The increase in cyberattacks has shown us that, when it comes to developing quality software, secure coding skills are no longer optional. Application security (AppSec) is now a necessity to everyday developer workflows, from the way code is written to the steps you take to monitor that code. All of this has a major impact on the safety of your applications, your organization’s business goals, and working to create more innovative offerings for your customers.
In this two-part series, we’re bringing you secure coding best practices and practical tips that you can lean on when integrating security into development. Based on OWASP Top 10 Proactive Controls, this content provides an overview of each control with coding examples and actionable advice so that you can set out on the path to creating more secure software.
Tip 1: Verify for security early, and often.
It used to be standard practice for the security team to do security testing near the end of a project and then hand the results over to developers for remediation. But tackling a laundry list of fixes just before the application is scheduled to go to production isn’t acceptable these days. In fact, it dramatically increases the risk of a breach; the Verizon 2020 Data Breach Investigations Report (DBIR) found that web applications were the source of over 43 percent of breaches, which is more than double the amount in 2019.
In order to verify your security early and often, you need the tools and processes for manual and automated testing during coding – it must be iterative.
Security tips
Tip 2: Implement identity and authentication controls.
You can avoid security breaches by confirming user identity up front and building strong authentication controls into code and systems. These controls must extend beyond a basic username and password. You’ll want to include both session management and identity management controls to provide the highest level of protection.
Security tips
Tip 3: Parameterize queries.
SQL injection is one of the most dangerous application risks, partly because attackers can use automated attack tools to exploit these common vulnerabilities. In August of 2020, the company Freepik suffered a SQL injection attack in which emails and passwords for 8.3 million users were stolen. You can control this risk using query parameterization. This type of query specifies placeholders for parameters, so the database will always treat them as data, rather than as part of a SQL command. You can use prepared statements, and a growing number of frameworks, including Rails, Django, and Node.js, use object relational mappers to abstract communication with a database.
Security tips
Tip 4: Encode your data.
Encoding translates potentially dangerous special characters into an equivalent form that renders the threat ineffective. This technique is applicable for a variety of platforms and injection methods, including UNIX command encoding, Windows command encoding, and Cross-Site Scripting (XSS). Encoding addresses the three main classes of XSS: persistent, reflected, and DOM-based.
Security tips
Tip 5: Validate all inputs.
It's vitally important to ensure that all data is syntactically and semantically valid as it arrives and enters a system. As you approach the task, assume that all data and variables can’t be trusted, and provide security controls regardless of the source of that data. Ensure that inputs not only include the correct number of characters or digits, but that they have actual meaning and are valid for the interaction or transaction. Allowlisting is the recommended validation method wherever possible.
Security tips
Ready to test your skills?
Educational training tools that allow you to exploit and patch the flaws you face daily are critical to expanding your know-how and improving the security of your code. Veracode Security Labs offers the courses you need to create more secure applications, with real-world examples and hands-on-keyboard training that helps you apply new skills immediately. Even better: Security Labs Community Edition is a complimentary option for developers like you who are looking to gain authentic experience that you can use on the job.
Stay tuned for the second part of our series with more secure coding tips and best practices!