Secure Coding Presentation
Secure Coding Presentation
Focus: Methods/Tools:
- Authentication and Authorization - Static Analysis
- Data Validation - Dynamic Analysis
- Error Handling - Penetration Testing
- Session Management - Code Review Checklists
- Security Configuration - Manual Code Reviews
- Logging
- Encryption
Secure Code Review
Why do it?
- Planning
- Review Preparation
- Review Execution
- Issue Identification
- Issue Remediation
- Verification
- Documentation
MITRE
What is MITRE?
- Founded in 1958, MITRE is a non-profit company meant to serve as objective advisers in systems engineering to government
agencies, both military and civilian. Since 2014, MITRE has operated the nation’s first and only FFRDC dedicated to cybersecurity
and the advancement of secure technologies. MITRE has published a wealth of standards and knowledge relating to information
security, and is well respected within the industry.
What is CVE?
- Common vulnerabilities and exposures (CVE) is a database of specific instances of vulnerabilities identified within a specific product
or system.
What is CWE?
- Common Weakness Enumeration (CWE) is a community developed, categorized list of software and hardware vulnerabilities that
have been identified as the cause of flaws in systems and listed in a CVE. An encyclopedia of community recognized vulnerabilities.
Can be used as a secure coding standard.
MITRE Frameworks:
- These knowledge bases create the foundation for the development of system specific threat models and methodologies.
- ATT&CK, D3FEND, Engage, Caldera
IBM SPbD@IBM
What is IBM?
- Founded in 1911, International Business machines (IBM) is a global technology company that offers a
wide range of computer based products, services, and solutions.
What is SPbD@IBM?
- IBM Security and Privacy by Design (IBM SPbD@IBM) is a streamlined and agile set of focused
security and privacy practices which reinforces embedding security and privacy into the design of
products and services. SPbD@IBM is aligned with the United States National Institute of Standards
and Technology (NIST’s) Secure Software Development Framework (SSDF).
SEI CERT Top 10 Practices
What is it?
- A list of secure coding practices developed by the Software Engineering Institute (SEI).
- It provides a set of guidelines and recommendations to help developers write secure code
and prevent vulnerabilities.
Example: When processing user input from sources like command line arguments, always
verify the data’s integrity and format. This prevents common security risks such a
injection attacks.
SEI CERT Practice 2
Heed Compiler Warnings:
- Compile code using the highest warning level available for your compiler and
eliminate warnings by modifying the code.
- Use static and dynamic analysis tool to detect and eliminate additional security flaws.
For example: You’re coding and compiling with GCC. The compiler warns about
uninitialized variables in a function. You can fix this by initializing the variables properly.
Additionally, you can use a static analysis tool to detect memory leaks, which you can
then fix by deallocating memory correctly. By heeding these warnings and using analysis
tools, you can improve code reliability and security.
SEI CERT Practice 3
Architect and Design for Security Policies:
- Create software architecture and design your software to implement and enforce
security policies.
For example: If your system requires different privileges at different times, consider
dividing the system into distinct intercommunicating subsystems, each with a appropriate
privilege set.
SEI CERT Practice 4
Keep It Simple:
- Keep the design as simple and small as possible.
- Complex designs increase the likelihood that errors will be made in their
implementation, configuration, and use.
For example: Instead of creating a complex system with more coupling, a simple design
might involve breaking down this system into smaller, more manageable modules with
clear interfaces. This simplification can make it easier to understand, maintain, and
reducing the risk of vulnerabilities.
SEI CERT Practice 5
Default Deny:
- Base access decisions on permission rather than exclusion. This means that, access is
denied and the protection scheme identifies conditions under which access is
permitted.
For example: In a file system, focus on who can access files instead of who can’t. Only let
users in the “admin” group modify configuration files. This way you can reduce the risk of
unauthorized access.
SEI CERT Practice 6
Adhere to the principle of least privilege:
- Every process should execute with the least set of privileges necessary to complete
the job.
- Any elevated permission should only be accessed for the least amount of time
required to complete the privileged task. This approach reduced the opportunities an
attack has to execute arbitrary code with elevated privileges.
For example: A web server might only need read access to files. Elevate permission
temporarily for specific tasks like accessing sensitive data can limit the chance of
attackers exploiting them.
SEI CERT Practice 7
Sanitize Data Sent to Other Systems:
- Sanitize all data passed to complex subsystems such as command shells, relational
databases, and commercial off-the-shelf (COTS) components. Attackers may be able
to invoke unused functionality in these components through the use of SQL,
command, or other injection attacks.
- This is not an input validation problem because the complex subsystem being
invoked does not understand the context in which the call is made. Because the
calling process understands the context, it is responsible for sanitizing the data before
invoking the subsystem.
SEI CERT Practice 8
Practice Defense in Depth:
- Manage risk with multiple defensive strategies, so that if one layer of defense turns
out to be inadequate, another layer of defense can prevent a security flaw from being
an exploitable vulnerability and/or limit the consequences of a successful exploit.
Example: In web application development project, incorporating fuzz testing, penetration, and
source audits help identify and fix vulnerabilities. Bringing in external security experts for
independent views add an extra layer of assurance, ensuing a more secure final product.
SEI CERT Practice 10
Adopt a Secure Coding Standard:
- Develop or apply a secure coding standard for your target development language and
platform.
Example: In a C++ software project, you could adopt the SEI CERT C++ Coding
Standard. This standard provides specific guidelines and the best practices for writing
secure C++ code, covering areas such as memory management, pointer usage, and
exception handling. By using this standard, developers can minimize the risk of common
vulnerabilities like overflows and memory leaks.
MITRE CWE
What is it?
- MITRE CWE, stands for Common Weakness Enumeration.
- It is a community developed list of software and hardware weaknesses.
Purpose:
- The primary purpose of MITRE CWE is to provide a standardized catalog of
vulnerabilities, enabling organizations to better understand, identify, and address
security weaknesses in software systems.
MITRE CWE
Development
- MITRE CWE is developed and maintained by MITRE Corporation in collaboration
with the global cybersecurity community.
/users/cwe/profiles/../../../etc/passwd
When the file is opened, the operating system resolves the "../" and actually accesses this file:
/etc/paswd
9) Cross-Site Request Forgery (CSRF)
- What is it?
- This is when the application can’t, or doesn’t, sufficiently verify whether a request was intentionally
provided by the user.
- What causes it?
- Bad practice in the Architecture and Design phase.
- Why is it a problem?
- “Web browsers are trusting creatures. If you give them some code, the will run it.” - Tim Scott
- Social engineering can be used to trick people into furthering the forgery through emails, etc.
- Prevention steps
- You can use a CSRF Token.
10) Unrestricted Upload of File with Dangerous Type
- What is it?
- This is when product allows the attacker to upload files of dangerous types
- What causes It?
- This occurs during the architecture and design phase
- Crucial security tactics are overlooked.
- Why is it a problem?
- Arbitrary code execution can take place. Especially for PHP files which does not restrict file types.
- Prevention steps
- Create new file names so no external input is used.
- A good strategy is also enforcement by conversion
11) Missing Authorization
- What is it?
- This is when a product does not perform authorization whenever an actor attempts to access resources.
- What causes it?
- Overlooked security methods in the architecture and design phase
- Developers may introduce weaknesses in the implementation phase due to a lack of knowledge.
- Why is it a problem?
- An attacker could both read from and write to sensitive data as well as gain certain privileges.
- Prevention steps
- Use libraries/frameworks that do not allow this weakness lik JAAS and OWASP ESAPI’s Access
Control feature
12) Null Pointer Dereference
- What is it?
- This occurs when an application dereferences a pointer that it expects to be valid but is NULL.
- What causes it?
- Race Conditions
- Simple Omissions
- Why is it a problem?
- It results in the failure of the process even if error handling is available, it can cause issues.
- Prevention steps
- You should sanity-check pointers before use
13) Improper Authorization
- What is it?
- This occurs when an actor claims to have a given identity and the product does not sufficiently validate
that claim
- What causes it?
- Improper implementation of an architectural security tactics.
- Why is it a problem?
- This vulnerability can lead to the exposure of sensitive data as well as the inner workings of some
systems to attackers.
- Prevention steps
- You should use libraries/frameworks like OWASP ESAPI’s Authorization feature
14) Integer Overflow or Wraparound
- What is it?
- This is when a product performs a calculation that can produce an integer overflow.
- What causes it?
- An integer is too large to be stored in it’s associated representation
- Ex: 8-bit integer addition of 127 + 1 results in −128, a two's complement of 128
- Why is it a problem?
- It can lead to data corruption, buffer overflows, incorrect calculations, etc.
- Prevention steps
- If possible, you should use a language that allows bounds checking.
- You can also use integer handling packages like SafeInt for C++ or IntegerLib for C.
15) Deserialization of Untrusted Data
- What is it?
- The product deserializes untrusted data without verifying its validity.
- What causes it?
- This occurs in the Architecture and Design phase as well as the Implementation phase.
- Things like improper error handling or no input validation exacerbate this issue.
- Why is it a problem?
