Introduction
In a general perspective, building or developing an application (web or mobile) can be done quite easily with the help of automation tools and references as well as using someone’s code for the same plugin or module.
In the case of developers, developing a automation technique app and using someone’s code would make them save time and effort in developing the application. But the actual problem of a security threat to the application starts by following above said methods. Due to this kind of insecure coding practices, it is always possible for hackers and attackers to penetrate the application. Hence Secure coding practice is always an essential and vital part of the Software Development Life Cycle (SDLC).
Open Web application Project (OWASP) has suggested Secure coding practice checklist while developing an application software.
SDLC (Software Development Life cycle):
Secure Coding Practices Checklist for SDLC (Testing Phase)
- Conduct data validation on all parameters which are getting and processing user input (Eg: Search box, URL, Login and other fields)
- Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.)
- Encode data to a common character set for validation.
- Sanitize data in transit, from client to server and server to client.
- Sanitize dangerous inputs which are irrelevant to the software by using Application program interface plugins (API).
- Practice defense in depth. Managing risk with multiple defensive strategies.
- Validate expected data types, data range, and data length.
- There should be centralized input validation mechanism for the application to prevent attacks like cross-site scripting, SQL injection etc..,
- Develop and/or apply a secure coding standard for your target development language and platform.
- Use effective quality assurance techniques. Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Fuzz testing, penetration testing, and source code audits should all be incorporated as part of an effective quality assurance program.
- Require authentication in pages which are having higher priority and not exposed to the public.
- Authentication controls should be implemented on a single centralized server.
- If your application manages a credential store, it should ensure that only cryptographically strong one way salted hashes of passwords are stored that the table/file that stores the passwords and keys is writable only by the application. (Do not use the MD5 algorithm if it can be avoided)
- Enforce an effective session management mechanism using strong session generation algorithm if your application uses authentication controls.
Conclusion
The above checklist can be used as a reference for application development with secure coding practice which will help the developers to bridge the technical gaps in their coding practices in accordance with Information security. I can recommend product development company would be implement SSDLC-Secure SDLC as a process with support from us.
Author: Arul Selvar | Posted On: 9th November 2017 | Category: Article