The science (and certification) of writing secure code
The world runs on code. From online banking to electronic voting systems and from self-driving cars to medical devices, almost every aspect of modern life relies upon software for safety, efficiency and convenience. Millions of lines of code intersect with our lives on a daily basis.
The security of that code is paramount to protecting the confidentiality, integrity and availability of the information, systems and devices upon which we rely. Unfortunately, there is a world full of hackers and other threat actors who wish to deprive us of the secure use of that code and focus relentlessly on undermining software security.
For many years, application developers adopted a “get it done” mindset that focused on shipping code as quickly as possible to gain market share, capitalize on business opportunities and improve efficiency. This mindset often sacrificed security as a burdensome afterthought that simply got in the way of progress.
Times have changed, however, and after a series of high profile security incidents, developers now recognize the importance of building security into their code from the outset, designing software that can withstand the dangers of the modern cybersecurity threat landscape.
Following a Development Lifecycle
One of the most important actions that developers can take is adopting a software development lifecycle that guides software projects through the design, implementation and testing phases and incorporates security requirements in a manner appropriate to each stage.
Including security from the start yields a “baked-in” approach to security that results in solid code that can withstand the many tests that will be thrown at it. The alternative approach, “bolt-on” security, treats security requirements as an afterthought and results in ineffective and often inadequate security controls.
Developers sometimes resist the idea of a development lifecycle because it conjures images of rigorous, stiff and formal practices that bog down development and slow progress on initiatives. Fortunately, this doesn’t need to be the case.
Many organizations are now adopting agile approaches to software development that allow rapid iteration and offer the flexibility that both developers and customers crave. This is a perfectly acceptable approach that can result in very secure code development, as long as security requirements are considered in the early stages of design and built-in at each iteration of the software development process.
Performing Input Validation
While, there is no silver bullet for software security issues, input validation may be as close to a panacea as we’ll ever see. Whenever software developers create a mechanism that allows for any user input, they should treat that input as completely untrusted and test it thoroughly before allowing it to interact with other components.
While it may be natural to assume that users are benevolent, that simply isn’t always the case. Developers should clearly document the acceptable types of input that may come from a user interaction and then scrub the input they receive to verify that it matches one of those expected patterns.
For example, if a developer writes code that is expecting to see an integer between 0 and 10,000, user input should be scanned to ensure that it matches that pattern and is non-negative, below 10,000 and does not contain any non-numeric characters.
Performing input validation is a critical software development practice and protects code against many different types of attack. SQL injection attacks attempt to insert database instructions into user input in an attempt to pass them to the back-end database.
Application Security Testing
In addition to developing software securely, organizations should also routinely test the security of their code using a combination of automated assessment tools and manual penetration tests. These techniques ensure that code remains secure, even in the face of newly developed threats and newly discovered vulnerabilities.
Automated testing tools scan applications for potential flaws and provide developers with a roadmap for remediating any deficiencies. During penetration tests, trained security professionals use the same tools that an attacker would leverage during an actual attack. This type of testing can be expensive and time-consuming but it also provides the most realistic assessment of how software will behave when it comes under attack.
Certifications for Secure Software Development
Developers and security professionals seeking to bolster their secure software development skills may choose to pursue professional certifications in the field. The Certified Secure Software Lifecyle Professional (CSSLP) certification program from (ISC)2, provides experienced software security professionals with a means to demonstrate that they have a well-rounded knowledge of application security issues. Earning this credential requires five years of professional experience and passing a four-hour exam consisting of 175 multiple-choice questions.
Individuals focused on web application security may wish to pursue a more specialized certification, such as the GIAC Certified Web Application Defender (GWEB) certification available from the SANS Institute’s Global Information Assurance Certification program.
GWEB focuses specifically on web application security issues, including SQL injection, authentication, cross-site scripting and input validation. The GWEB credential does not include an experience requirement. Candidates seeking the certification must pass a three-hour exam containing 75 questions with a score of 68% or higher.
Software is truly increasing in importance to both the functioning of everyday life and the protection of sensitive information. As organizations continue to rely more and more upon software, the demand for developers skilled in creating secure code will continue to increase. Individuals pursuing a career in software development and/or information security should have a strong working knowledge of software security issues and may wish to demonstrate that knowledge by adding one or more application security certifications to their professional resumes.