- Attackers can modify data/objects
- Prevention steps
- You can use signing and sealing features to assure data has not been touched.
- Hash-based message Authentication Codes
16) Command Injections
- What is it?
- Similar to OS Injections but for web applications.
- What causes it?
- This is caused by attackers manipulating input in order to inject additional commands.
- Why is it a problem?
- This could lead to arbitrary command/code execution.
- Prevention steps
- Perform input validation under the assumption that all input is malicious.
- Where possible, use library calls to recreate desired functionality.
17) IROBMB
Improper Restriction of Operations within the Bounds of a Memory Buffer
- What is it?
- This is when the product performs operations on a memory buffer while being able to read from and write
to a memory location outside of the buffer.
- What causes it?
- Some languages allow direct accessing of memory locations and don’t ensure that they are valid for the
memory being referenced.
- Why is it a problem?
- If memory is accessible to an attacker, it can lead to arbitrary code execution, as well as relevant memory
being corrupted.
- Prevention steps
- When possible, use a language that does its own memory management.
18) Use of Hard Coded Credentials
- What is it?
- This is when the product contains credentials such as passwords or cryptographic keys.
- What causes it?
- The use of hard coding credentials
- Why is it a problem?
- It is almost guaranteed that attackers will be able to access account information and other sensitive
data.
- Prevention steps
- Store passwords outside of the code
- If it must contain hard coded credentials, perform strict access controls to limit the entities that can
access the feature.
19) Server-side Request Forgery
- What is it?
- This is when a web server receives a URL from upstream, the web server then also receives the
contents without sufficiently validating that the request is being sent to the correct destination
- What causes it?
- Improper input validation
- Insufficient access control
- Why is it a problem?
- Sensitive data and internal resources can unintentionally be made available to bad actors.
- Prevention steps
- Network segmentation could be a successful approach to prevention. By isolating internal systems
through the use of firewalls access will be more often denied to attackers.
20) Missing Authorization for Critical Functions
- What is it?
- This is when a product doesn’t perform authorization for functionalities that require a provable user
identity.
- What causes it?
- Missing security tactics in the Architecture and Design phase.
- Why is it a problem?
- This can expose critical functionality and essentially gives the attacker the same functionality.
- Prevention steps
- Divide the software into increasingly secure privilege areas.
- For any security checks on server-side, perform those same checks on the client side.
- Use libraries/frameworks to mitigate the likelihood of this occurring.
21) Race Conditions
- What is it?
- This is when a product contains code that runs simultaneously with other code.
- What causes it?
- Two or more segments of code are running concurrently, they both require exclusive access to some
resource, but a window of time exists where the resource is shared, and thus modified by both code
segments.
- Why is it a problem?
- Race conditions can lead products/programs into an unexpected, unrecoverable state, which in turn
could cause a crash.
- Prevention steps
- Minimization of the sharing of resources
- When possible, use synchronization primitives. These essentially aid in threading the kernel.
22) Improper Privilege Management
- What is it?
- This is when the product does not adequately assign or modify privileges for users.
- What causes it?
- This error is introduced through poor implementation of architecture and security tactics.
- Why is it a problem?
- This vulnerability can lead to attackers gaining privileges that are not intended.
- Prevention steps
- Follow the Principle of Least Privilege.
- Carefully manage the setting and modifications of privileges.
23) Code Injection
- What is it?
- This is when the product contains externally influenced code but is not able to neutralize its effects downstream.
- What causes it?
- This vulnerability is caused by lacking implementation of security tactics.
- Why is it a problem?
- Injectable code could lead to a remote vulnerability.
- Attackers could access sensitive resources.
- Almost all data immediately loses integrity when this vulnerability is exploited.
- Prevention steps
- Run the code in a “sandbox” environment that supports strict boundaries between the code and internal
resources.
- Use static analysis and testing tools in the testing phase of software development.
- Use dynamic tools to carry out fuzz testing, robustness testing, and fault injection.
24) Incorrect Authorization
- What is it?
- This is when the product incorrectly performs an authorization check and in turn, allows the attacker to
get around access restrictions.
- What causes it?
- This can occur when a single-user environment is ported to a multi-user environment.
- This can also occur as a result of a developer introducing weaknesses in the implementation phase.
- Why is it a problem?
- An attacker could both read and modify sensitive data and information.
- Attackers could gain privileges not meant for them.
- Prevention steps
- Modularity: Divide the product into increasing levels of security.
- Use a library/framework that supports authorization control such as OWASP ESAPI or JAAS.
25) Incorrect Default Permissions
- What is it?
- This is when by default, file permissions are set to allow anyone to access and modify the files.
- What causes it?
