Glossary
Secure coding is a set of practices that applies security considerations to how software is coded and encrypted, to best defend against cyber attacks and vulnerabilities. Defects, bugs, and logic flaws are the primary cause of commonly exploited software vulnerabilities, and security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. Secure coding standards introduce safeguards that reduce or eliminate the risk of leaving security vulnerabilities in code.
After a project and its requirements for both users and systems are defined, best practices and plans for secure code are determined and implemented with those requirements in mind. In the build phase of the software development lifecycle, secure coding practices combined with early-phase security measures, like static application security testing (SAST), help ensure that security programs reach across technology layers.
Secure code helps to prevent many cyber-attacks because it removes the vulnerabilities many exploits rely on. If your software has a security vulnerability, it can be exploited. The WannaCry ransomware attack of 2017 exploited a Windows protocol vulnerability.
Insecure coding practices not only leave your customers at risk, but they will impact the reputation of your company. This is why it is important to have secure code.
1. Insufficient Logging and Monitoring: Insufficient logging and monitoring processes are dangerous. This leaves your data vulnerable to tampering, extraction, or even destruction.
2. Injection Flaws: Injection flaws occur when untrusted data is sent as part of a command or query. The attack can then trick the targeted system into executing unintended commands.
3. Sensitive Data Exposure: Sensitive data — such as addresses, passwords, and account numbers — must be properly protected.
4. Using Components with Known Vulnerabilities: Components are made up of libraries, frameworks, and other software modules. Often, the components run on the same privileges as your application. If a component is vulnerable, it can be exploited by an untrustworthy agent.
5. Cross-Site Scripting (XSS): Untrustworthy agents can take advantage of cross-site scripting flaws to execute their own scripts in the targeted system.
6. Broken Authentication: Authentication and session management application functions need to be implemented correctly. If they aren't, it creates a software vulnerability that can be exploited by untrustworthy agents to gain access to personal information.
7. Broken Access Control: User restrictions must be properly enforced.
8. XML External Entities (XXE): XML is a popular data format that is used in web services, documents, and image files. You need an XML parser to understand XML data. But if the parser is poorly configured and the XML input contains a reference to an external entity, it's dangerous.
9. Security Misconfiguration: Security misconfigurations can be a result of insecure default configurations, incomplete configurations, misconfigured HTTP headers, or detailed error messages that contain sensitive information.
10. Insecure Deserialization: Deserialization flaws often result in remote code execution.
Data input validation: This covers numerous aspects of data source and data validation, for example the length and date range of a piece of data. Data validation checks help to secure web applications from cyber-attacks.
Authentication and password management: Coding also involves software architecture.
Cryptographic Practices: The guide suggests that any cryptographic modules used be compliant with FIPS 140-2 or an equivalent standard.
Error Handling and Logging: This is a crucial area, and one that can leak data if not coded securely.
Data Protection: The guidelines for the protection of data include advice on storing passwords securely and how to avoid data leaks via HTTP GET.
Communication Security: Advisories on how to protect data during transit, for example, using TLS connections.
Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform.