Tips for Secure Software Development
Privacy is one of our valuable goods and attackers around the world have started to take this sensitive information away. Research has shown that private data of more than 3 billion humans has been stolen within the last ten years.
The recent attack against the U.S. consumer credit score provider Equifax for instance discovered a massive volume of 2.4 million customers.
It’s our common responsibility to develop systems with security in mind. Functionality has been NR 1 priority for too many years. This time is gone now and we need to realize that application security is a must for all our internal and external applications. In this post I will share some hints about secure software development every developer, tester and designer should know.
Never trust user input – All user input should be considered ‘evil’ until validated otherwise
Use a layered approach to security testing to dramatically cut down on security issues before deployment
Use generic error messages like “Incorrect username or password” to keep brute force attacks at bay. Never tell the user what the wrong data was.
Consider breaking the build for medium and high-risk findings, and never ship with potentially dangerous vulnerabilities
Using third-party code? Either run security tests on the original code or insist on a security analysis report from the code supplier
Apply a hashing algorithm using salt to your user’s passwords before storing them in your database
Separate your application’s dynamic content from your static content
Test your code throughout the SDLC to save time and money in the long run
Implement two-factor authorization wherever possible and logical
Limit application permissions only to components required for the app to function properly.
Implement SSL or TLS and ensure HTTPS is used.
Iinvalidate user sessions upon logout or after a certain length of time
Protect user interface data and user credentials by storing them properly using encryption
Ensure your app meets all necessary regulatory and compliance requirements, especially for financial and health apps
Don’t allow third party keyboard use for iOS apps when sensitive content is entered
Involve the security team in your feedback loop, offering your feedback and requesting theirs on the current state of security in your builds
Teach the security team about how your team writes code, so they can better understand how and where security can be integrated
Establish a shared discipline of agile development between the develop, ops, and security – throughout the SDLC
Push smaller releases more often to lower the overall risk posture of the applications
Dive into the OWASP Top 10 and learn all you can about the 10 most dangerous vulnerabilities that should be prevented or fixed in code
Develop a work relationship with a member of the security team who you feel comfortable asking security questions and answering coding questions
Get involved in the threat modeling process to better understand the risks involved in application design and development
Learn how to use the security tools whether you get formal lessons or not – educating yourself in secure coding will take you further in your career!
Your path to a secure software development chain
Create your Security Requirements
Consider Secure Coding Practices
Secure Code Scan
Functional Security Tests
Application Scans, Penetration Tests
For any questions concerning secure software development please contact me.
Keep doing the good things!