
10 Best Practices for Secure Coding

Written by OSAblog on Friday, June 19th, 2009

To ensure that you build and deploy the most secure software possible, Orthus recommends the following best practices for secure coding:  

 

1. Validate user input

 

Never assume that input from HTML forms is valid.  Just because you gave the user only hidden fields or pull-down menus, or you had JavaScript to validate every input, does not guarantee the input will not be tampered with.  A hacker with a simple local Web proxy can change anything they want after the JavaScript executes.

 

Verify that all input from the user contains valid characters and represents a valid value before using that value in your application.  Check it early in the processing of the request to avoid accidental use before the validation is done.  Also, check it at multiple levels (see defence-in-depth, later).  Be restrictive.  You can always ease up on the restrictions.  It’s harder to tighten up the validation rules later, as you may have already stored user data that would no longer be valid.
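The following is an added example, not code from the article or from Orthus, showing what allow-list validation of a form looks like in practice: every field is checked against the server's own rules before any of it is used, the pull-down value is re-checked against a server-side list (the browser's list proves nothing), and the rules are deliberately restrictive. The form fields, the country list and the limits are constructed for the example.

```python
import re

# Constructed server-side allow-list: the only values the country pull-down
# is supposed to offer. The browser's copy of this list is not trusted.
ALLOWED_COUNTRIES = {"GB", "US", "DE"}

# Restrictive on purpose: it is easier to relax this later than to tighten it
# once data that would no longer pass has already been stored.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only, not str.isdigit()


class ValidationError(ValueError):
    """Raised as soon as a request field fails validation."""


def validate_username(raw):
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username: invalid characters or length")
    return raw


def validate_country(raw):
    # A pull-down in the browser does not stop a client from sending any value.
    if raw not in ALLOWED_COUNTRIES:
        raise ValidationError("country: not an allowed value")
    return raw


def validate_quantity(raw):
    # Check the characters first, then the value, and return the typed result.
    if not isinstance(raw, str) or not QUANTITY_RE.fullmatch(raw):
        raise ValidationError("quantity: not a small non-negative integer")
    qty = int(raw)
    if not 1 <= qty <= 100:
        raise ValidationError("quantity: out of range")
    return qty


CHECKS = (
    ("username", validate_username),
    ("country", validate_country),
    ("quantity", validate_quantity),
)


def validate_order_form(form):
    """Validate every field early, before any of them is used.

    Returns (clean_values, []) on success or (None, [error, ...]) on failure,
    so nothing downstream ever receives raw form values.
    """
    clean, errors = {}, []
    for field, check in CHECKS:
        try:
            clean[field] = check(form.get(field))
        except ValidationError as exc:
            errors.append(str(exc))
    return (clean, []) if not errors else (None, errors)


if __name__ == "__main__":
    # Constructed requests: one honest, one with a tampered pull-down value.
    print(validate_order_form({"username": "alice_01", "country": "GB", "quantity": "3"}))
    print(validate_order_form({"username": "alice_01", "country": "ZZ", "quantity": "3"}))
```

The same checks can be called again from a lower layer (the data-access code, say) to get the defence-in-depth the article asks for in point 5.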

 

2. Escape input values

 

Implementing any code that creates file paths, HTML, SQL statements or other strings that another subsystem parses requires care.  User input may contain characters that allow a hacker to cause your application to pass invalid strings to those subsystems that result in unauthorized access.

 

Unless you disallow all special characters in your input validation, you will need to make sure you properly escape, or in some other way account for, special characters in the target subsystem (see the documentation for the subsystem in question for definitive escape requirements).  For example,

 

  • in inputs used to calculate file paths: /, . or ..
  • in strings used to calculate or display HTML: >, <, ", &
  • in strings used to calculate SQL statements: ', "

 

Many runtime environments already provide functions to escape these inputs.  Use techniques like parameter substitutions in the database interface rather than building up query strings using concatenation.  Leverage this and other layers of protection that system components provide.
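As an added example (not the article's or Orthus's own code), here are the three subsystems from the list above handled with the escaping and parameter substitution the runtime already provides: html.escape for HTML, a containment check for file paths, and a parameterised query for SQL, shown next to the concatenated query it replaces so the difference in behaviour is visible. The document root, table and rows are constructed for the example; no real files are touched.

```python
import html
import os
import sqlite3

# Constructed document root for the path example.
DOC_ROOT = "/var/www/app/files"


def render_comment(text):
    """HTML: escape before embedding user text; > < " & become entities."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def resolve_user_path(doc_root, user_name):
    """File paths: return an absolute path under doc_root, or None if the
    user-supplied name (via .., an absolute path, or a sibling name such as
    files2) would land outside it. normpath does not follow symlinks; on a
    live tree use os.path.realpath for both sides of the comparison."""
    root = os.path.normpath(doc_root)
    candidate = os.path.normpath(os.path.join(root, user_name))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def find_user_unsafe(conn, name):
    """SQL built by concatenation: quotes in `name` become SQL syntax."""
    return conn.execute("SELECT id, name FROM users WHERE name = '" + name + "'").fetchone()


def find_user(conn, name):
    """SQL with parameter substitution: the driver passes `name` as a value,
    so quotes in it are data, never syntax."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchone()


def demo_db():
    # Constructed in-memory table with two rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    print(render_comment('<b>hi</b> & "bye"'))
    print(resolve_user_path(DOC_ROOT, "report.txt"), resolve_user_path(DOC_ROOT, "../../etc/passwd"))
    db = demo_db()
    odd_name = "' OR '1'='1"            # a value that is no user's name
    print(find_user_unsafe(db, odd_name))  # concatenation returns a row anyway
    print(find_user(db, odd_name))         # substitution returns None
```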

 

3. Fail Safe

 

When making decisions that affect security, it is important to write code to deny access by default.  Only allow access after confirmation that the user has proper authorization to proceed.  Also, avoid the use of negatives.  It is too easy to get the sense of logic wrong.  The code above would be clearer if the local variable reflected the same sense as that of the method being implemented.
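Here is an added example (not from the article or Orthus) of an access check written the way the paragraph describes: the function has a positive-sense name, its local result variable has the same sense and starts out false, every early exit is a denial, and a failure inside the check itself also denies. The role table, the User class and the resource names are constructed for the example.

```python
# Constructed access-control list: resource -> roles allowed to read it.
READ_GRANTS = {
    "distributors": {"sales", "admin"},
    "employees": {"hr", "admin"},
}


class User:
    def __init__(self, name, roles, active=True):
        self.name = name
        self.roles = set(roles)
        self.active = active


def can_read(user, resource, grants=READ_GRANTS):
    """Positive-sense name, deny-by-default body.

    `allowed` carries the same sense as the function name and starts as False;
    it only becomes True after every condition is positively confirmed. Nothing
    here is phrased as "not denied", which is where the logic tends to flip.
    """
    allowed = False
    if user is None or not user.active:
        return allowed
    roles_for_resource = grants.get(resource)
    if roles_for_resource is None:        # unknown resource: nothing is granted
        return allowed
    if user.roles & roles_for_resource:   # explicit grant found
        allowed = True
    return allowed


def authorize_read(user, resource, grants=READ_GRANTS):
    """Fail safe: if the decision itself blows up (bad data, broken lookup),
    the answer is deny, never an exception that a caller might swallow."""
    try:
        return bool(can_read(user, resource, grants))
    except Exception:
        return False


if __name__ == "__main__":
    sales = User("ann", ["sales"])
    print(can_read(sales, "distributors"), can_read(sales, "employees"))  # True False
    print(authorize_read(sales, "employees", grants=None))                # False
```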

 

4. Treat sensitive security information with care

 

Be mindful of the type of information being handled.  If the information is sensitive, take special care in the code that handles it.  Breaches that reveal information such as passwords, PINs and personal data can be disastrous.

 

Make sure this information is only stored in appropriate locations.  For instance, never write to an application or system log any of the user’s personal information (password, SSN, credit card numbers, etc.), as these logs may be readable by operational personnel who should not have access to that personal information.  Write only enough information about the user to identify within the application which user made the request.

 

Encrypt the sensitive data stored on mass storage.  Storing clear-text passwords in a database, for instance, means that a hacker who simply gains read access may have all the keys to the kingdom.

 

Only store the hashed copy of the password and use this to compare with the hashed user input (these values should also be salted to increase the work required for a dictionary attack).

 

Inevitably, there are clear-text copies of the user input in memory, often on the heap long after the code runs, and maybe on the paging file of the operating system.  Keep the length of the code path used to process the clear-text password as short as possible.  Also, clear the contents of this local memory storage within the same block as the declaration of that storage.  This will help keep the clear-text passwords off the stack and heap.
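The three password rules above (store only a salted hash, compare against the hash of the input, keep the clear-text path short and wipe the buffer in the block that declared it) as an added example; this is not the article's or Orthus's code. It uses PBKDF2-HMAC-SHA256 from the standard library with a per-password random salt and a constant-time comparison; the iteration count and the record format are choices made for the example. The wipe is best effort in Python: the bytearray is zeroed in place, but any immutable bytes copy the web framework handed in remains until garbage-collected, which is why the clear-text path is kept to a single short function.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000          # chosen for the example; tune to your hardware
ALGORITHM = "pbkdf2_sha256"


def hash_password(password):
    """password: a bytearray. Returns 'algo$iterations$salt_hex$digest_hex'.
    The clear text is never stored; a fresh salt defeats precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return "%s$%d$%s$%s" % (ALGORITHM, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash of the user input with the stored salt and compare
    the digests in constant time. Any malformed record verifies as False."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def wipe(buf):
    """Overwrite a mutable buffer in place; returns it so callers can check."""
    for i in range(len(buf)):
        buf[i] = 0
    return buf


def handle_login(form_password, stored):
    """The only function that touches the clear text. The mutable copy is
    declared and wiped in this same block, whatever path the code takes."""
    buf = bytearray(form_password)
    try:
        return verify_password(buf, stored)
    finally:
        wipe(buf)


if __name__ == "__main__":
    record = hash_password(bytearray(b"correct horse battery"))   # constructed
    print(record)
    print(handle_login(b"correct horse battery", record), handle_login(b"wrong", record))
```

Log the outcome and the user identifier from handle_login's caller, never the password or the buffer contents, in line with the logging rule above.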

 

5. Practice defence-in-depth

 

Protect your application in multiple ways.  Do input validation with the tools the application environment provides.  In addition, write your code to assume the input validation might fail.  This costs little in terms of code or performance, but makes the code more robust in the face of failure.

 

6. Minimise error message information

 

Provide intelligible, useful error messages to your users, but keep the details in the log file.  For example, users don’t need to know about database operations or details of the errors encountered.  A safer approach is to tell the user something went wrong, but only provide the details in the log.
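An added example of that split (not code from the article or Orthus): the user receives a short message and a reference id, while the exception detail is written only to the server-side log under the same id so operations staff can find it. The table, the logger setup and the message wording are constructed for the example.

```python
import io
import logging
import sqlite3
import uuid

# Constructed log sink so the example is self-contained; in production this is
# the application log file, which users never see.
log_stream = io.StringIO()
log = logging.getLogger("app")
log.setLevel(logging.ERROR)
log.addHandler(logging.StreamHandler(log_stream))


def load_order(conn, order_id):
    """Returns (payload, user_message). payload is a dict or None; user_message
    is None on success or a generic text with a reference id on failure."""
    try:
        row = conn.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()
        return ({"total": row[0]} if row else None), None
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail goes to the log only: exception type, message, the input.
        log.error("ref=%s order_id=%r %s: %s", ref, order_id, type(exc).__name__, exc)
        return None, "Sorry, something went wrong. Reference: %s" % ref


def demo_conn(with_table):
    # Constructed: either a working schema or a deliberately missing table.
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total INTEGER)")
        conn.execute("INSERT INTO orders VALUES (1, 42)")
    return conn


if __name__ == "__main__":
    print(load_order(demo_conn(True), 1))
    print(load_order(demo_conn(False), 1))   # user text only
    print(log_stream.getvalue())            # what the log file got
```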

 

7. Good comments

 

Good comments in code are a major help in maintaining code – if they help make the code clearer.  Many developers know they should add comments and so they take the easy way out and add comments saying what the code does.  The code is right there. Readers can see what it does – these comments are not what they need.  Tell them why decisions are being made the way they are.  Help the reader understand the code.

 

8. Study patterns

 

When reviewing code, you can often find logic errors that may affect security by watching for patterns in the source code and looking for exceptions to those patterns. For instance, in the following code:

 

enum { CASE_1 = 1, CASE_2, CASE_3, CASE_4, CASE_5 };
enum { VALUE_0 = 0, VALUE_1, VALUE_2, VALUE_3, VALUE_4 };

int map_result(int result)
{
    if (result == CASE_1) return(VALUE_1);
    else if (result == CASE_2) return(VALUE_2);
    else if (result == CASE_3) return(VALUE_3);
    else if (result == CASE_4) return(VALUE_4);
    else if (result == CASE_5) return(VALUE_2);
    /* otherwise we're good to go with the default */
    return (VALUE_0);
}

 

The next-to-last return statement looks suspicious. It could be a cut and paste error. It could be a logic error and cause the return value to mislead the caller into providing access to something that should be denied – e.g., a list of employees rather than a list of distributors.
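The pattern check above can be mechanised. The following is an added example, not from the article or Orthus, of a small review aid: it scans an if/else-if chain of the shape shown, records which case maps to which return value, and reports any value returned from more than one branch. The sample input is the article's snippet, embedded as a constructed string; the regular expression only understands that one shape of chain.

```python
import re
from collections import defaultdict

# Matches lines of the form:  [else] if (var == CASE_X) return(VALUE_Y);
BRANCH_RE = re.compile(r"""
    ^\s*(?:else\s+)?if\s*\(\s*(\w+)\s*==\s*(\w+)\s*\)\s*   # if (var == CASE)
    return\s*\(?\s*(\w+)\s*\)?\s*;                          # return(VALUE);
""", re.VERBOSE)

# Constructed input: the chain from the article.
SAMPLE = """
if (result == CASE_1) return(VALUE_1);
else if (result == CASE_2) return(VALUE_2);
else if (result == CASE_3) return(VALUE_3);
else if (result == CASE_4) return(VALUE_4);
else if (result == CASE_5) return(VALUE_2);
/* otherwise we're good to go with the default */
return (VALUE_0);
"""


def find_repeated_returns(source):
    """Return {value: [case, ...]} for every value returned by more than one
    branch of the chain. The default return outside the chain is ignored."""
    cases_by_value = defaultdict(list)
    for line in source.splitlines():
        match = BRANCH_RE.match(line)
        if match:
            _var, case, value = match.groups()
            cases_by_value[value].append(case)
    return {value: cases for value, cases in cases_by_value.items() if len(cases) > 1}


if __name__ == "__main__":
    for value, cases in find_repeated_returns(SAMPLE).items():
        print("review: %s is returned for %s" % (value, " and ".join(cases)))
```

A hit is not proof of a bug; two cases may legitimately share a result. It is a prompt to check that the sharing was intended, which is exactly the question a reviewer would ask.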

 

9. Have someone review your code

 

Find someone else to review your code and offer to reciprocate.  Having someone else read through your code almost always results in them asking you questions.  The ‘what if?’ and ‘why that way?’ questions make you think about and justify your choices outside the more solitary activity of writing the code.  This change in context provides an opportunity to step back and take a fresh look at your work.

 

10. Study defects

 

When a security-related defect is found in your code, try to understand the cause.  Study the defect and try to determine how you would have done things differently.  When another developer makes the change, understand the changes that they made – maybe there’s another way to fix it other than what you chose.  Over time you’ll be able to recognize the patterns of these defects and generalize the solutions. Part of what you should strive for is to not make the same mistake. Learn from your mistakes and the mistakes of others.

Sean Bennett is Commercial Director at Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face. Orthus provides end-to-end services for clients to comprehensively address risk in their environments, including Insider Threats, addressing issues including data leakage, sabotage and fraud; External Threats (http://www.orthus.com/dr_overview.htm) including wireless security, penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats including securing cloud services and data processed by third parties; and Legal and Regulatory challenges including Payment Card Industry (PCI) Data Security Standard (DSS).

Article Source:http://www.articlesbase.com/security-articles/10-best-practices-for-secure-coding-981947.html
