Reading Time: 7 minutes

Coding vs secure coding:
6 rules to live by

secure coding

2020 resulted in the most severe healthcare industry data breaches to date. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. More than 28 million healthcare records were exposed, compromised, or impermissibly disclosed in those breaches.

Source: https://www.hipaajournal.com/largest-healthcare-data-breaches-in-2020/

Why Care About Secure Coding?

Security incidents can have severe consequences for both businesses and individuals, including denial of service to a single user, compromised secrets, loss of service, financial and property damages, market manipulation, and theft. Insecure code in the finance, healthcare, energy, and transport industries can even cause physical harm and fatalities. For software companies, client trust is very important. Losing that trust through a breach especially impacts these firms’ bottom lines.

All companies are vulnerable. Even major organizations with vast resources and knowledge at their disposal have experienced serious data breaches.

There are a number of well-known security vulnerabilities such as Buffer Overflow and Code Injection Flaw. Click here to learn more about the most common security vulnerabilities.

What is Secure Coding?

The good news is that many attacks can be prevented by writing more secure source code.

Secure coding involves writing code in a high-level language that follows strict principles. Its goal is to thwart vulnerabilities that could expose data or cause harm. When developing your firm’s secure programming strategy, simplicity is key. Following industry and secure coding standards will go a long way in reducing your overall vulnerability (including the number of entry points). In addition, complex procedures often lead to lackluster results or IT teams ignoring them completely.  Therefore, you should avoid reinventing the wheel and adhere to proven security and secure coding best practices.

6 Secure Coding Rules To Live By

1. Minify and obfuscate code

Making your code more difficult to access and read deters hackers. A popular standard with JavaScript is to minify code. Minification removes white space and line breaks from your code, making exposed code much harder to read. Minification also has the added benefit of improving performance by decreasing the footprint of code files.

Obfuscation is another effective technique. This practice turns human-readable code into text that is difficult to understand.

2. Avoid shortcuts

As your code base grows larger and there is rising pressure to finalize working code quickly, it can be tempting to rely on shortcuts in code production. However, these “timesaver” methods can have serious security ramifications. For example, attacks often occur when hardcoded credentials and security tokens are left as comments.

3. Implement automated scanning, code reviews, and threat monitoring

Regular secure code reviews and automated tools which scan your code for XSS and SQL injection attacks help prevent attacks.

You should also be actively building threat models and planning to manage potential risks and remediate them. There are a number of available sources to help with this, such as OWASP and Have I Been Pwned.

4. Avoid components with known vulnerabilities

Do not use any components with known vulnerabilities, even when these components make your developers’ jobs easier. For example, open-source components and libraries can act as shortcuts for IT professionals. However, they also act as a common entry point for hackers.

5. Audit & log

Software with logging and monitoring allows you to catch potential breaches when your code is deployed.

6. Integrate secure coding principles into SDLC components

Your team should create and monitor applications at every stage—from the initial stage of gathering requirements for a new application (or adding features and functionality to an existing app) to development, testing, deployment, and maintenance.

At this earliest “gathering” stage, your project stakeholders should already begin reviewing requirements and flagging potential security risks, especially those related to source code. Using automated tools as part of your SSDLC or other secure coding initiatives can save you time and effort. Static application security testing (SAST) is one example, and it can be implemented very early on in the development cycle.

Make sure to provide a general description of how the secure coding principles are addressed in Architecture and Design documents. We recommend using OWASP Secure Coding Guidelines as a base for these protocols. Here are some of the most common secure coding principles:

  • Access control, which includes authentication and authorization
  • Enforcing strong encryption. There are many readily available libraries to help you implement encryption, thus requiring minimal custom code be written. It is, however, important to only use standard algorithms and libraries.
  • Whenever FIPS compliance is required, only validated libraries are used.
  • Secrets management. There are many available tools to help you manage secrets. However, never hardcode or upload secrets such as passwords or access keys to code repositories.

How to Implement

Once you’ve nailed the basics, you can take some additional steps to further secure your code.

Secure coding is not just writing, compiling, and releasing code. To grasp secure programming in its entirety, you also need a secure development environment built on a dependable and protected IT infrastructure using secure hardware, software, and services and providers.

Training

Building a culture of security within your organization is crucial. The most important part of building this culture is robust training. Training should focus on the vital secure coding principles described above. Developers, IT, organizational management, as well as internal and external stakeholders should be included in this education. It’s important not to just educate your staff on definitions, but also to allow them to practice in real-world coding simulations.

How can you start training your staff? Avatao’s hands-on exercises will teach your developers how to avoid the most common coding vulnerabilities exploited by hackers, through practical, real-life examples.

Related Articles

5 Key Challenges When Building a Security Training Program

5 Key Challenges When Building a Security Training Program

Reading Time: 7 minutes To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (originates from Harold Leavitt’s “Applied Organization Change in Industry”, 1964).

Getting started with Kotlin

Getting started with Kotlin

Reading Time: 9 minutes If you are working on Java projects you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out but is it worth it to pick one of them over Java?