present in various development guides, such as the Open Web Application Security Project (OWASP).

The developer will basically find details on how to proceed with input validation, output coding, access control, communication security, data protection, cryptographic practices, etc.

1. Failures in Education and Awareness

We mentioned above that developers are responsible for the vulnerabilities present in the code.

However, these vulnerabilities are not deliberately left in the code, what we see is that many developers do not have the proper knowledge for creating secure code.

One of the problems we can identify is that even though universities have a focus on teaching details of languages ​​and how they should work, few if any have specific chairs for code security.

This point is even more evident when we have several generations of developers, the older ones were educated at a time when security concerns were much less.

Therefore, in order to ensure that the teams have a more level knowledge, it is necessary to create a leveling and education program for the teams so that in this way everyone has the initial knowledge on the topic.

We talked about this a lot in our article about the importance of training.

However, a major problem is that often the managers of development areas do not have the view that the lack of proper education of their teams carries a very high risk within companies.

A developer without the proper knowledge of security can be trained, educated, but a manager who does not realize the importance of security in his daily life will hardly understand the risks to which he is exposed.

Many managers assume that these professionals already leave the colleges with adequate knowledge to work with safe development, however this is not true!

Certainly, we need to understand that no matter how good our developers are, we will always have new techniques and new attack methodologies, and this can only be solved with a constant training program.

Your developers will make mistakes, and this can be a great learning opportunity.

Do not keep development and security teams at bay, they must work together, they must have common goals. These two teams can learn a lot from each other and this knowledge and opportunity cannot be lost.

2. Lack of validation

Even if your developers are more aware and have more security knowledge, they will still make mistakes.

An experienced manager cannot simply rely on the knowledge of his developers to create secure code, that is not enough.

You need tools to help you identify possible flaws in your codes.

In an ideal development model, we will have tools integrated into the development process and thus conduct code scans whenever the process goes through a stage.

We have already covered tools in secure development processes in one of our articles.

We believe that tools are necessary within the development process, however we must not believe that they alone will be the only solution to our code security problem.

Although, you have a great code scanning tool, you will need a qualified and experienced professional to analyze and validate the results of the tool, so we come back to the issue of training and education.

Although the tests are carried out during the development process, it is necessary to carry out additional tests, which bring the certainty of an operationally safe application.

The goal is to create layers of protection for the software code, allowing coding errors to be identified and corrected more quickly and as soon as possible.

3. Late Tests

To achieve better code security, it is not enough for development to have implemented secure coding requirements or even to have secured coding guidelines, in addition to having built a test infrastructure.

The creation of a secure code cannot be based only on the observance of some principles put forward as coding rules.

A safe code is also the result of a change in mentality and culture and, therefore, the best result will be achieved when the development team understands that thinking about security is also their responsibility.

Developers and their teams should not only feel that they are required to follow a set of rules or guidelines, they must primarily have a legit interest in creating secure code.

Many teams assume that tests will be carried out, that other teams will be looking at the code for errors and / or flaws and therefore do not have to worry about developing the code safely.

These teams need to understand that there is a process and that each of the steps directly or indirectly influences the others and this has an impact.

Assigning responsibilities can and should be assessed by managers.

This does not mean that we are going to punish developers, but it makes them more and more responsible for their code, and this is achieved by making them the owners of the code, they have to understand and think as their final product. 

Don’t just rely on policies

After all we’ve put here, we want you to realize that basing your code’s security on security policies alone won’t be the best possible solution, even if they are necessary.

Security starts with the right thinking when building applications.

About author

Articles

Over 15 years of experience in Information Security and Applications, graduated in Data Processing worked as a Professor and participated actively as an instructor on trainings to more than 6000 developers and IT teams. Father of two daughters and trader on free time.
Related posts
Application Security

Phishing scam using Conviso's name: don't fall for it!

In the past few days, a few customers have reported to us that they have been receiving phishing…
Read more
Application Security

Webinar: PIX and the Secure Development

Much has been discussed about PIX, the new digital and instant Brazilian payment system developed by…
Read more
Application Security

Which topics should an AppSec Training Contemplate?

The development market seems to be becoming more and more aware of the need for Application Security…
Read more

Deixe um comentário