What is secure coding?
Secure coding is the practice of writing code securely so that the final product is protected from security vulnerabilities. While this sounds simple, it is not in reality due to various factors such as Developers knowledge on secure coding, their understanding of risk and the time available before production releases. It is also important to note that secure coding is a practice that any software should go through regardless of what it is built for. It can be Web, Mobile, embedded devices, client software and the list goes on.
Why is secure coding important?
Secure coding helps to protect the software from security vulnerabilities that can be exploited. The end goal of software security is to maintain the confidentiality, integrity, and availability of information resources in order to enable successful business operations and secure coding during software development plays a major role in accomplishing this. Specifically in web applications, following are various risks that are possible due to missing secure coding practices:
Remote Command Execution SQL Injection Cross Site Scripting Deserialization Attacks XML Injection attacks
This is not a complete list of vulnerabilities, but it is of some of the most commonly seen ones. There are several reasons such as Lack of input validation, lack of output encoding, Insecure Access Controls, Insufficient Authentication and Session Management, Insecure use of Cryptography which can lead to insecure software. While there are many insecure practices that cause these vulnerabilities, lack of input validation is one primary source of vulnerabilities in software. This can happen due to the use of insecure APIs that are inherently vulnerable or due to the programmer’s mistakes.
Benefits of secure coding
Let us understand the benefits of secure coding. Secure Software: The direct outcome of secure coding is secure software. A software developed by using secure coding practices prevents attacks in future. Depending on the use of software, vulnerabilities can lead to reputational as well as financial damage. Cost Savings: Following secure coding practices will also help organizations to save cost as it is more expensive to fix security vulnerabilities if they are found after the software is fully developed. Because of these benefits, several organizations have embraced the Secure Software Development Life Cycle process, which includes writing secure code from the initial phases of the software development process.
Insecure and Secure source code examples
In this section of the article, let us go through a piece of code that is vulnerable to SQL Injection and let us also understand how that can be fixed. Vulnerable source code example: If you observe the piece of code highlighted in the preceding excerpt, the application takes user input and concatenates it to the existing SQL query to form the final query. If you notice, there is no sanitization performed on the user input before executing the query thus leaving the application at serious risk. This piece of code is lacking fundamental input validation leading to SQL Injection. To prevent this problem, we must sanitize the user input received from the user before compiling the SQL Query. Parameterized Queries can be used to achieve this, which is shown in the following source code example. try { statement = connection.createStatement(); String query = “SELECT * FROM users where username=’”+username+”‘ AND password=’”+password+”‘”; resultSet = statement.executeQuery(query); if(resultSet.next()) { flag = true; } } catch (SQLException e) { // TODO Auto-generated catch block e.printStackTrace(); StringWriter stringWriter = new StringWriter(); PrintWriter printWriter = new PrintWriter(stringWriter); e.printStackTrace(printWriter); ServletResponse response = null; response.setContentType(“text/plain”); response.getOutputStream().print(stringWriter.toString()); } return flag; } Secure source code example: Notice the code highlighted in the preceding excerpt. This time, we are defining the SQL code that is to be executed with placeholders (?,?) for parameter values, programmatically adding the parameter values using preparedstatement.setString(), and then executing the query. try { String query = “SELECT * FROM users where username=? AND password=?“; preparedstatement = connection.prepareStatement(query); preparedstatement.setString(1,username); preparedstatement.setString(2,password); resultSet = preparedstatement.executeQuery(); if(resultSet.next()) { flag = true; } } catch (SQLException e) { // TODO Auto-generated catch block e.printStackTrace(); } return flag; } If you observe preparedstatement.setString() function arguments, we are casting the input values to string. This will prevent any injected SQL from being executed, as we are properly casting the input to the right data type. As you might have noticed in these examples, a simple developer mistake can lead to serious software security vulnerabilities. Fixing these vulnerabilities is not hard when we have access to source code but, clearly the developers must be aware of the security concepts when writing code to prevent such vulnerabilities in software.
Conclusion
It is apparent that Secure Coding should be an integral part of the software development process and organizations must embrace the practice of writing secure code from the beginning. Developers should also be aware of secure coding practices and risks an insecure software can pose to the organization.
Sources
OWASP Secure Coding Practices Quick Reference Guide – https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP Top 10 – https://owasp.org/www-project-top-ten/ CERT Top 10 Secure Coding Practices – https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices?focusedCommentId=88044413