Six musts for building secure software
Developers are the first line of defense when it comes to cybersecurity. Our awareness of secure programming practices, and our ability to apply them, can give a software application a foundation that is resilient to attack by malicious actors.
There is no shortage of reports in the mainstream media on the frequency and impact of successful cyber attacks. We all know that they can have very expensive consequences for organizations large and small, so I won’t spend any time on that here.
The good news is that you can build secure software by following these essential practices that I learned from the training.
1 — Follow a secure code review process
Building secure software starts with a proven process that supports it. Three keys to an effective process are to a) leverage automated tests wherever possible; b) conduct static code reviews; c) scan for vulnerabilities in code and dependencies.
2 — Choose the right libraries and frameworks
Using libraries and frameworks that aren’t maintained and current in production applications leads to a cyber disaster. When selecting libraries or frameworks to use in your application, trust only those that are battle-tested and have strong ecosystems, community, and support. On sites like GitHub, you can easily see which repositories do and do not meet these criteria.
3 — Shield your database
The last thing you want is someone with bad intentions to negatively affect your database. Four ways to prevent this from happening are to a) secure your database queries with parameterization; b) use a checklist like the ones available on OWASP’s website to set up your DB config in a secure way; c) ensure your auth is protected with strong patterns and secret credentials; and d) use secure protocols like SSL to ensure no one can eavesdrop on communications.
Here’s some sample Ruby code from OWASP’s Query Parameterization Cheat Sheet that uses the ActiveRecord library to parameterize queries:
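The same technique as an added example, not taken from the original post or from OWASP's cheat sheet: Python's standard-library sqlite3 stands in for ActiveRecord, and the table, rows and function names are hypothetical. It contrasts a string-built query with a parameterized one and covers the case placeholders cannot handle, a column name, with an allowlist.

```python
import sqlite3

ALLOWED_SORT = {"name", "owner"}  # identifiers cannot be bound, so allowlist them


def make_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO projects (name, owner) VALUES (?, ?)",
        [("owasp", "alice"), ("internal-payroll", "bob")],
    )
    return conn


def find_unsafe(conn, name):
    # Vulnerable: the value is spliced into the SQL text, so a quote in
    # `name` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM projects WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_safe(conn, name):
    # Parameterized: the SQL text is fixed and `name` is bound as data.
    sql = "SELECT name FROM projects WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def list_sorted(conn, sort_by):
    # Placeholders bind values only; a column name must be checked
    # against a fixed allowlist before it is placed in the query.
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name FROM projects ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe:", find_unsafe(db, crafted))  # every row comes back
    print("safe:  ", find_safe(db, crafted))    # no row has that name
    print("sorted:", list_sorted(db, "owner"))
```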
4 — Encode and escape to block Cross-Site Scripting Attacks (XSS)
Escaping rules are specific to the tech you’re working with. Four ways to ensure your code meets requirements to protect against XSS are a) never insert untrusted data into your database; b) don’t try to write your own escaping code; c) add the HttpOnly flag wherever you set cookies; and d) set up a content security policy. For more on encoding and escaping, I recommend OWASP’s Cross-Site Scripting Prevention Cheat Sheet.
5 — Validate input
To keep your application and users from being compromised, it’s important to validate input not only on the client side but on the server side as well. Through code and testing, always ensure all data being passed to the database is semantically correct. Syntactic checks help with this too, by whitelisting only the values you know are valid.
6 — Protect your users
As software developers, it’s part of our professional responsibilities to do all that we can to protect the data and personal information of our users.
There are volumes on digital privacy law, but you don’t have to be a legal expert to do your part. Two ways to protect the privacy of your users at the code level are to collect only the data that is absolutely necessary and, if at all possible, to pseudonymize that data upon collection.
For more on this important topic, I recommend checking out OWASP’s Top 10 Web Application Security Risks.
Thanks for reading these six musts to building secure software. I’d love to learn from you too. If you have other thoughts or insights related to this topic and are keen to share, please add them to the comments.