Secure coding

Secure coding is the practice of developing software so that programs are guarded against security vulnerabilities and are resistant to malicious attacks, from program design through implementation. It is about writing code that is inherently secure, as opposed to treating security as a layer that is added on later.

The philosophies behind secure coding include the following:

  • Security is an aspect to be considered right from the design and development of a program or application; it is not an afterthought.
  • Security requirements should be identified early in the development cycle, and these should be propagated to subsequent stages of development of the system to make sure that compliance is maintained.
  • Use threat modeling to anticipate security threats to the system from the beginning. Threat modeling involves the following:
    1. Identifying important assets (code/data)
    2. Decomposing the application into components
    3. Identifying and categorizing threats to each asset or component
    4. Ranking the threats based on an established risk model
    5. Developing threat mitigation strategies

The practice or strategies of secure coding include the following main tasks:

  1. Definition of areas of interest of the application: Identify important assets in code/data of the application which are critical and need to be secured.
  2. Analysis of software architecture: Analyze the software architecture for obvious security flaws. Secure interaction between components in order to help ensure data confidentiality and integrity. Ensure confidential data is protected via proper authentication and authorization techniques. Ensure availability is built into the architecture from the ground up.
  3. Review of implementation details: Review the code using secure coding techniques. Ensure peer review is done with a view to finding security holes. Provide feedback to the developer and make sure the required changes are made.
  4. Verification of logic and syntax: Review code logic and syntax to ensure there are no obvious loopholes in the implementation. Make sure programming is done in keeping with commonly available secure coding guidelines for the programming language/platform.
  5. Whitebox/Unit Testing: The developer unit-tests the code with security tests in addition to tests that verify functionality. Mock data and/or APIs can be used to virtualize third-party data/APIs required for testing.
  6. Blackbox Testing: The application is tested by an experienced QA engineer who looks for security loopholes such as unauthorized access to data, pathways accidentally exposing code and/or data, weak passwords or hashes, etc. The testing reports are fed back to the stakeholders, including the architect, to make sure the loopholes identified are fixed.
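
The whitebox testing step above, as an added example that is not part of the original text: security tests sit beside a functional test, and a mock stands in for the third-party API. The function fetch_report, the client methods get_metadata and get_body, and all sample data are hypothetical.

```python
from unittest import mock

class AccessDenied(Exception):
    """Raised when the caller may not read the requested report."""

def fetch_report(user, report_id, client):
    """Code under test (hypothetical): return a report only to permitted users."""
    # Reject malformed ids before they reach the third-party API.
    if not isinstance(report_id, str) or not report_id.isalnum():
        raise ValueError("invalid report id")
    meta = client.get_metadata(report_id)
    # Fail closed: a missing owner or reader list grants nobody access.
    allowed = (set(meta.get("readers", [])) | {meta.get("owner")}) - {None}
    if user not in allowed:
        raise AccessDenied(user)
    return client.get_body(report_id)

def fake_client(meta):
    """Mock standing in for the third-party API, fed constructed data."""
    client = mock.Mock()
    client.get_metadata.return_value = meta
    client.get_body.return_value = "Q3 numbers"
    return client

def attempt(user, report_id, meta):
    """Run one call; return (outcome, metadata_fetched, body_fetched)."""
    client = fake_client(meta)
    try:
        outcome = fetch_report(user, report_id, client)
    except (AccessDenied, ValueError) as exc:
        outcome = type(exc).__name__
    return outcome, client.get_metadata.called, client.get_body.called

META = {"owner": "alice", "readers": ["bob"]}  # constructed sample data

def run_tests():
    # Functional test: a permitted reader gets the body.
    assert attempt("bob", "r42", META) == ("Q3 numbers", True, True)
    # Security test: a stranger is denied and the body is never requested.
    assert attempt("mallory", "r42", META) == ("AccessDenied", True, False)
    # Security test: a malformed id is rejected before any API call.
    assert attempt("alice", "../r42", META) == ("ValueError", False, False)
    # Security test: empty metadata from the API denies access (fail closed).
    assert attempt("alice", "r42", {}) == ("AccessDenied", True, False)
    return True

if __name__ == "__main__":
    print("all tests passed:", run_tests())
```

Asserting on which mock methods were called checks not only that access is denied but that the protected data was never requested in the first place.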