For organizations more focused on meeting deadlines and ensuring proper functionality, software security is often an afterthought during the development process. Nonetheless, development can be one of the best places to improve an organization’s overall security, especially considering that application vulnerabilities were named as the third greatest security threat facing organizations each of the last two years in an annual InformationWeek security survey.
“In general, addressing the overall security of an application is best left in the hands of a developer,” information security expert Randy George wrote in a recent Dark Reading report. “Yes,Web security proxies and other network security tools will filter out potentially damaging attacks, but these tools are not bulletproof. Developers must make sure that their applications are as close to unhackable as possible when, invariably, an attacker does make it past other defenses.”
Although in many cases the answer for building in better security would be to give developers more time and money, this is not always realistic. At the very least, however, coders can implement some methods to shore up security, including some checks mentioned in George’s report. Seven helpful methods include:
1. Apply a secure coding standard: In a software security guide for SANS, CERT’s Robert Seacord noted that organizations should come up with and adopt a standard for security in their target development language and platform. Whether that standard involves running static analysis checks when new lines are added to a code base, enforcing peer review standards or simply mandating some of the checks on this list, requiring such an approach sets up developers to follow basic security practices at all times.
2. Validate all user inputs: Many injection flaws can be prevented simply by ensuring that the type of information users can input does not stray outside the expected value types. By throwing out non-integer inputs for fields where the only expected inputs are integers, for instance, developers can keep malicious code at bay, George wrote.
3. Avoid dynamic SQL queries when possible: Any database query that accepts and concatenates user input introduces the risk of a vulnerability into an application, George noted. While dynamic queries are not inherently unsafe, it can be difficult to properly sanitize the input to avoid exploits. Rather than designing applications to parse and execute queries on the fly, then, developers should strive to use prepared statements with parameters and strong input validation.
4. Follow the principle of least privilege – really: This rule is commonly cited but rarely rigorously enforced, according to George. In many cases, developers will create a single “super-user” account with full back-end database access to simplify testing and development. Doing so, however, delays one of the most important security decisions and often leaves a risky feature enabled even after release. Instead, developers should think about the specific database operations that users will need to execute.
“Create multiple accounts that have just enough rights to execute whatever stored procedures or parameterized queries are required by your application logic and user/customer needs,” George wrote.
5. Use small, simple design: The software architecture should be security-oriented, and it should include as few places to exploit as possible, Seacord noted. Developers should reduce the overall attack surface by using code refactoring tools to eliminate redundancies and unused or obsolete portions of the code base.
6. Pay attention to automated warnings: Many developers can become inured to the white noise of warnings issued by their compilers or static analysis software, especially on mature projects where warnings may have been accumulating and being dismissed for years. In some cases, these warnings only catch minor slips that have no actual effect on the code’s execution, but often they signal real bugs. Rather than ignoring these warnings, developers should turn them to the highest sensitivity, both Seacord and George suggested. Teams that can then eliminate all these warnings will not only have more assurance of safety but make it easier to locate new problems as more features are added.
7. Employ effective quality assurance: Whether in the form of peer code review, automated fuzz testing or manual user testing, taking the time to expose code to some rigorous circumstances and unexpected inputs helps catch errors and find flaws that may not have been apparent just from line-by-line checks. By making secure development a holistic process, organizations can safeguard applications from end to end.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.