Published in The Startup

Photo by Shane Avery on Unsplash

Six musts for building secure software

As a software developer at Nucleus Security, I completed the Building Secure Software Series training provided by KnowBe4.

Developers are the first line of defense when it comes to cybersecurity. Our awareness of, and ability to apply, secure programming practices gives a software application a foundation that is resilient to attack by malicious actors.

There is no shortage of reports in the mainstream media on the frequency and impact of successful cyber attacks. We all know that they can have very expensive consequences for organizations large and small, so I won’t spend any time on that here.

The good news is that you can build secure software by following these essential practices that I learned from the training.

1 — Follow a secure code review process

Building secure software starts with a proven process that supports it. Three keys to an effective process are to a) leverage automated tests wherever possible; b) conduct static code reviews; c) scan for vulnerabilities in code and dependencies.

2 — Choose the right libraries and frameworks

Using libraries and frameworks in production applications that are unmaintained or out of date is asking for a security incident. When selecting libraries or frameworks for your application, trust only those that are battle-tested and have strong ecosystems, community, and support. On sites like GitHub, you can easily see which repositories do and do not meet these criteria.

[Screenshot: the Ruby on Rails repository on GitHub]

3 — Shield your database

The last thing you want is someone with bad intentions negatively affecting your database. Four ways to prevent this are to a) secure your database queries with parameterization; b) use a checklist like the ones available on OWASP’s website to set up your DB configuration securely; c) protect database authentication with proven patterns and credentials that stay secret; and d) use secure protocols like SSL so no one can eavesdrop on communications.

Here’s some sample Ruby code from OWASP’s Query Parameterization Cheat Sheet that uses the ActiveRecord library to parameterize queries:

[Code screenshot: Ruby ActiveRecord parameterized query from the cheat sheet, not reproduced here]
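The OWASP snippet referenced above is Ruby/ActiveRecord. What follows is an added example, not from the article or the cheat sheet, that shows the same idea with Python’s standard-library sqlite3 module: a string-built query next to a parameterized one, run against a constructed in-memory users table. Table contents and names are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable on purpose: the caller-supplied value is spliced into the SQL
    # text, so quote characters inside it change the meaning of the statement.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Parameterized: the SQL text is fixed at development time and the value is
    # handed to the driver separately as a bind parameter. Whatever it contains,
    # it is compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_query_rejects_apostrophe(conn):
    """Even an ordinary value with an apostrophe breaks the string-built query
    (sqlite reports a syntax error), which is the first sign it is unsafe."""
    try:
        find_user_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # text that happens to contain quotes
    print("unsafe:", find_user_unsafe(db, tautology))   # every row comes back
    print("safe:  ", find_user_safe(db, tautology))     # no user has that name
    print("apostrophe breaks unsafe query:", unsafe_query_rejects_apostrophe(db))
```

The parameterized version also works for the apostrophe case, returning an empty list because no such user exists; that is exactly the behaviour you want from a lookup.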

4 — Encode and escape to block Cross-Site Scripting Attacks (XSS)

Escaping rules are specific to the tech you’re working with. Four ways to protect against XSS are a) never insert untrusted data into your database; b) don’t try to write your own escaping code; c) add the HttpOnly flag wherever you set cookies; d) set up a content security policy. For more on encoding and escaping, I recommend OWASP’s Cross-Site Scripting Prevention Cheat Sheet.
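As an added example (not from the article or OWASP), here is how the three code-level items look in Python using only the standard library: context-specific encoding with html.escape and urllib.parse.quote rather than hand-written escaping, a session cookie with HttpOnly set through http.cookies, and a starting-point Content-Security-Policy. The policy string, header set and sample values are assumptions for the demonstration, not a recommendation for any particular application.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import quote


def render_comment(author, text):
    # HTML body and attribute context: html.escape(quote=True) encodes & < > " and ',
    # so the value can neither close the tag nor break out of the attribute.
    return '<p class="comment" data-author="{}">{}</p>'.format(
        html.escape(author, quote=True), html.escape(text, quote=True)
    )


def profile_link(username):
    # URL path context needs percent-encoding; the visible link text needs HTML
    # encoding. Same value, two different encoders for two different contexts.
    return '<a href="/users/{}">{}</a>'.format(
        quote(username, safe=""), html.escape(username, quote=True)
    )


def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, so script that does get
    # injected cannot read it; Secure and SameSite limit where it is sent at all.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


# Assumed starting-point policy: only same-origin scripts run, no plugins,
# <base> cannot be hijacked, and the page cannot be framed. Tighten per app.
CONTENT_SECURITY_POLICY = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)


def response_headers(session_id):
    """Headers a framework middleware would attach to every HTML response."""
    name, value = session_cookie_header(session_id).split(":", 1)
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CONTENT_SECURITY_POLICY,
        name: value.strip(),
    }


if __name__ == "__main__":
    print(render_comment("eve", "<script>alert(1)</script>"))
    print(profile_link('a b/"c'))
    for header, value in response_headers("constructed-session-id").items():
        print(f"{header}: {value}")
```

Note that html.escape covers HTML body and attribute contexts only; a value placed inside a script block, a CSS rule or an event handler needs that context’s own encoder, which is the point the cheat sheet makes about escaping rules being context-specific.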

5 — Validate input

To avoid your application or users being compromised, validate input on the server side, not only on the client side (client-side checks can be bypassed). Through code and testing, always ensure all data passed to the database is semantically correct. Syntactic checks help here too: whitelist only the values you know are valid.
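The following is an added example (not from the article) of server-side validation that separates the two kinds of check the paragraph mentions: syntactic (does the value have the right shape and type?) and semantic (does it make sense for this application: in range, in the allowlist, not in the past?). The order payload, field names, allowlists and limits are invented for the demonstration.

```python
import re
from datetime import date

# Allowlists and limits (constructed for this example): the exact values the
# server accepts. Anything else is rejected, however harmless it looks.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
SUPPORTED_COUNTRIES = {"US", "CA", "GB", "DE"}
MAX_QUANTITY = 100


def validate_order(payload, today=None):
    """Return (clean_order, errors). clean_order is None if anything failed.
    This runs on the server regardless of what the browser already checked."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    errors = {}
    clean = {}

    # Syntactic: shape of the value. fullmatch is used so that a prefix such as
    # "alice" cannot carry an "alice<script>" through on a partial match.
    username = payload.get("username")
    if isinstance(username, str) and USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors["username"] = "3-32 chars: lowercase letter, then letters, digits or _"

    # Syntactic (type) then semantic (range). bool is excluded explicitly
    # because it is a subclass of int in Python.
    quantity = payload.get("quantity")
    if not isinstance(quantity, int) or isinstance(quantity, bool):
        errors["quantity"] = "must be an integer"
    elif not 1 <= quantity <= MAX_QUANTITY:
        errors["quantity"] = f"must be between 1 and {MAX_QUANTITY}"
    else:
        clean["quantity"] = quantity

    # Allowlist: membership in a known-good set, nothing cleverer.
    country = payload.get("country")
    if country in SUPPORTED_COUNTRIES:
        clean["country"] = country
    else:
        errors["country"] = "unsupported shipping country"

    # Syntactic (ISO date format) then semantic (not in the past).
    try:
        ship_date = date.fromisoformat(payload.get("ship_date"))
    except (TypeError, ValueError):
        errors["ship_date"] = "must be YYYY-MM-DD"
    else:
        if ship_date < today:
            errors["ship_date"] = "cannot be in the past"
        else:
            clean["ship_date"] = ship_date

    # Fields that were not validated above are simply dropped; only `clean`
    # is ever forwarded to the database layer.
    return (clean if not errors else None), errors


if __name__ == "__main__":
    good = {"username": "alice", "quantity": 3, "country": "US",
            "ship_date": "2030-01-15", "extra": "ignored"}
    bad = {"username": "alice<script>", "quantity": "3", "country": "us",
           "ship_date": "2020-01-01"}
    print(validate_order(good, today="2024-01-01"))
    print(validate_order(bad, today="2024-01-01"))
```

Every error is reported at once rather than on the first failure, which makes the validator easy to unit test and gives the client a complete picture without leaking anything about the database.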

6 — Protect your users

As software developers, it’s part of our professional responsibilities to do all that we can to protect the data and personal information of our users.

There are volumes on digital privacy law, but you don’t have to be a legal expert to do your part. Two ways to protect the privacy of your users at the code level are to collect only the data that is absolutely necessary and, if at all possible, to pseudonymize that data upon collection.
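An added example, not from the article, of both ideas at collection time in Python: the record keeps only a short list of fields, and the direct identifier (an e-mail address) is replaced by a keyed hash. The article does not name a pseudonymization technique; HMAC-SHA256 is the one chosen here because, unlike a plain hash, it cannot be checked against a list of guessed e-mail addresses by anyone who has the records but not the key. Field names, the key and the form contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Data minimization: the only fields this feature needs. Anything else the
# signup form happens to carry (phone, birthday, ...) is never persisted.
KEPT_FIELDS = ("plan", "signup_date")

# Constructed demo key. In a real system the key comes from a secrets store
# and is held separately from the records it protects; with the key you can
# re-derive a user's pseudonym, without it the records are just opaque refs.
DEMO_KEY = b"constructed-demo-key-replace-with-a-real-secret"


def pseudonymize(identifier, key):
    """Keyed hash of a direct identifier, normalized so that case and stray
    whitespace do not produce different pseudonyms for the same person."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def collect(raw_form, key):
    """Turn a raw signup form into the record that is actually stored."""
    record = {field: raw_form[field] for field in KEPT_FIELDS if field in raw_form}
    record["user_ref"] = pseudonymize(raw_form["email"], key)
    return record


if __name__ == "__main__":
    form = {"email": " Alice@Example.test ", "phone": "555-0100",
            "birthday": "1990-01-01", "plan": "pro", "signup_date": "2024-01-01"}
    print(collect(form, DEMO_KEY))
```

Because the same input always yields the same user_ref under a given key, the stored records can still be joined and counted per user, which is what most analytics needs, while the e-mail address itself never reaches the database.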

For more on this important topic, I recommend checking out OWASP’s Top 10 Web Application Security Risks.

Thanks for reading these six musts to building secure software. I’d love to learn from you too. If you have other thoughts or insights related to this topic and are keen to share, please add them to the comments.

Adam Dudley