Secure Coding Guidelines And Best Practices For Developers

This tutorial explains Secure Coding, how to avoid Security-related Vulnerabilities, and Provides Coding Guidelines & Checklist for Secure Coding Practices:

To have security built in the software and to implement Secure Coding Guidelines and Best Practices, the entire organization along with the team identified to work on the intended Application Development needs to consider certain aspects.

Here, we will discuss those aspects that help to develop a secured software.

Secure Coding Guidelines

It is as simple as that if a developer does not know what is meant by ‘Security for the software’ and how a hacker can hack their software, take control of it & try to exploit then it’s simply impossible to code a secure software. So, the developer must first understand the meaning of Secure Coding.

What Is Secure Coding?

Secure coding is to design and develop software by avoiding the weaknesses that lead to security-related vulnerabilities by adhering to the specified security standards, and industry best practices.

The very first question that arises in everyone’s mind is ‘How much Security is required for our Software’ or When can we say our software is Secured? and What are those security standards?

Frauds and security threats are increasing day by day and we are seeing new varieties and ways of hacking, even in the so-called most secured software.

Recently we heard UIDAI‘s Aaadhar program getting tampered for personal data. Hence it is really difficult to know how much security is required for the software and what are the security standards unless we understand the threats involved in the software and prioritize them based on the risks to the business.

It may be possibly difficult to provide 100% security protection to the software, but if the Program Team analyzes the Risks and Securities that are involved in their software i.e. potential threats and if the team can take care of mitigating those risks, then it would be good from the security point of the application.

Thus, the very first task for the team is to identify and analyze the risks and securities that are involved in their application and understand the possible mitigation options and adopt the best option accordingly.

So, once identified the top ten vulnerabilities classify almost all of the attacks that a program is likely to face. This will help to make sense of the threats and prioritize the security and development efforts more towards prevention than mitigation.

E.g. While we are planning to develop a healthcare-related app, that handles and stores the individual’s health data and their personal information, the top most security risk for the application is to steal the personal health data.

Risk Mitigation

To mitigate the risk,

  • Implementation of security for access to data by an unauthorized user needs to be handled with proper authentication and authorization (strong password policy implementations, 2 Factor Authentication).
  • Care needs to be taken to ensure that there is no data leak during transmission of data from one source to another source by implementing secured channels (HTTPS) of data transmission and implementing data encryption during transit.
  • Tampering or stealing of data at rest is also another possibility. Hence, storage of personal health data (Using encryption) is very essential.

Before going to the ‘Secure Coding Standard’, it is always better for the entire program team to have a ‘Security Awareness Session’ and discuss and brainstorm about,

  • The requirement of security for their specific product.
  • Possible benefits that a hacker would have by hacking their system.
  • Possible ways and means of security compromises of their application.
  • Common Security Practices followed in a similar industry and domain.
  • Understanding of typical security issues of their respective programs.

It also helps the team to handle better, if they can understand the Sources of the Vulnerabilities that their software can face and the reasons due to which the software is built with Poor/Inadequate Security.

Reasons For Inadequate Security Implementation

In general, the following are a few reasons for inadequate security implementation in the application.

  • Priority is given for Functional Release than Security aspects.
  • Ignorance or No Awareness about Software Security and Hackers.
  • Not enough clarity on the Program or on the Software Design itself.
  • The complexity of the Program.
  • Not enough data, information on the live system where it will be deployed.
  • No consideration of Security in the SDLC phases.
  • Insufficient knowledge and understanding of the specifics of the language used in the software.
  • Not enough knowledge to the team and developers about Security Coding Guidelines.

We know that it is not that all Developers and Testers are aware of the Security of an application and may not have an in-depth understanding of security vulnerabilities and exploits, especially to the application that they would be working upon. Generally, they will be familiar with, ‘How to code functionally’ but not all of them know ‘How to code securely’.

Hence the very important aspect for the organization to adopt Secure Coding Practices in their software is to first ‘Train People’. So, training their team on Secure Coding Aspects, Best Security Coding Practices and the Correct Tool usage is very important.

The most important Design Principle of Software Security is to ‘Implement Security by Design and Default’.

Secure Coding Guidelines

To achieve security, it is very essential to have a ‘Secure Coding standard’ identified for a program at the very beginning of the application development, and this helps the team in taking care of the Secure Defaults for the software and help to protect it from the attacks.

