Best Ways to Have Secure Coding at Your Company

Words: 2085 | Pages: 5 | 11 min read

Published: Sep 19, 2019

Secure coding is a topic we should not need to write articles about: in an ideal cyber world everybody would be thoroughly informed about the risks and threats that unsafe code carries. Sadly, this is not the case. Just think about it: a modern operating system contains more than 50 million lines of code. That is a lot of room for error and a lot of surface to which secure coding should be applied, and we have not yet counted the other programs a company uses or the code its own programmers add to them. Below you can read about the main issues of secure coding and the best practices that everybody, from management to HR to individual employees, should be aware of.


Keeping it Simple

One of the most important principles of secure coding is to keep the design as simple as possible. The more complex the design, the higher the chance of errors and flaws in the code. Complicated code requires complicated security mechanisms to protect it from intruders, not to mention that finding mistakes and flaws in it is much harder. Going through poorly written code is like reading a book filled with useless sentences. So encourage your programmers to reuse program components that have already proved themselves trustworthy instead of writing new ones.

Basic Things

It may sound obvious, but make sure that password entry is masked on your employees' computers. Temporary passwords and links should have a short expiration time and should work only once. Also, tell all your workers never to reuse a password across accounts: one leaked credential should not unlock several systems. These things might sound trivial, but the devil never sleeps, and password hygiene is part of keeping your organisation's secure coding effort intact.
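The short-lived, single-use temporary link mentioned above, written out as an added example that is not part of the original article. The password-reset flow, the in-memory TOKENS store (standing in for a database) and the 15-minute lifetime are assumptions for illustration; the `now` parameter exists only so the expiry logic can be exercised without waiting.

```python
"""Short-lived, single-use temporary tokens (added example).

Not from the original article. The reset flow and the TOKENS dict that
stands in for a database are constructed for illustration.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of a temporary link

# token_hash -> (user_id, expires_at). Only the hash is stored, so a leaked
# copy of this table does not hand out live reset links.
TOKENS: Dict[str, Tuple[str, float]] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Return a fresh unguessable token; record only its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    TOKENS[_hash(token)] = (user_id, now + ttl)
    return token


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid, otherwise None.

    Valid means: it exists, it has not expired, and it has not been used.
    The entry is removed on the first attempt whatever the outcome, so a
    token can never be replayed.
    """
    now = time.time() if now is None else now
    entry = TOKENS.pop(_hash(token), None)   # pop: single use, even on failure
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        return None                          # expired tokens are discarded
    return user_id
```

Storing the hash rather than the token, popping on first use, and checking expiry on the server side are the three properties that make a "temporary link" actually temporary.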

Input Validation

Treat input from every outside source as untrusted and validate it before use. Your IT specialists should implement policies by which potential damage coming from the outside can be fended off or at least reduced: accept only the values, lengths and formats the application expects (an allowlist), reject everything else instead of trying to clean it up, and validate on the server side even when the client already checks. Offering help and cyber security assistance to your partners and other third parties associated with you can greatly reduce the risk of cyber casualties, because their data frequently ends up as your input.
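An allowlist validator for one untrusted request, as an added example that is not from the original article. The request shape (username, role, port, source_ip), the limits and the role names are constructed for illustration; the point is that every field is checked for type, format and range, and anything unexpected rejects the whole request rather than being sanitised and passed along.

```python
"""Allowlist input validation for one untrusted request (added example).

Not from the original article; field names, limits and role names are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Union

# \Z rather than $: with $, "alice\n" would match and a trailing newline
# would slip through to whatever consumes the username.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")     # 3..32 chars, lowercase
ALLOWED_ROLES = frozenset({"viewer", "editor"})           # enumerated values only
PORT_MIN, PORT_MAX = 1024, 65535
EXPECTED_FIELDS = frozenset({"username", "role", "port", "source_ip"})


class ValidationError(ValueError):
    """Raised for any input that is not exactly what the application expects."""


@dataclass(frozen=True)
class Request:
    username: str
    role: str
    port: int
    source_ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def validate_request(raw: object) -> Request:
    """Turn untrusted data into a typed Request, or raise ValidationError.

    Nothing is 'cleaned up' and forwarded: each field is checked for type,
    format and range, and unknown or missing fields reject the request.
    """
    if not isinstance(raw, dict) or set(raw) != EXPECTED_FIELDS:
        raise ValidationError("unexpected or missing fields")

    username = raw["username"]
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValidationError("bad username")

    role = raw["role"]
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValidationError("bad role")

    port = raw["port"]
    # bool is a subclass of int in Python, so True would otherwise pass as 1
    if isinstance(port, bool) or not isinstance(port, int) \
            or not PORT_MIN <= port <= PORT_MAX:
        raise ValidationError("bad port")

    source_ip = raw["source_ip"]
    # ipaddress.ip_address() also accepts integers; insist on the string form
    if not isinstance(source_ip, str):
        raise ValidationError("bad source_ip")
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        raise ValidationError("bad source_ip") from None

    return Request(username, role, port, addr)
```

The two Python-specific traps in the comments (`$` versus `\Z`, and `bool` being an `int`) are the kind of detail that distinguishes a validator that looks right from one that is right.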

Default: Deny

Your IT specialists should not base access on exclusion; granting permission explicitly is much safer. But what does this mean exactly? To put it simply, let us quote the experts in the field: Carnegie Mellon University's Software Engineering Institute (SEI) states that, by default, access is denied and the protection scheme identifies the conditions under which access is permitted. The SEI also notes that "every process should run with the least set of privileges necessary to complete the job. Any elevated permission should only be accessed for the least amount of time required to complete the privileged task. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges."
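Both SEI points in code, as an added example that is neither the article's nor the SEI's own: a default-deny check against an explicit grant table, the "access by exclusion" anti-pattern beside it to show why a new, unlisted role falls through, and a context manager that holds an extra privilege only for the duration of the task that needs it. The roles, actions and the GRANTS table are constructed for illustration; how the elevation itself is approved (re-authentication, a manager's sign-off) is outside the example.

```python
"""Default deny versus access by exclusion, with time-boxed privilege.

Added example; not from the original article or the SEI. Role names,
actions and the GRANTS table are constructed for illustration.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set, Tuple

Grant = Tuple[str, str, str]   # (role, action, resource_type)

# The protection scheme: every condition under which access is permitted
# is listed here. Anything not listed is denied.
GRANTS: FrozenSet[Grant] = frozenset({
    ("viewer", "read", "report"),
    ("editor", "read", "report"),
    ("editor", "write", "report"),
    ("admin", "delete", "report"),
})

# The anti-pattern: a list of who is NOT allowed. Everyone else falls through.
BLOCKED_ROLES = frozenset({"guest"})


@dataclass
class Principal:
    name: str
    roles: FrozenSet[str]
    elevated: Set[str] = field(default_factory=set)   # held only temporarily


def is_allowed(p: Principal, action: str, resource_type: str) -> bool:
    """Default deny: True only if an explicit grant matches one of p's roles."""
    return any((role, action, resource_type) in GRANTS
               for role in p.roles | p.elevated)


def is_allowed_by_exclusion(p: Principal, action: str, resource_type: str) -> bool:
    """Access by exclusion (do not do this): deny listed roles, allow the rest.

    A role nobody thought about when the block list was written, say a new
    'contractor' role, is allowed to do everything, including delete.
    """
    return not (p.roles & BLOCKED_ROLES)


@contextmanager
def elevated(p: Principal, role: str):
    """Grant `role` only for the duration of the with-block.

    The extra privilege is dropped again on exit, even if the privileged
    task raises; how the elevation is approved is outside this example.
    """
    p.elevated.add(role)
    try:
        yield p
    finally:
        p.elevated.discard(role)


def delete_report(p: Principal, report_id: int) -> str:
    if not is_allowed(p, "delete", "report"):
        raise PermissionError(f"{p.name} may not delete report {report_id}")
    return f"deleted {report_id}"


def purge_reports(p: Principal, report_ids: Iterable[int]) -> List[str]:
    """Run the privileged task with 'admin' held only while it runs."""
    with elevated(p, "admin"):
        return [delete_report(p, rid) for rid in report_ids]
```

The contrast to watch is the `contractor` principal: the exclusion check lets it delete because nobody listed it, the grant-table check refuses because nobody permitted it.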

Considering that, the main objective of secure coding is to help programmers and developers foresee these challenges and prepare for them at design time. The principle is supported by a variety of specific strategies. One is to validate input, so that data from untrusted sources cannot drive the program into states it was never meant to reach. Another is to check for buffer overflow weaknesses: every write into a fixed-size buffer must be bounded by the buffer's actual length, never by the length of the incoming data. More generally, programmers aim to build interfaces that expose as few entry points as possible, since every entry point is something an attacker can probe. As the cyber security community becomes more aware of common attack techniques, security measures are being built into newer platforms and devices. As a result, many of the old vulnerability classes of PC operating systems are mitigated on newer smartphone platforms. However, attackers are also focusing more and more on mobile phones, so this is the new playground for secure coding and cyber security work.

Security Requirements

Make sure that each of your employees has a clear and thorough understanding of your cyber security protocols. Your programmers should not only write code; they must also act as watchdogs, keeping an eye out for unintended but harmful actions by non-IT colleagues. To be able to do this, send your programmers to well-designed, specialised training courses.

Strengthening Software

It is not enough to have the best human resources for cyber security; secure coding also involves regular and deliberate software maintenance. Do not simply wait for automatic upgrades: have your IT specialists track security advisories for the third-party software and libraries you depend on, and look into their code where it is available to see whether it carries any security risks. And do not be tight-fisted when it comes to network security: install the protection tools your IT specialists recommend. For important programs, perform a code review every time the code changes.

IT teams and even trainers organise matches between programmers so they can test their skills against each other. Learning how to attack and break the security of another system helps programmers with secure coding: by knowing which weak spots they themselves would attack, they can fortify those potential flaws in their own code. A good programmer and secure coding specialist knows how to think like an attacker, perhaps because they once were one.

Tip: As the OWASP (Open Web Application Security Project) Secure Coding Practices Quick Reference Guide recommends, isolate development environments from production and give access only to authorised programmers and test groups. Development environments are often configured less securely than production environments, and attackers may use this to find shared weaknesses or a way to break in.

Critical Thinking

There is nothing wrong with asking a couple of independent experts or analysts from time to time to assess your company's secure coding. Someone from the outside can be very helpful in detecting, assessing and fixing mistakes in the code written by your in-house programmers. Reassure your coders that this is no threat to them; they should consider it live training that lets them do their jobs more confidently. After all, even the best software has had testers; big companies hire regiments of people just to find mistakes in their code.

Inner Inspection

If your organisation has well trained and experienced programmers, they can take the role of the independent experts mentioned above. Make sure they attend courses where they learn how to assess their own work and how to review the code of a fellow programmer. They can also introduce automated code analysis tools, which find flaws early in the development process.

No Reprehension

When building your cyber security and secure coding culture it is important not to blame your developers for their mistakes, because this widens the gap between leadership/HR and programmers. Use test results to educate: anonymously point out the most common mistakes, and treat them as instructive examples rather than as failures. Remember, if your programmers feel strictly monitored all the time, they will not be able to practise secure coding properly and your organisation's cyber security will not improve.

Review Checklists

If you decide to do manual code review, make sure all reviewers work from the same checklist. Developers are only human and can overlook secure coding practices, and reviewers can forget to check certain things; a well-built checklist catches both. But what matters most: do not let your reviewers overwork themselves. Enforce mandatory breaks so that reviewers are at their best, especially when working on high-profile applications.

Why Are Secure Coding Reviews Useful?

According to Checkmarx, when it comes to choosing the tools for a secure code review, the main question is whether you should use automated tools or human inspection. Which one is better? The best approach is a mixed one, combining manual review with static code analysis tools. Here are the pros and cons of the two methods.

Automated Review

Pros

  • Detects hundreds of vulnerability classes, including SQL injection and cross-site scripting
  • Tests large volumes of code quickly
  • Can be scheduled or run on demand
  • Can be customised to your organisation's needs
  • Helps raise secure coding awareness and educates software developers

Cons

  • Tools that cannot be tuned to your code base produce false positives and miss real issues
  • Comes with a learning curve for those not familiar with this kind of tool
  • Not every organisation can afford professional automated tools

Manual Review

Pros

  • Dives deep into the code to check for errors and architectural flaws that most automated tools cannot detect
  • Flaws in authentication, authorisation and data validation are better found manually
  • There is always room for an extra set of eyes on high-value code
  • Reviewing other people's code is a great way to share secure coding practices

Cons

  • Requires an expert in both cyber security and secure coding, which is usually expensive
  • Different reviewers may come up with completely different reports, which can be confusing
  • Reviewing code and writing reports is time-consuming, and a chore most programmers try to avoid

No tool or human is perfect. Tools match patterns; they do not know what the code is supposed to do, so they cannot find mistakes in its logic, such as a query that is perfectly parameterised but never checks that the caller is allowed to see the row it returns. In many ways, manual and automated code reviews complement each other, each covering the areas where the other is weak. If your budget allows for both a tool and a reviewer, use both automated and manual methods when doing cyber security and secure coding checks.
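The complementarity in concrete form, as an added example that is not from the article or from Checkmarx. The first pair is a SQL injection that any static analyser flags (string formatting into a query) beside its parameterised fix; the second pair is a query that is parameterised and therefore "clean" to a scanner, yet lets any user read any invoice because the authorisation rule is missing, which only a reviewer who knows the intended rule will spot. The schema and rows are constructed, and sqlite3 in memory stands in for the application database.

```python
"""What a scanner catches and what it misses (added example).

Not from the original article or from Checkmarx. The schema and rows are
constructed; sqlite3 in memory stands in for the application database.
"""
import sqlite3
from typing import List, Optional, Tuple


def open_db() -> sqlite3.Connection:
    """Constructed sample data: two organisations, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, org TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, org TEXT, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'acme'), (2, 'mallory', 'evil');
        INSERT INTO invoices VALUES (10, 'acme', 5000), (11, 'evil', 5);
    """)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """SQL injection: the untrusted name is pasted into the statement.

    Static analysis flags this: string formatting into a query is a pattern
    a tool can recognise without understanding the application.
    """
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The fix: a bound parameter, so the name never becomes SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def get_invoice_logic_flaw(conn: sqlite3.Connection, requesting_user_id: int,
                           invoice_id: int) -> Optional[Tuple]:
    """Parameterised, so a scanner is happy, yet broken.

    Nothing checks that the invoice belongs to the requesting user's
    organisation: any authenticated user can read any invoice by id. No
    syntactic pattern identifies this; a reviewer who knows the rule does.
    """
    return conn.execute(
        "SELECT id, org, amount FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()


def get_invoice_checked(conn: sqlite3.Connection, requesting_user_id: int,
                        invoice_id: int) -> Optional[Tuple]:
    """Authorisation expressed in the query: invoice org must match user org."""
    return conn.execute(
        """SELECT i.id, i.org, i.amount
             FROM invoices i JOIN users u ON u.org = i.org
            WHERE i.id = ? AND u.id = ?""",
        (invoice_id, requesting_user_id)).fetchone()
```

Run a scanner over this file and it will point at `find_user_vulnerable` and nothing else; the checklist item "does every data access enforce ownership?" is what finds `get_invoice_logic_flaw`.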

Defense Practice

According to Robert C. Seacord, computer security specialist and author, companies should manage risk with multiple defensive strategies, so that if one layer of defence falls, another takes its place and can prevent further intrusion or minimise the consequences of a cyber attack. For example, combining secure coding with secure runtime environments (non-executable stacks, address-space layout randomisation, sandboxing) reduces the chance that a vulnerability remaining in the code can actually be exploited in the operational environment.

Education is Golden

Always think ahead when sending your programmers to secure coding training. Make sure they learn skills specific to their field. Try to keep these people at your company by all means, because if they leave you lose not only their work but also the benefit of the training your company has paid for. Provide your employees with personalised learning plans so you have neither an excess nor a shortage of specialists in any one area. Want to know what is more useful than correcting mistakes and fixing flaws in code? Not making the mistakes to begin with, or at least making fewer of them. You want your senior programmers to be one-person IT superpowers with up-to-date, specialised skill sets. And make sure these people are satisfied with their earnings: you don't want an Edward Snowden emerging from your staff.

Comment by Author: I think the retention advice above works well and is plenty for this section. This part doesn’t work as well -- Edward Snowden was making $200,000 a year with Booz Allen, so it doesn’t ring true.

Handling Issues

You should include your non-IT personnel in your company's cyber security. For secure coding, it is useful to create a bug bounty program, meaning that anyone who finds a security flaw receives a reward. You should also create a response team for secure coding emergencies and for managing critical situations. For this reason it is essential that your programmers have effective ways of communicating with the rest of your staff: during an attack, an emergency message that does not get through fast enough can make the difference between a contained incident and a serious breach.


Secure Failure

Bruce Schneier said: "When an ATM fails, it shuts down; it doesn't spew money out its slot." Accept that failure in the cyber world is inevitable and that your programs will eventually crash. Stay ready and make sure that your IT specialists prepare your programs to fail closed: a failure must not give up sensitive data or grant access that was never explicitly permitted. According to Sarah Vonnegut, social media specialist at Checkmarx, if there is an error processing the login information, make sure your application discloses nothing more than a generic error, the same message whether the username or the password was wrong. And always log failures, on the server side, for further analysis to understand what improvements can be made.

In order to ensure your company's and your customers' safety, your programmers must be able to write code that stands the test of cyber crime. This can only be accomplished with proper knowledge and commitment. The days when testing code for security flaws was left to the last minute or not done at all are gone. If you feel responsible for your organisation, you shouldn't sweep this issue under the rug. So share this article, and write your comments about the secure coding practices implemented at your company.
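A login routine that fails the way the section describes, as an added example that is not from the article, Checkmarx or Schneier: the same generic message for an unknown user, a wrong password and an internal error, the distinguishing detail written only to an audit log, and any unexpected exception denying access rather than leaking. The user store is constructed in memory with a fixed salt so the example is deterministic; a real system derives a random salt per user with `os.urandom()`. The `audit` list parameter stands in for a real logger so the behaviour can be checked.

```python
"""Failing closed on login without leaking why (added example).

Not from the original article, Checkmarx or Schneier. The user store is
constructed in memory with a fixed salt for determinism; a real system
uses a random per-user salt from os.urandom().
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENERIC_ERROR = "Invalid username or password."   # same text for every failure
_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_SALT = bytes(16)                                  # fixed only for determinism
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _derive("correct horse", _SALT)),
}
# Compared against for unknown usernames, so that a failed login takes the
# same time whether or not the account exists.
_DUMMY = (_SALT, _derive("placeholder", _SALT))


def login(username: object, password: object,
          users: Dict[str, Tuple[bytes, bytes]] = USERS,
          audit: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Return (ok, message_for_user).

    The message is identical for 'no such user', 'wrong password' and
    'something broke'; the distinguishing reason goes only to the audit
    log, and the password itself is never logged.
    """
    audit = audit if audit is not None else []
    try:
        known = isinstance(username, str) and username in users
        salt, stored = users[username] if known else _DUMMY
        candidate = _derive(password, salt)           # always do the hash work
        if known and hmac.compare_digest(candidate, stored):
            audit.append(f"login ok user={username!r}")
            return True, "Welcome"
        reason = "bad password" if known else "unknown user"
        audit.append(f"login failed user={username!r} reason={reason}")
        return False, GENERIC_ERROR
    except Exception as exc:
        # Fail closed: a malformed request or a store error denies access,
        # and the exception text never reaches the user.
        audit.append(f"login error user={username!r} exc={type(exc).__name__}")
        return False, GENERIC_ERROR
```

The `except Exception` branch is the ATM shutting down: whatever went wrong, the answer to the caller is "no", and the reason is available to whoever reads the log afterwards.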

This essay was reviewed by Alex Wood

Best Ways To Have Secure Coding At Your Company. (2019, August 27). GradesFixer. Retrieved April 19, 2024, from https://gradesfixer.com/free-essay-examples/best-ways-to-have-secure-coding-at-your-company/