Secure Coding

Secure coding, also referred to as secure programming, involves writing code in a high-level language that follows strict principles, with the goal of preventing potential vulnerabilities which could expose data or cause harm within a targeted system. Secure coding is more than just writing, compiling, and releasing code into applications. To fully embrace secure programming, you also need to create a secure development environment built on a reliable and secure IT infrastructure using secure hardware, software, services, and providers

Secure Coding Practices

  • Validate input: input from all untrusted data sources should be Validated. Proper input validation can eliminate the majority of software vulnerabilities. External data sources, including command line arguments, network interfaces, environmental variables, and user-controlled files should be handled with caution

  • Heed compiler warnings: Code should be compiled with highest warning level available. Static and dynamic analysis tools should be used to detect and eliminate additional security flaws.

  • Architect and design for security policies: Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set.

  • Keep it simple: Keep the design as simple and small as possible. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Also, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.

  • Default deny: Base access decisions on permission rather than exclusion. This means that, by default, access is denied, and the protection scheme identifies conditions under which access is permitted 

  • Adhere to the principle of least privilege: Every process should execute with the least set of privileges necessary to complete the job. Any elevated permission should only be accessed for the least amount of time required to complete the privileged task. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges.

  • Practice defense in depth: Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. 

  • Use effective quality assurance techniques: Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Fuzz testing, penetration testing, and source code audits should all be incorporated as part of an effective quality assurance program.

  • Adopt a secure coding standard: Develop and/or apply a secure coding standard for your target development language and platform.

Comments

Post a Comment

Popular posts from this blog

 Change Management System Reference Link According to the PMBOK Guide 6th edition, Change Control is focused on identifying, documenting and controlling changes to the project and the project baselines. In the change management system, you manage the changes related to the project scope, planning, and baselines. For example, you run out of money, and you need additional funding to complete the project, therefore, you will raise a change request for additional funds. Or you may not be able to complete your project within the specified time and require a time extension. In the change management system, the change request is analyzed for any possible impact on any other project objectives. Afterwards, the request is either approved or rejected. To minimize disruption, a change management system must ensure that all parameters are identified and analyzed for any possible impact. If the change request is approved, you will update the concerned baseline, update the project documents, and inf
Read more
Kevin Mitnick Kevin Mitnick is the world's authority on hacking, social engineering, and security awareness training. In fact, the world's most used computer-based end-user security awareness training suite bears his name. Kevin's keynote presentations are one part magic show, one part education, and all parts entertaining. His exposition on having a big catch with the right bait in fishing is interesting. He said, "all a hacker needs is a clever backstory and a little deceit to turn your employees into suckerfish". He uses live demonstrations to illustrate how cyber criminals take advantage of your employee’s trust through the art of social engineering. Remote employees are being caught in malicious social engineering nets. Knowing all-too-well that many companies aren’t taking proper security measures and that employees are distracted while working from home, bad actors posing as trusted sources are tricking your staff into clicking infected links and sharing pr
Read more
OVERVIEW OF PCI SSC DATA SECURITY STANDARDS Reference link In an effort to enhance payment card data security, the PCI Security Standards Council (SSC) provides comprehensive standards and supporting materials, which include specification frameworks, tools, measurements, and support resources to help organizations ensure the security of cardholder information at all times. The PCI DSS is the cornerstone of the council, as it provides the necessary framework for developing a complete payment card data security process that encompasses prevention, detection, and appropriate reaction to security incidents. Tools and Resources Available from PCI SSC: Self-Assessment Questionnaires to assist organizations in validating their PCI DSS compliance. PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices. Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors
Read more