- This vulnerability can be introduced in nearly every phase of the development process.
- Why is it a problem?
- People who are not meant to be able to read from, write to, or access data, can now do so.
- Prevention steps
- Modularize the system and create “safe areas” with hard set lines and boundaries and do not allow
sensitive data to go outside of those boundaries.
Seven Pernicious Kingdoms
The seven pernicious kingdoms is an abstract collection of software vulnerabilities that
share a common theme or feature.
The kingdom part of the name comes from the biological definition for a kingdom, that is,
“A collection of phyla that share a common factor.”
The list itself is not set in stone by design. This allows for the addition or removal of new
“phyla” or the modification of kingdoms over time.
How is it Used in Secure Coding Practices?
The Seven Pernicious Kingdoms are used in secure coding practices as a kind of
cautionary tale. They are there for review and you should reference them to ensure you are
not potentially adding any of these errors or mis-practices into the project that you are
working on. It also serves as a way to modularize many of these errors and group them
into their own categories.
The Seven Pernicious Kingdoms Taxonomy
1) Input Validation and Representation
2) API Abuse
3) Security Features
4) Time and State
5) Errors
6) Code Quality
7) Encapsulation
Input Validation and Representation
Many of the issues caused in this category stem from metacharacters, alternate encodings,
and numeric representations.
By properly validating input and ensuring that data is represented properly, many of the
issues faced in this kingdom can be largely mitigated.
API Abuse
API is the acronym for Application Programming Interface.
API Abuse is the practice of exploiting vulnerabilities inside of the said APIs.
An example could be something like using an API for data scraping or intentionally
causing buffer overflows.
Combatting API Abuse requires both preventative measures as well as sound response
strategies.
Some common approaches to this are implementing strong authorization mechanisms and
enforcing rate limiting.
Security Features
Security Features are concerned with topics like authentication, access control,
cryptography and privilege management.
A major point among all the subpoints of Security Features is the focus on controlling who
has access to what and ensuring that the entity accessing it is trustworthy.
Things like Hard-Coded Passwords and weak cryptography appear in this kingdom.
Time and State
“Most programmers anthropomorphize their work. They think about one thread of control
carrying out the entire program in the same way they would if they had to do the job
themselves.” - Tsipenyuk, Chess, McGraw
- Time related vulnerabilities encompass the area concerning timestamps, timeouts, or
time related operations.
- State related vulnerabilities encompass the area concerning the management of state
changes.
Errors
While it seems like a broad topic, there are two main ways to introduce an error related
vulnerability.
Code quality is critically important as it is not restricted to its own kingdom. Poor code quality
leads to increased risks of attack in every other kingdom as well.
Encapsulation
While it is a main principle of software engineering, it has a great influence of software
security as well.
With respect to the 7 kingdoms, encapsulation refers to the containment of sensitive data
within the software components to restrict access to it by outside influences.
Some aspects of encapsulation are information hiding, access control, and modularity.
OWASP recognizes that the document is “A first step towards more secure coding
practices.”
Roles and Purposes Continued
It also accomplishes a few of the following roles, but is also not limited to these:
1) Guidance - The OWASP Top 10 helps to guide developers as they work on and with a
project.
2) Education - This document helps to make risks and vulnerabilities more widely
known, this helps to bring faulty practices into the spotlight and hopefully inspire
better, more secure coding practices.
3) Quality Assurance - This document could be used as a benchmark when testing code.
If it complies with the OWASP guidelines, there’s a good chance it is more secure
code than would have been created without referencing it.
Sources
● https://www.checkpoint.com/cyber-hub/cloud-security/what-is-secure-coding/
● https://johnbandler.medium.com/bandlers-four-pillars-of-cybersecurity-6d0761f04f82
● https://csrc.nist.gov/glossary/term/software_assurance
● https://owasp.org/www-project-samm/
● https://www.checkpoint.com/cyber-hub/cloud-security/what-is-secure-sdlc/
● https://www.microsoft.com/en-us/securityengineering/sdl/practices
● https://www.appknox.com/cyber-security-jargons/secure-coding
● https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
● https://owasp.org/www-community/attacks/
● https://cheatsheetseries.owasp.org/cheatsheets/
● https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
● https://eva.fing.edu.uy/mod/page/view.php?id=77012
● https://cwe.mitre.org/
● https://www.sei.cmu.edu/our-work/secure-development/
● https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
● https://www.sei.cmu.edu/about/index.cfm
● https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682
● https://ldra.com/sei-cert/
● https://www.threatintelligence.com/blog/secure-code-reviews
● https://www.ibm.com/support/pages/ibm-security-and-privacy-design