Delivering Secure SoftwareIt is the author's personal and informed opinion that insecure software is not only impractical, but harmful as well. Developers have to use the best of their available skills and knowledge to deliver safe products. If they deem that they lack the necessary skills or training to achieve those basic goals, then they need to have access to training and support from industry experts. They should be fully enabled to prevent releases or undisclosed security flaws on remaining services. If they are aware that they are untrained (or under-trained) to fulfill this responsibility, they are essentially knowingly and consciously exposing the organisation to risk. But what constitutes an insecure software and how can developers acquire the necessary skills to be able to deliver it? Insecure software is that kind of software that primarily has both obvious and less obvious but feasible ways to be exploited. Given those exploitable ways, there are no alternative or separate ways to prevent malicious actors from performing either catastrophic damage, financial or sensitive information loss, or life-threatening events. Insecure software is really easy to churn out, so there is an even greater need for developers to understand to err on the side of caution. If you are a developer, here are some personal recommendations about ways you can cover the needs of secure coding fundamentals. And the best part of it is that you won’t lose much velocity when delivering new features to customers, even under deadline. Below is a list of personal recommendations for a basic secure coding environment:
- Using security audited frameworks: Using industry standard frameworks like Ruby On Rails can help you write secure software by design. This is because a lot of organizations use those frameworks. Therefore, a lot of hackers try to exploit them or find ways to break their defences, which leads to vulnerabilities being fixed as soon as they are discovered. Using an industry standard framework helps developers avoid catering to basic security mechanisms, as they are built-in. Naturally, every so often the framework does allow you to produce insecure code; for example, React dangerouslySetInnerHTML . But those instances are fairly documented and well-known.
- Using vetted crypto libraries: There is a known saying in software engineering: "Don’t roll your own crypto library". This is the most rational decision you should perpetually make as a developer. The real truth is that even for simple requirements, crypto is desperately hard to get right by default. If you roll your own crypto libraries, you always expose your software to risks. Fortunately, there are several good and safe crypto libraries available like libsodium or Bouncy Castle. Following this recommendation will prevent you from exposing your application to implementation flaws.
- Performing regular security reviews: Lastly, you will need to regularly perform external security reviews of your application. This is because those reviews will frequently expose unusual security flaws and considerations. As more and more vulnerabilities are exposed every day, there are more ways hackers can exploit them. Therefore having those reviews in place greatly reduces the chances of insecurity.
Small Wins vs. One-Off SuccessesIf you participated in secure-coding training sessions as part of compliance, you can understand how tedious they can be. In one instance in my experience, I had to read dated presentations about secure coding, all in one go, from cover to cover. The multiple-choice questions at the end of the session were written to trick you instead of challenging your knowledge. When I did finally finish this training I was glad I didn't ever have to do it again. This tick-the-box training is not only deceiving, but also dangerous. Can we do better? Yes – by conducting small, bitesize, interactive lessons instead of extensive tedious ones. That way, you make small wins and turn them into more substantial rewards. For example, instead of navigating through a long list of slides trying to understand XSS, you would be better off working with a framework of your choice like Django or Rails to resolve small challenges. Simultaneously, you’re learning the overall ways to defend against XSS vulnerabilities. That way, the learning experience is more appealing, engaging, relevant and fruitful.
Organizational Awareness and BeyondIn terms of a general security awareness within an organisation, there is also continuous training that needs to be done that concerns all personnel; not only the developers. This is because malicious actors can exploit things like social engineering and phishing emails to expose the organisation to risk. In such cases, it is appropriate to retain a collective effort using specialised bite-sized training to be delivered to personnel at frequent intervals. We repeatedly emphasize that this training needs to be regular and up-to-date, because bad actors continuously try new methods of attack.
ConclusionHow can we conclude such a brief article of secure coding training when there are so many things at stake? By following these tutorial recommendations, developers will get an essential idea of why we write secure software. In addition to the recommendations in this article, constant and regular training tools related to secure code guidelines are essential. Those change every day as hackers discover creative ways to exploit systems. To cover all those needs we recommend you see CxCodebashing with their complete solution of bite-sized training tutorials for secure coding. You can check out those materials on their website at Checkmarx.com.
Theo Despoudis is a Senior Software Engineer, a consultant and an experienced mentor. He has a keen interest in Open Source Architectures, Cloud Computing, best practices and functional programming. He occasionally blogs on several publishing platforms and enjoys creating projects from inspiration. Follow him on Twitter @nerdokto. He can be contacted via https://www.techway.io/.
To learn more about The Modern Approach to Developer AppSec Awareness and Training, The complete guide to secure coding education, by Checkmarx, you can download your copy here.