If you’re here, you want to know how you can make your code safer and more secure. That’s certainly commendable, especially considering that 92% of web applications contain visible security flaws or weaknesses that can be exploited, according to the 2019 RSA Conference.
Secure coding doesn’t necessarily mean building a labyrinth of complex, layered code; in many cases, it is the opposite. It mainly means adhering to secure coding practices while keeping your code fairly simple. The more complex your code becomes, the more difficult it becomes to make secure. In this article, we’re going to give you 7 simple tips to follow for secure coding practices. If you’d like more in-depth training, specifically for Java, take a look at this course: Secure Coding for Java.
Focus On Simple Design
Complex code design is likely to increase errors, which in turn weakens your security mechanisms. Keeping your design simple and small minimizes the effort required to reach strong security assurance. Always remember: the larger your code becomes, the more time is spent debugging, compiling, and finding flaws. Keep it simple.
Deny By Default
Access should be based on explicit permission, rather than exclusion. If you deny access by default, you are able to control the conditions under which access is permissible. This goes hand in hand with the next tip. As a simple example, instead of trying to block known “bad” characters, try accepting only the characters you would normally expect.
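The contrast between exclusion and explicit permission is easiest to see on actual input. The following is an added example written for this article (Python, not code from the original page or from the Java course it mentions): a denylist that blocks a handful of characters is compared with an allowlist that describes the exact shape a username is expected to have. The blocked-character set, the username pattern and the sample inputs are all constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Denylist (exclusion): blocks only the characters the author happened to think of.
BLOCKED_CHARS = frozenset("<>'\";")


def denylist_accepts(value: str) -> bool:
    """Accept anything that contains no denylisted character."""
    return not any(ch in BLOCKED_CHARS for ch in value)


# Allowlist (explicit permission): the exact shape a username is expected to have.
# [0-9] is an ASCII range; \d would also admit Unicode digits.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_accepts(value: str) -> bool:
    """Accept only strings that match the expected username shape end to end."""
    # fullmatch anchors both ends; re.match() with a trailing '$' would still
    # accept a value that ends in a newline.
    return USERNAME_RE.fullmatch(value) is not None


# Constructed sample inputs (not taken from any real system).
SAMPLES = [
    "alice_01",              # ordinary username
    "alice\n",               # trailing newline: breaks line-oriented logs and headers
    "al\u200bice",           # zero-width space: renders like "alice" on screen
    "\uff1cscript\uff1e",    # fullwidth angle brackets: not on the denylist
    "alice;rm",              # semicolon: on the denylist, both approaches reject it
]


def compare(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (denylist_accepts, allowlist_accepts)."""
    return {s: (denylist_accepts(s), allowlist_accepts(s)) for s in samples}


def denylist_misses(samples=SAMPLES) -> List[str]:
    """Inputs the denylist lets through but the allowlist rejects."""
    return [s for s, (deny_ok, allow_ok) in compare(samples).items()
            if deny_ok and not allow_ok]


if __name__ == "__main__":
    for sample, (deny_ok, allow_ok) in compare().items():
        print(f"{sample!r:24} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

Three of the five samples pass the denylist and fail the allowlist. Each of them could be added to the denylist once noticed, but the allowlist rejected them without anyone having to anticipate them, which is the point of denying by default.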
Observe The Principle of Least Privilege
The principle of least privilege means that each process should execute with the bare minimum required amount of privileges for the task. If elevated permission is required, it should only be granted for the minimum amount of time required for task completion. This gives attackers much less opportunity to execute malicious code during the window of elevated privileges.
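The "minimum amount of time" part of the principle is a pattern that can be written down. Below is an added example in Python (not from the original page) using a hypothetical `Process` model: the task runs with a baseline privilege set, acquires one extra privilege inside a `with` block, and the block guarantees the privilege is dropped again whether the step succeeds or raises. The privilege names, the `Process` class and the `rotate_config` task are assumptions made for the illustration; real systems implement the same pattern with OS mechanisms such as switching to an unprivileged uid, Linux capabilities or short-lived cloud tokens.

```python
import contextlib
from typing import Iterable, Iterator, List, Set, Tuple


class PrivilegeError(PermissionError):
    """Raised when an operation needs a privilege the process does not hold."""


class Process:
    """Hypothetical model of a process and the privileges it currently holds."""

    def __init__(self, baseline: Iterable[str]):
        self.baseline: Set[str] = set(baseline)   # needed for the whole task
        self.active: Set[str] = set(self.baseline)
        self.audit: List[Tuple[str, str]] = []    # every grant and drop, for review

    def require(self, privilege: str) -> None:
        if privilege not in self.active:
            raise PrivilegeError(f"operation needs {privilege!r}, not held")

    @contextlib.contextmanager
    def elevated(self, privilege: str) -> Iterator[None]:
        """Hold an extra privilege only for the duration of the with-block."""
        if privilege in self.active:
            yield                      # already held; nothing to grant or drop
            return
        self.active.add(privilege)
        self.audit.append(("grant", privilege))
        try:
            yield
        finally:
            # Dropped on the normal path and on exceptions alike, so a failure
            # inside the block cannot leave the process running elevated.
            self.active.discard(privilege)
            self.audit.append(("drop", privilege))


def rotate_config(proc: Process, new_content: str) -> Tuple[int, Set[str]]:
    """Task that needs write access to a config file for one short step only."""
    proc.require("read:data")          # baseline privilege, held throughout
    prepared = new_content.strip()     # unprivileged preparation work comes first
    with proc.elevated("write:/etc/app.conf"):
        proc.require("write:/etc/app.conf")
        held_during = set(proc.active)
        bytes_written = len(prepared)  # stand-in for the actual file write
    return bytes_written, held_during


if __name__ == "__main__":
    p = Process({"read:data"})
    n, during = rotate_config(p, "  setting=1  ")
    print(n, during, p.active, p.audit)
```

The preparation work is deliberately done before the elevation so that the window during which the process holds the write privilege covers only the write itself; the audit list gives reviewers a record of every grant and drop.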
Observe Compiler Warnings
You should compile your code using the highest possible warning level, and do your best to eliminate warnings through code modification. Furthermore, you can use dynamic and static analysis tools to further detect and fix any other security flaws.
Validate Input
When you properly validate input, you can eliminate most software vulnerabilities, especially those coming from untrusted data sources. You should be highly suspicious of any external data source, such as network interfaces, user-controlled files, command-line arguments, and environment variables.
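Two of the sources named above, environment variables and command-line arguments, are shown being validated in the added Python example below (written for this article, not taken from the original page). A port number is checked for shape before conversion, because Python's `int()` on its own accepts surrounding whitespace, underscores and non-ASCII digits; a file name is checked against an expected shape and then confined to a base directory with a purely lexical path check. The variable name `APP_PORT`, the base directory `/srv/uploads` and the `load_settings` helper are assumptions made for the illustration, and the sources are passed in as plain mappings so the code runs without touching the real environment.

```python
import os
import re
from typing import Mapping, Sequence


class InvalidInput(ValueError):
    """Raised for any untrusted value that fails validation."""


def parse_port(raw: str) -> int:
    """Validate a port taken from an environment variable.

    int() alone is too lenient: it accepts ' 80 ', '8_0' and fullwidth
    digits such as '８０', so the shape is checked before conversion.
    """
    if not re.fullmatch(r"[0-9]{1,5}", raw):
        raise InvalidInput(f"port must be 1-5 ASCII digits, got {raw!r}")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise InvalidInput(f"port out of range: {port}")
    return port


def confine_filename(base_dir: str, name: str) -> str:
    """Validate a file name from the command line and confine it to base_dir."""
    # Expected shape first: no leading dot, no path separators.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", name):
        raise InvalidInput(f"unexpected file name {name!r}")
    # Defence in depth: a lexical containment check that needs no file system
    # access, so it also works for files that do not exist yet.
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise InvalidInput(f"{name!r} escapes {base_dir}")
    return target


def load_settings(env: Mapping[str, str], argv: Sequence[str],
                  base_dir: str = "/srv/uploads") -> dict:
    """Read settings from untrusted sources passed in explicitly (assumed names)."""
    if len(argv) != 2:
        raise InvalidInput("usage: tool <file-name>")
    return {
        "port": parse_port(env.get("APP_PORT", "")),
        "path": confine_filename(base_dir, argv[1]),
    }


if __name__ == "__main__":
    # Constructed inputs standing in for os.environ and sys.argv.
    print(load_settings({"APP_PORT": "9000"}, ["tool", "data.csv"]))
    for bad in ("\uff19\uff10\uff10\uff10", " 80", "70000"):
        try:
            parse_port(bad)
        except InvalidInput as exc:
            print("rejected:", exc)
```

In a real program the same functions are called with `os.environ` and `sys.argv`; keeping them parameterised makes the validation logic testable on constructed inputs like the ones above.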
Sanitize Data Passed to Other Systems
Attackers may be able to use injection attacks (SQL, command, etc.) against complex subsystems such as command shells, databases, or web forms. The attackers are attempting to invoke unwanted functionality, and the subsystem being invoked does not understand the context of the data it receives, so this is not necessarily an input validation problem. The calling process is responsible for sanitizing the data it passes on.
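What "the calling process is responsible" looks like in practice, as an added Python example (written for this article, not taken from the original page): the same lookup once with the caller's value spliced into the SQL text and once passed as a bound parameter, run against a constructed in-memory SQLite table, followed by a command built as an argv list rather than a shell string. The table contents, the `convert` command and the sample file name are all constructed for the illustration.

```python
import shlex
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """VULNERABLE: the caller's string becomes part of the SQL text, so the
    database cannot tell where the data ends and the query structure begins."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised: the value travels separately from the SQL text and is
    only ever compared as data, whatever characters it contains."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def convert_argv(filename: str) -> List[str]:
    """Build a command as an argv list for subprocess.run(argv) without
    shell=True: each element is exactly one argument to the program."""
    return ["convert", "--input", filename, "--output", filename + ".png"]


def convert_shell_line(filename: str) -> str:
    """Only when a shell string is unavoidable (for example a command sent to a
    remote shell): quote every argument so the shell reconstructs the same argv."""
    return shlex.join(convert_argv(filename))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed value that should match no user name
    print("unsafe:", find_user_unsafe(db, probe))
    print("safe:  ", find_user_safe(db, probe))
    print(convert_argv("report; ls"))
    print(convert_shell_line("report; ls"))
```

The unsafe lookup returns every row for a value that names no user, because the database parsed the value as query structure; the parameterised lookup returns nothing, as intended. The argv list keeps `report; ls` as a single file-name argument, and `shlex.join` quotes it so that a shell would do the same.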
Adopt Threat Modeling
This involves anticipating the kinds of threats to which your code will be subjected and developing strategies to mitigate them. It’s helpful to approach your code with the mindset of an attacker. How would someone with malicious intent attempt to identify weaknesses in your code’s security?