It is essential to ensure that the entire team is Enforced to Adhere to this Standard, irrespective of the coding language, and the tools that they are using in the program.

Given below are a few examples that need to be implemented by default in the secure code design:

  • Access should be restricted to authenticated users only and authentication needs to be implemented at every layer.
  • The communication channels need to be encrypted to protect authentication tokens.
  • All keys, passwords, and certificates need to be properly stored and protected.
  • File encryption, database encryption, and data element encryption need to be implemented.

Language Selection For Secure Coding

The language selection for coding may not be dependent on secure coding. There is nothing specific as a secured or unsecured language for coding to build a secured software.

It is just how we use a programming language to build the software and how much in-depth knowledge the developer has about the coding language in implementing security aspects.

However, it is clarified that, though Secure Coding Standards are independent of the selection of the language, the Secure Code Best Practices are language-dependent, Platform dependent, and Implementation dependent.

Thus, to have a Secure Code, it is essential for the Developer to have in-depth knowledge of the language that is being used in the program, so that the security best practices can be implemented easily.

Example:

  • The probability of buffer overflow vulnerability differs from language to language, but C, C++, and Assembly are considered most susceptible due to their outdated memory management capabilities. Several standard C lib functions, such as strcpy() and memcpy(), are vulnerable to buffer-overflow attacks. Incorrect usage of these functions, by copying a source buffer that is too large to fit into the destination buffer results in buffer-overflow.
  • The common problem in Java-based web applications is the possible resource leaks that can occur due to open system resources, such as a file, socket, and database connections.

Next aspect of security is about the tools to be used in the Application Program to optimize security, using tools such as Integrated Development Environments will be most beneficial as they provide a lot of Alerts to users and bring attention to those alerts to try and improve the quality of the software.

  • Integration of commercial or Open-source libraries/plugins such as Eclipse, Spring Tool Suite, RAD with IDE helps the developers to write secure code by detecting and identifying potentially vulnerable code and provides alerts on findings related to malicious file execution, information leakage, and improper error handling.

It is also essential to use the Static and Dynamic Analyzers to improve the Security aspects of the software. Generally, Static analyzers are optimized for specific types of error, so they end up finding a large number of false positives while identifying specific errors. Sometimes there are possibilities that they miss the actual errors too.

Hence it is recommended to use multiple Static Analyzers to get better coverage of different types of errors and to avoid a lot of false positives. At times, it is also recommended to carry out manual testing to eliminate false positives.

Secure Coding Rules And Recommendations

It will be good for the Program to define a set of ‘Secure coding Rules and Recommendations’ to which the source code can be evaluated for compliance so that the testers can carry out the ‘Conformance Compliance Testing’ for each of these secure coding standards.

Hence the security code can be certified as Conforming or Non-Conforming using those rules against the set benchmark.

Few of the rules mentioned below can be used to check for security violations:

  • Files need to be closed when they are no longer needed.
  • Whenever passing a structure across a boundary, information leakage needs to be avoided.
  • Objects should be declared with appropriate storage durations.

So, test cases to verify these rules need to be designed and carried out to check the conformance compliance. It is also identified that most of the vulnerabilities are caused by typical common programming errors.

Hence, the Developer needs to understand ‘Insecure Method of coding’, while they also learn the best practices of Secure Coding. It is ideal to gather the most common programming errors that contribute to the security vulnerabilities of their application so that they can be taken care of while coding.

Such typical programming errors are contributed mainly from buffer overflows, cross-site scripting, and injection flaws.

Some of the typical programming vulnerabilities include,

  • SQL Injection (Improper Neutralization of Special Elements used in an SQL Command).
  • Integer overflow.
  • Buffer overflow (Buffer Copy without Checking Size of Input).
  • Uncontrolled format string.
  • Missing authentication and authorization (Incorrect authorization).
  • Sensitive data exposure.
  • Improper error handling.

Some of these errors may lead to system crash, unanticipated access to the system, and the control of the software being lost to the hackers.

