Tips for Secure Software Development
Privacy is one of our most valuable goods, and attackers around the world have started to take this sensitive information away. Research has shown that the private data of more than 3 billion people has been stolen within the last ten years.
The recent attack against the U.S. consumer credit score provider Equifax, for instance, exposed a massive volume of records belonging to 2.4 million customers.
It’s our common responsibility to develop systems with security in mind. Functionality has been the number one priority for too many years. That time is over, and we need to realize that application security is a must for all our internal and external applications. In this post I will share some hints about secure software development that every developer, tester and designer should know.
- Never trust user input – All user input should be considered ‘evil’ until validated otherwise
- Use a layered approach to security testing to dramatically cut down on security issues before deployment
- Use generic error messages like “Incorrect username or password” to keep brute force attacks at bay. Never tell the user what the wrong data was.
- Consider breaking the build for medium and high-risk findings, and never ship with potentially dangerous vulnerabilities
- Using third-party code? Either run security tests on the original code or insist on a security analysis report from the code supplier
- Apply a hashing algorithm using salt to your user’s passwords before storing them in your database
- Separate your application’s dynamic content from your static content
- Test your code throughout the SDLC to save time and money in the long run
- Implement two-factor authentication wherever possible and logical
- Limit application permissions only to components required for the app to function properly.
- Implement SSL or TLS and ensure HTTPS is used.
- Invalidate user sessions upon logout or after a certain length of time
- Protect user interface data and user credentials by storing them properly using encryption
- Ensure your app meets all necessary regulatory and compliance requirements, especially for financial and health apps
- Don’t allow third-party keyboard use for iOS apps when sensitive content is entered
- Involve the security team in your feedback loop, offering your feedback and requesting theirs on the current state of security in your builds
- Teach the security team about how your team writes code, so they can better understand how and where security can be integrated
- Establish a shared discipline of agile development between the development, ops, and security teams throughout the SDLC
- Push smaller releases more often to lower the overall risk posture of the applications
- Dive into the OWASP Top 10 and learn all you can about the 10 most dangerous vulnerabilities that should be prevented or fixed in code
- Develop a working relationship with a member of the security team whom you feel comfortable asking security questions and who can ask you coding questions
- Get involved in the threat modeling process to better understand the risks involved in application design and development
- Learn how to use the security tools whether you get formal lessons or not – educating yourself in secure coding will take you further in your career!
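Two of the tips above, salted password hashing and generic login error messages, fit together in a single login check. The following is an added example, not code from the original post; the function names, the in-memory user store and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password"
ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest), using a fresh random salt for every password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory "database": username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy record so an unknown username costs the same hashing work as a known one
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password-never-used")


def login(username: str, password: str) -> tuple[bool, str]:
    """Check credentials; a failure never reveals which field was wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched
    digest_ok = hmac.compare_digest(candidate, stored)
    if username in USERS and digest_ok:
        return True, "Welcome"
    # Same message for "no such user" and "wrong password"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("mallory", "wrong"))
```

Because each password gets its own salt, two users with the same password end up with different stored digests.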
Your path to a secure software development chain
- Build Awareness
- Create your Security Requirements
- Consider Secure Coding Practices
- Secure Code Scan
- Functional Security Tests
- Application Scans, Penetration Tests
For any questions concerning secure software development, please contact me.
Keep doing the good things!