Secure Coding Practices for Developers

Between multiple deadlines, new product releases, and features, code review can often be pushed to the bottom of the development team’s to-do list.

Still, going ahead without reviewing and testing new code for its performance and security can lead to big short-term or long-term problems.

As customers today increasingly rely on integrated applications, it has become important for development teams to prioritize quality along with security throughout the development process.

Code quality and security are not the same, but they are closely related. In today’s environment of increasing cyber threats, it seems important for developers to prioritize both criteria.

We’ll cover some Secure Coding (also known as Secure Programming) practices that help you develop more securely and stay proactive about potential security threats.

Clean and check all inputs

Modern web services often interact with various third-party information. As programmers, we know that users insert unexpected things into an application’s inputs.

Ensuring that direct user input is properly validated and sanitized is considered a best practice to prevent injection attacks.

All input must be considered and treated as potentially dangerous. An example, using PHP code, where there is an SQL injection vulnerability due to lack of input sanitization:

The version with the sanitized input:

Don’t keep secrets in code

We recommend that you verify that the code you are building does not contain any sensitive content. If you need to keep sensitive data such as personally identifiable information or financial details, make sure proper encryption is used.

Having team-wide rules to prevent credentials from being stored as code is a great way to monitor for invalid actions in your developer workflow.

Attention! Sensitive data can also remain in your application’s memory. If you handle a secret in your code, avoid holding it in an immutable data type, because an immutable value cannot be overwritten once it is no longer needed.

You should also consider regularly inspecting your repositories with tools that scan your codebase for sensitive information through pattern matching.
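A small pattern-matching scanner of the kind described above, as an added example (not a tool named by the article). The three rules, the placeholder filter and the sample file content are constructed for illustration; the AWS key shown is the documentation example value.

```python
import re

# Illustrative rules only; production scanners ship much larger rule sets.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Values that are obviously templates, not real secrets.
PLACEHOLDER = re.compile(r"(?i)changeme|example|\$\{|^<[^>]+>$")

# Constructed sample standing in for a file from the repository.
SAMPLE = '''\
import os
DB_USER = "app"
db_password = "s3cr3t-Pa55w0rd!"
api_key = "<your-api-key>"
aws_key = "AKIAIOSFODNN7EXAMPLE"
token = os.environ["SERVICE_TOKEN"]
-----BEGIN EC PRIVATE KEY-----
'''

def scan(text):
    """Return (line number, rule name, redacted preview) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Skip template values so the report stays actionable.
            if rule == "hardcoded-credential" and PLACEHOLDER.search(value):
                continue
            # Never echo the full secret into logs or CI output.
            findings.append((lineno, rule, value[:4] + "..."))
    return findings

if __name__ == "__main__":
    for lineno, rule, preview in scan(SAMPLE):
        print(f"line {lineno}: {rule} ({preview})")
```

Run as a pre-commit hook or CI step, a non-empty result should fail the build; the secret read from the environment on line 6 of the sample is correctly left alone.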

Check for vulnerabilities in dependencies and external packages

Modern application development relies heavily on third-party libraries installed through npm, Maven, Gradle, PyPI or a similar package manager. For this reason, it is important to ensure that there are no vulnerabilities in your application’s dependencies.

Let’s use Conviso Platform as an example. The platform statically analyzes application code to find vulnerable dependencies that you may be using and helps fix them. By doing this, the platform manages to prevent users from continuing to use vulnerable libraries.

Apply secure authentication

Authentication verifies that internal and external users, services, or entities are who they claim to be. This can be as simple as the user providing their credentials or the server presenting its TLS certificate to prove its authenticity.

Authentication does not tell you what a user or service can do; it only establishes that the identity they claim is genuine.

Here is an example of this vulnerability in the code indicated by CVE-2019-1937,

Apply the principle of least privilege

This principle states that each module, be it a process, user or program, must have access only to the information and resources necessary for its purpose, within that application.

In this sense, people or processes are only given the minimum privileges and permissions they need to achieve their goals in the system. For example, a site might host admin functionality at the following URL:

https://example-insecure.com/admin

If you don’t apply the principle of least privilege, this can be accessible to any user and not just administrative users who have a link to the functionality in their user interface. In some cases, that sensitive URL might be exposed in places like the robots.txt file:

https://example-insecure.com/robots.txt

Even when the URL is not listed there, the application may still leak it to users. In this example, the URL can be served in JavaScript that builds the UI based on the user’s role:

The advice is to use a single application-wide mechanism to enforce access controls, declaring allowed access for each resource and denying access by default.
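One way to express that advice, as an added example (not code from the article): a single policy table that every request passes through, with access denied whenever no rule matches. The routes other than /admin and /robots.txt, the role names and the status-code mapping are assumptions.

```python
# Single application-wide policy: each resource declares who may reach it.
# (path, allowed methods, allowed roles); all entries are illustrative.
POLICY = [
    ("/admin",      {"GET", "POST"}, {"admin"}),
    ("/account",    {"GET", "POST"}, {"admin", "user"}),
    ("/login",      {"GET", "POST"}, {"admin", "user", "anonymous"}),
    ("/robots.txt", {"GET"},         {"admin", "user", "anonymous"}),
]

def authorize(role, method, path):
    """Return True only when an explicit rule grants access."""
    for prefix, methods, roles in POLICY:
        # Match the resource itself or anything beneath it, on a segment
        # boundary, so "/administrator" is not covered by the "/admin" rule.
        if path == prefix or path.startswith(prefix + "/"):
            return method in methods and role in roles
    return False  # no rule matched: deny by default

def handle(role, method, path):
    # Every request goes through the same check before any handler runs,
    # so knowing or guessing a URL grants nothing.
    if not authorize(role, method, path):
        return 401 if role == "anonymous" else 403
    return 200

if __name__ == "__main__":
    # Constructed requests: (role, method, path)
    for req in [
        ("admin", "GET", "/admin"),
        ("user", "GET", "/admin"),            # URL known, role not allowed
        ("anonymous", "GET", "/admin/users"),
        ("user", "GET", "/debug"),            # route missing from the policy
        ("anonymous", "GET", "/robots.txt"),
    ]:
        print(req, "->", handle(*req))
```

Because the check is server-side and central, hiding the admin link in the UI or leaving it out of robots.txt becomes irrelevant to who can actually use it.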

Security techniques to add value to your work as a developer

Without knowledge of optimization, security culture, correct tools and processes, software can accumulate code issues that will affect the user experience. Thus, the purpose of this article was to encourage you to seek and study more about security during programming.

By developing software with clean and secure code, you get a product that can be constantly improved, quickly and cost-effectively.

The odds are in your favor, as high-quality, secure code increases the overall value of the product, reducing costs and making upgrades and maintenance easier.