Common Programming Errors To Be Avoided

Few common Programming Errors that need to be avoided are listed below:

  • Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).
  • Buffer Copy without Checking the Size of Input (‘Classic Buffer Overflow’).
  • Missing Authentication for Critical Function.
  • Missing or Incorrect Authorization.
  • Use of Hard-coded Credentials.
  • Missing Encryption of Sensitive Data.
  • Unrestricted Upload of File with Dangerous Type.
  • Reliance on Untrusted Inputs in a Security Decision.
  • Execution with Unnecessary Privileges.
  • Cross-Site Request Forgery (CSRF).
  • Download of Code Without Integrity Check.
  • Incorrect Calculation of Buffer Size.
  • Improper Restriction of Excessive Authentication Attempts.
  • URL Redirection to Untrusted Site (‘Open Redirect’).
  • Uncontrolled Format String.
  • Use of a One-Way Hash without a Salt.

Checklist For Secure Code Practices

Last, but not the least, after considering all the above points of Secure Software Development aspects, the Developers need to follow the Checklist established for the Secure Code Practices to ensure that things are not missed out. Given below are a few but not an exhaustive list.

Input Validation:

  • Do not trust input, consider centralized input validation.
  • Do not rely on client-side validation.
  • Be careful with canonicalization issues.
  • Constrain, reject, and sanitize input. Validate for type, length, format, and range.

Authentication:

  • Partition site by anonymous, identified, and authenticated area.
  • Use strong passwords.
  • Support password expiration periods and account disablement.
  • Do not store credentials (use one-way hashes with salt).
  • Encrypt communication channels to protect authentication tokens.
  • Pass forms authentication cookies only over HTTPS connections.

Authorization:

  • Use least-privileged accounts.
  • Consider authorization granularity.
  • Enforce separation of privileges.
  • Restrict user access to system-level resources.
  • Use OAuth 2.0 protocol for Authentication and Authorization.
  • Carryout API Validation.
  • Whitelist allowable methods.
  • Protect privileged actions and sensitive resource collections.
  • Protect against Cross-site resource forgery (CSRF).

Session Management:

  • Create a Session identifier on the server.
  • Terminate the session with the Logoff.
  • Generate a new session on re-authentication.
  • Set the ‘secure’ attribute for cookies transmitted over TLS.

Cryptography:

  • Use cryptography while ‘Data in transit, Data in storage, Data in motion, Message Integrity’.
  • Do not develop your own. Use tried and tested platform features.
  • Keep unencrypted data close to the algorithm.
  • Use the right algorithm and key size.
  • Avoid key management (use DPAPI).
  • Cycle your keys periodically.
  • Store keys in a restricted location.

Logging and Auditing:

  • Identify malicious behavior.
  • Know what good traffic looks like.
  • Audit and log activity through all of the application tiers.
  • Secure access to log files.
  • Back up and regularly analyze the log files.

Output Encoding:

  • Carryout ‘Input Validation (XML, JSON….).
  • Use Parameterized query.
  • Carry out ‘Schema validation’.
  • Carry out Encoding (XML, JSON..).
  • Send Security Headers.

Reference: OWASP Secure Coding Practices Checklist (In short, SCP Checklist)

Tabular Summary Of Secure Coding Checklist

The below table summarizes the ‘Things to Remember for Secure Code’ of an application.

#What?
1To understand clearly, ‘What Secure Code is’?
2To understand the common ‘Sources of the Vulnerabilities’ .
3To conduct ‘Security Awareness Session’ to the team.
4To identify and analyze ‘Risks and Securities’ involved in the application and methods to ‘Mitigate’.
5To ‘Train the Team’ on Secure Coding Standards, Best Practices and guidelines.
6To define ‘Secure Coding Standard’
7To ensure that entire team is Enforced to Adhere to the Secure Coding Standard.
8To use ‘Easy to Implement Language’ and have ‘in-depth knowledge’ of it.
9To use IDE (Integrated Development Environment) tools
10To use ‘Static and Dynamic analyzers’ and ‘multiple Static Analyzers’ to eliminate ‘False Positives’
11To carry out ‘Manual Testing’ wherever required to identify the error, miss outs.
12To define a set of ‘Secure Coding Rules and Recommendations’
13To carryout ‘Conformance Compliance Testing’ for the set rules.
14To understand ‘Insecure method of coding’ and gather ‘Common Programming Errors’.
15To strictly follow ‘SCP Checklist’

Conclusion

We hope this tutorial will be your best guide for ensuring Software Security.

The coding guidelines for secure software development were listed here in simple terms with examples for your easy understanding of the concept.

Happy Reading!!