Secure Coding for Beginners
Secure coding is the practice of writing code which is secure and protected from vulnerabilities. Insecure code is at risk of malicious attacks which can lead to dire consequences such as loss of service, loss of sensitive data, damage to the systems of thousands of users or worse.
OWASP (the Open Web Application Security Project) documents the Top 10 most critical security risks to web applications, such as Injection, Cross-Site Scripting and Using Components with Known Vulnerabilities. Being aware of these security risks is an effective first step towards secure coding, along with the following best practices.
Secure coding should not be an afterthought
Thinking about security when planning an application can save a lot of time and trouble in the long run. An insecure web application may need extensive redesign for it to become secure if security is not built in from the start of its development.
Think about the motives of an attacker
Think about what you are building and put yourself in the mindset of a malicious cyber attacker. Think about the many hypothetical motives they may have for attacking an application — could they be looking to steal money or information, and maybe identities? Could they be motivated by corporate secrets or just the urge to demonstrate their hacking skills? Identifying the motives behind possible attacks can help to anticipate vulnerabilities which need to be addressed.
Don’t trust the user
Users are the main reason we build applications; however, we should be aware that they also have the power to break and attack an application. Four of the OWASP Top 10 critical security risks come from trusting user input too much (Injection, XML External Entities, Cross-Site Scripting, and Insecure Deserialization). A user can input malicious code that causes the application to run whatever the attacker wants to execute, for example leading to the installation of an attacker’s malware. You can safeguard against this by validating any data users input into an application, making sure that only safe, expected input is accepted and that any possibly unsafe input is rejected.
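As an added illustration (not code from the original article), here is one way to apply that rule in Python: describe what valid input looks like, reject everything else, and pass accepted values to the database as parameters. The form fields, the username and age rules and the table layout are assumptions made for the example.

```python
import re
import sqlite3

# Allowlist: describe what valid input looks like and reject everything else.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,19}")  # hypothetical username policy
AGE_RE = re.compile(r"[0-9]{1,3}")
ALLOWED_FIELDS = {"username", "age"}

class ValidationError(ValueError):
    """Raised when a submission does not match the expected shape."""

def validate_signup(form):
    """Return a cleaned copy of the form, or raise ValidationError."""
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    username, age = form.get("username"), form.get("age")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-20 characters: a-z, 0-9, _")
    if not isinstance(age, str) or not AGE_RE.fullmatch(age):
        raise ValidationError("age must be digits only")
    if not 1 <= int(age) <= 120:
        raise ValidationError("age out of range")
    return {"username": username, "age": int(age)}

def handle_signup(db, form):
    """Validate first, then store; returns (accepted, message)."""
    try:
        user = validate_signup(form)
    except ValidationError as exc:
        return False, str(exc)
    # Parameterized query: values travel as data, never as part of the SQL text.
    db.execute("INSERT INTO users (username, age) VALUES (?, ?)",
               (user["username"], user["age"]))
    return True, "created"

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, age INTEGER)")
    samples = [  # constructed submissions, not from any real system
        {"username": "alice_01", "age": "34"},                # expected shape
        {"username": "eve<script>", "age": "34"},             # markup characters
        {"username": "carol", "age": "34", "is_admin": "1"},  # extra field
        {"username": "dave", "age": "-5"},                    # sign not allowed
    ]
    accepted = [handle_signup(db, s)[0] for s in samples]
    stored = [row[0] for row in db.execute("SELECT username FROM users")]
    return accepted, stored
if __name__ == "__main__":
    print(demo())
```

Only the first submission reaches the database; the other three are rejected before any query runs.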
Cryptography, done well, is your friend
Cryptographic processes help to protect data stored in web applications. If cryptography is done poorly, attackers can work out the methods used with ease and get to your data; if it is done well, it is an extremely strong step in protecting stored data. Make sure you adhere to cryptography best practices, such as using known good algorithms and encrypting data at rest and in transit.
Understand that every web application is at risk
Attackers are constantly on the hunt for new vulnerabilities and writing code to exploit them. Invest time in understanding and protecting against the vulnerabilities in your web application, and stay alert.