Software development security
Security, as part of the software development process, is an ongoing process involving people and practices, and ensures application confidentiality, integrity, and availability. Secure software is the result of security aware software development processes where security is built in and thus software is developed with security in mind.[1]
Security is most effective if planned and managed throughout every stage of software development life cycle (SDLC), especially in critical applications or those that process sensitive information.
The solution to software development security is more than just the technology.
Software development challenges
As technology advances, application environments become more complex and application development security becomes more challenging. Applications, systems, and networks are constantly under various security attacks such as malicious code or denial of service. Some of the challenges from the application development security point of view include Viruses, Trojan horses, Logic bombs, Worms, Agents, and Applets.[2]
Applications can contain security vulnerabilities that may be introduced by software engineers either intentionally or carelessly.
Software, environmental, and hardware controls are required although they cannot prevent problems created from poor programming practice. Using limit and sequence checks to validate users’ input will improve the quality of data. Even though programmers may follow best practices, an application can still fail due to unpredictable conditions and therefore should handle unexpected failures successfully by first logging all the information it can capture in preparation for auditing. As security increases, so does the relative cost and administrative overhead.
Applications are typically developed using high-level programming languages which in themselves can have security implications. The core activities essential to the software development process to produce secure applications and systems include: conceptual definition, functional requirements, control specification, design review, code review and walk-through, system test review, and maintenance and change management.
Building secure software is not only the responsibility of a software engineer but also the responsibility of the stakeholders which include: management, project managers, business analysts, quality assurance managers, technical architects, security specialists, application owners, and developers.
Basic principles
There are a number of basic guiding principles to software security. Stakeholders’ knowledge of these and how they may be implemented in software is vital to software security. These include:
- Protection from disclosure
- Protection from alteration
- Protection from destruction
- Who is making the request
- What rights and privileges does the requester have
- Ability to build historical evidence
- Management of configuration, sessions and errors/exceptions
Basic practices
The following lists some of the recommended web security practices that are more specific for software developers.
- Sanitize inputs at the client side and server side
- Encode request/response
- Use HTTPS for domain entries
- Use only current encryption and hashing algorithms
- Do not allow for directory listing
- Do not store sensitive data inside cookies
- Check the randomness of the session
- Set secure and HttpOnly flags in cookies
- Use TLS not SSL
- Set strong password policy
- Do not store sensitive information in a form’s hidden fields
- Verify file upload functionality
- Set secure response headers
- Make sure third party libraries are secured
- Hide web server information
Security testing
Common attributes of security testing include authentication, authorization, confidentiality, availability, integrity, non-repudiation, and resilience. Security testing is essential to ensure that the system prevents unauthorized users to access its resources and data. Some application data is sent over the internet which travels through a series of servers and network devices. This gives ample opportunities to unscrupulous hackers.
Summary
All secure systems implement security controls within the software, hardware, systems, and networks - each component or process has a layer of isolation to protect an organization's most valuable resource which is its data. There are various security controls that can be incorporated into an application's development process to ensure security and prevent unauthorized access.
References
- Securing Enterprise Web Applications at the Source: An Application Security Perspective, OWASP
- Stewart, James (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 275–319. ISBN 978-1-118-31417-3.
- Stewart, James (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 275–319. ISBN 978-1-118-31417-3.
- Report from Dagstuhl Seminar 12401Web Application Security Edited by Lieven Desmet, Martin Johns, Benjamin Livshits, and Andrei Sabelfeld, http://research.microsoft.com/en-us/um/people/livshits/papers%5Ctr%5Cdagrep_s12401.pdf
- Web Application Security Consortium, The 80/20 Rule for Web Application Security by Jeremiah Grossman 2005, http://www.webappsec.org/projects/articles/013105.shtml
- Wikipedia Web Application Security page, Web application security
- Web Security Wiki page, https://www.w3.org/Security/wiki/Main_Page
- Wikipedia Web Security Exploits page, Category:Web security exploits
- Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/Main_Page
- Wikipedia Network Security page, Network security
- Open Web Application Security Project (OWASP) web site, https://www.owasp.org/images/8/83/Securing_Enterprise_Web_Applications_at_the_Source.pdf