In recent years we have seen rapid technological and software advances. They have ushered in an age of asymmetric cyber attacks and a fast-paced, ever-changing threat landscape. The ever-increasing use of the internet as a business and social tool has created demand for applications and software to be developed at the speed of thought.
However, most of the applications and software being developed are vulnerable to all sorts of attacks and threats because of the poor software security development procedures and culture applied by the programmers. This has proven costly for organisations the world over: for example, when poorly developed and insecure systems are put into production and are hacked (reputation and financial costs), or when extra costs are incurred through project rework (re-designing/re-programming the system).
Before we go any further, every developer should understand the tao of securing their end product, i.e. the security, reliability, integrity and safety of any application must be built in from the early stages of the development lifecycle. Security seems to be an afterthought for most organisations (and hence for their developers), mainly due to the lack of secure software development policies and of training for the developers. The driving force behind a culture of effective secure development practices is educating those involved in the software development lifecycle.
Vulnerabilities in software that are introduced by mistake or poor security practices are a serious problem today. Here are some quotes expressing the level of concern:
“Our universities are letting us down.” In the vast majority of universities, developers are taught that the highest-value principles for good software are functionality and performance; security, if taught at all, is characterised as an “optional” principle that runs a distant third in importance behind functionality and performance, or it is marginalised as applicable only in specialty software written for cryptosystems and network security protocols. (Brian Cohen, Security in the Software Lifecycle)
“However, delegates were told that much of the problem with online security lies with poorly written software.
“The real problem is that we’re putting software on the market that is as vulnerable as it was 20 years ago,” said Cristine Hoepers, general manager of the Brazilian National Computer Emergency Response Team.
“If you see the vulnerabilities that are being exploited today, they are still the same. Universities are not teaching students to think about that. We need to change the workforce. We need to go to the universities. We need to start educating our…” (International Telecommunication Union conference, 2009)
“Secure software development requires a combination of knowledge, basic skills and practice so that defending applications through secure coding is done instinctively.” (Microsoft SDL)
The forgotten principles:
The tao and basic philosophy of secure coding/programming practices focuses on easy, reusable and repeatable coding techniques. These techniques are basic and do not require developers to become security experts. Instead, the approach focuses on using the right tools, standards, techniques and principles to guide developers to create secure applications that can be efficiently implemented and maintained, and that withstand attack.
Most developers lack the know-how to recognise and understand the security implications of how they specify and design software, write code, integrate and assemble components, test, package, distribute and maintain software. To gain that knowledge they need to be trained and equipped with the right skills, practices and techniques so that they do these things more securely.
Security Training Basics for Developers:
Secure software development training should target all staff involved in the development lifecycle: senior staff members, business analysts, system analysts/administrators, programmers, testers, etc. The training is independent of the language used. It does not matter if you are an old-dog developer (BASIC, VB6, LISP, COBOL, C) or a new-age kiddo (Java, .NET, Ajax, PHP… you name it).
The training program should include at least the following topics:
- Security basics, understanding the problem (integrating security into the SDLC);
- Fundamentals of risk management/software assurance;
- Threat modelling (designers, program managers, architects, testers, business analysts);
- Secure design/architecture principles (designers, program managers, architects, testers);
- Implementing threat mitigations (developers);
- Fuzz testing (testers);
- Security code reviews and penetration testing (developers, testers);
- Cryptography basics (all personnel involved in software development);
- Defensive programming (the basics);
- Critiquing programs and documentation;
- Technical and functional specifications (security components);
- Authentication strategies (trust boundary rules).
What wise developers watch for:
Developers should endeavour to ensure that all code is secure, and should be aware of the secure coding practices that minimise the risks associated with the following common programming mistakes:
- Input Validation
- Improper Encoding or Escaping output
- SQL Injection
- OS Command Injection
- Clear text Transmission of Sensitive Information
- Race Condition
- Error Message Information Leak
- Memory Buffer Overflows
- Resource Shutdown or Release Risks
- Improper Initialisation
- Improper Access Control (Authorisation)
- Hard-Coded Password
- Code Comments
I have had my fair share of developing applications (shhhhhhh) with little or no security considerations (that was back then, years ago, before I ventured into security) and now I see things differently… from a security perspective, of course.
The responsibility is with both the organisations and developers to foster a culture of secure development practices. Organisations should provide the policies and resources whilst the developers should endeavour to learn and implement security techniques at all the stages of the development life cycle.
Finally, if secure development standards and baselines are followed and implemented properly throughout the development stages, they can help reduce the overall chances of developing and deploying insecure systems/applications and thus protect the organisation's critical applications.
Defensive programming teaches developers how to look for hidden assumptions in their programs, and how to defend against attempts to exploit those assumptions to cause their programs to behave in unexpected or undesirable ways.