Foundations of Writing Secure Code

Foundations of Writing Secure Code

As a Software Engineer, we are expected to write code that is efficient, scalable, maintainable, and secure too. Security is a very important aspect of writing code that is often neglected. According to a report by Inc, companies lose 400 Billion Dollars to Hackers each year due to Cyberattacks.

 

A large portion of these Cyberattacks is due to loopholes in the code that occur in the absence of a process for security scanning of the code. Due to this, it’s necessary that companies in general and software engineers, in particular, enforce strict code review practices involving scanning the code for any security-related vulnerabilities written by developers or engineers. 

 

Below, we will be outlining some of the best practices that need to be followed to make your code more secure:


1. Always Check Any Data Sent by Users

Whenever you are writing some backend code, especially APIs, it’s normal to send data from the frontend to the backend. Normally, it’s in the body of the API call. Now, on your side, you always need to check the data that has been sent by the user. Usually, in every framework, we do have validators or validation classes that can be used to validate data sent by the users. 

 

You can check the length of the data, datatype, format (by regex or any library), and many other things that can be found in the docs of that particular framework.

Some frameworks also have custom serializers for every data type like DateSerializers, EmailSerializers, etc., that automatically handle all the errors related to any malformed data sent to them.

 

 

2. Use Tools and Libraries to Scan Your Code 

There are various tools for source code scanning in code. These tools can be integrated into your workflow and can help you a lot in identifying the weaknesses in your logic overall and other loopholes in your code. 

 

These tools are used to analyze the actual source code or to find flaws related to security in your compiled code. Most of these tools can be integrated into your coding pipeline or into your IDE. These tools are quite helpful because you can identify the problems while being in the development phase and fix the issues right away. 

 

Some notable tools are .NET Security Guard, Agnitio, Bandit, CodeSec, Coverity for source code analysis. Alongside that, you can also use some tools for API testing like 42Crunch, APISecurity.io, VSCode OpenAPI, BurpSuite, and others.

 

Alongside that, writing tests for your code can also help you a lot in avoiding the unwanted behavior in your code. So, you should always follow best practices for that and write tests for your code.

 

 

3. Cross-Site Scripting(XSS)

Cross-Site Scripting is one of some common ways used by hackers to get access to your code and execute some scripts. It mostly occurs in client-side scripting languages like JavaScript, due to flaws and weaknesses in the logic and not checking the user input before performing any action based on that.

 

In a Cross-Site Scripting attack, hackers are able to force vulnerable code in web applications into performing malicious or unwanted actions. Results of XSS attacks can be viruses, credentials, and data theft, and maybe unwanted access to a user’s browser.

 

Example of XSS:

 

 

Suppose you have the above code in your web application somewhere. What this code does is that it simply runs any script or anything that you have passed to the input field with query-input id.

 

Now if you put an image tag in the input tag like that:

 

 

It will run the onerror method and log the complete cookie that may contain the session id, auth token, and other credentials. Once a hacker has access to these credentials, they can use it to do subsequent API calls to the server.

 

Tips for Writing Secure Code:

  1. Always try to use strict mode in weakly typed languages like JavaScript. It prevents or throws errors if any ‘unsafe’ actions are taken.
  2. If you are getting some data or files from the user, always make sure to validate it by length, filetype. Never execute anything directly. 
  3. Use appropriate headers in the response that make sure to only allow data that is desired. For example, You can use ‘Content-Type’ and ‘X-Content-Type-Options’ for this purpose.
  4. If you enforce the rules of Content Security Policy (CSP), then you can limit your code to run inline scripts and functions that hackers can execute to halt the expected behavior of your code.

 

Conclusion

To write secure code, you need to follow some best practices and also use the right toolset for that. Manually identifying loopholes can be tedious. If you integrate the right tools into your software development pipeline it can help you a lot in securing your code.

Shimi Eshkenazi

Shimi Eshkenazi / About Author

Shimi is a Product Manager at WhiteSource. Shimi has spent more than a decade on software development in a variety of organizations and gathered experience in the application security world for more than 6 years.

Shimi had lectured in conferences like OWASP-EU & SecTor, published security researches, and participated in the writing of patents regarding innovation in this field, some of them are already granted. Shimi is currently working at WhiteSource leading a cutting-edge technology offering for open source security.

LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *