Enterprise Secure Coding Programme
regardless of your size.
More than ever before, we must be diligent about our Application Development practices. In today's fast-paced, highly competitive Internet environment, it is expected that your Corporate Applications not only look and feel "modern", but are also built to work on a multitude of platforms. Gone are the days when you could write an application to "work best" on Internet Explorer. Apps must present a consistent user experience across various browsers and platforms. This diversity of endpoint systems increases the potential for vulnerable code to be exposed.
Coding Securely needs to be a Corporate Culture, supported from the Top down. Every layer of employee has a role in this practice. An application built from the ground up on the principles discussed below will spend a lot less time in "vulnerability management", and a lot more time in building and releasing features.
I'm going to structure this discussion by addressing the responsibilities of each Business Role at a high level, then break each one of these down, further on.
- Adopt, Publish, and Test a Corporate Coding Best Practice
- Base your Application Development Practice on your Business Core Competencies
- Adopt an Existing Application Framework
- Adopt and support Revision Control Religiously
- Ensure that a trusted Application Testing Methodology is in place.
- Review, comment, and test the Corporate Coding Best Practice
- Develop and publish a Standard Naming Convention for Coding
- Ensure that your team is only developing to your Business Core Competencies
- Use an Existing Application Framework
- Use Revision Control Religiously
- Maintain Reusable Code Libraries
- Understand and implement Release Planning
- Do not support reinventing anything
- Support the Corporate Application Testing Methodology
- Read and understand the Corporate Coding Best Practice
- Print out the Coding Best Practice and stick it on your refrigerator door!
- Understand what your Business Core Competencies are... Write code for THAT!
- Use an Existing Application Framework
- Use Revision Control Religiously
- Do Not reinvent anything
- Participate in the trusted Application Testing Methodology
- Ensure that the Corporate Coding Best Practice is being followed
- Enforce Revision Control
- Conduct Peer Code Review
- Participate in the trusted Application Testing Methodology
- Validate Security Controls through Application Security Testing
- Adopt and manage to a Release Life Cycle
First of all, download and read the following!
(Then print it out, stick it on your fridge, and read it every morning!)
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
- Input Validation: - ensure all input in forms is type, length, and context validated.
- Output Encoding: - ensure that all output requests to your backend follow the rules
- Authentication and Password Management: - ensure corporate standards are met
- Session Management: - carefully manage, secure, and log user sessions
- Access Control: - ensure "Least Privilege Principle" is adhered to
- Cryptographic Practices: - use industry-tested and accepted standards and algorithms
- Error Handling and Logging: - ensure logs are auditable, traceable, and of high integrity
- Data Protection: - ensure sensitive data is protected both in motion and at rest.
- System Configuration: - ensure that you "harden" your application as well as the OS it resides on
- Database Security: - protect your back end. Again ensure "Least Privilege Principle" is used
- File Management: - misconfiguration in could reveal confidential information about access credentials
- Memory Management: - ensure that memory that is allocated is protected, and subsequently freed
Unless you are in the business of developing either of these... Don't.
Glad I got THAT off my chest.
Release Planning:
A software release life cycle is the sum of the phases an application goes through from its initial development, through testing, to release, and back to development for feature updates, and bug fixes.
Application Framework:
Depending on what language you are developing in, there are many existing established Application Frameworks. An application Framework is a library of software that has been developed to take care of the tedious tasks of managing input/processing/output for various target systems.
Many current frameworks use the Model-View-Controller architecture to segment and manage their application code.
An easy way to understand MVC: the model is the data, the view is the window on the screen, and the controller is the glue between the two. -- ConnellyBarnes
- Model - This is your Business Logic. Workflow, Database
- View - This is your Presentation Logic
- Controller - This is your Application Logic
Reusable Code Libraries:
Where possible, reuse functional code modules both within an application, as well as between applications. Maintain these functional modules in a library where Business Units can share and improve.
(See "Do not reinvent the wheel" Below)
- Understand the architecture of the original code to identify the components, boundaries, and interfaces
- Determine what is potentially reusable
- Estimate the time to reuse versus rebuild the components
- Make a decision on a component by component basis on what to reuse and how to reuse: no change, minor update, or major update
Application Testing Methodologies:
Any application being developed must go through a series of testing regimes and criteria to be considered ready for production. Typical testing includes:
- Usability testing - validates that an application is designed to make tasks easier
- User acceptance testing - make sure your application meets the expectations of the user
- Performance testing - does the application perform well under various loads
- Stress testing - To determine the maximum performance limits of an application
- Scalability testing - how adaptable is the application to changes in software and hardware
- Load testing - To get an idea of how the application behaves under a heavy load
- Security testing
  - Static - static testing involves doing a static code analysis to check for any vulnerabilities
  - Dynamic - run the app to see if the response is as expected for the associated request
- Functional testing - ensures that individual functions are working well
- Interface testing - ensures that individual components are connected properly
Do Not Reinvent the Wheel:
"Reinvent the Wheel Often", according to O'Reilly's 97 Things Every Programmer Should Know... Their argument is as follows:
"Reinventing the wheel is not just an exercise in where to place code constructs: It is how to get an intimate knowledge of the inner workings of various components that already exist. Do you know how memory managers work? Virtual paging? Could you implement these yourself? How about double-linked lists? Dynamic array classes? ODBC clients? Could you write a graphical user interface that works like a popular one you know and like? Can you create your own web-browser widgets? Do you know when to write a multiplexed system versus a multi-threaded one?....."

Which is great if you are coding your own project on your own time, if you are a student, or researcher, or if you are in fact reinventing code within the context of your Business Core Competencies to identify and fix a deficiency. However, if you are a paid developer, and simply want to rewrite a new framework or module because you believe you can do it better... you are not doing your Company a service. Companies work on a Time to Market mentality. By utilizing trusted existing frameworks and Open Standards, you can get your application developed, tested, and published quickly.
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
http://net.tutsplus.com/tutorials/html-css-techniques/top-15-best-practices-for-writing-super-readable-code/
Tips for Secure Session Management
OWASP: Session Management Cheat Sheet
https://www.owasp.org/index.php/Category:OWASP_CLASP_Project
W3C: Mobile Web Application Best Practices
isc2.org: Application Development Best Practices
Model View Controller explained
IBM: DeveloperWorks: Reusable Code Libraries
O'Reilly: Reinvent the Wheel Often
IBM: Developerworks: Web Application Testing
Forbes: The Key To Great Web Software Is A Consistent, Intuitive User Experience
http://www.marketingtechblog.com/html5-user-experience/
https://wiki.appcelerator.org/display/guides/Supporting+Multiple+Platforms+in+a+Single+Codebase