Software security is essential in fighting cybercrime.
Today, much of that responsibility falls on the shoulders of software developers. That’s why the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, developed a list of 10 ways that developers can make sure their code is safe and secure:
- Protect Your Database From SQL Injection
- Encode Data Before Using It
- Validate Input Data Before You Use It or Store It
- Access Control – Deny by Default
- Establish Identity Upfront
- Protect Data and Privacy
- Logging and Intrusion Detection
- Don’t Roll Your Own Security Code
- Handle Errors and Exceptions Correctly
- Build Security Testing Into Development
Many experts in this area feel No. 10 is especially trenchant. With the velocity of development increasing in Agile and DevOps, it’s not possible for security auditors or penetration testers to keep up.
Security checks need to be included in code reviews, and security testing needs to be automated and included in Continuous Integration and Continuous Delivery pipelines.
Software developers must be sure that they have good automated unit and integration test coverage for security features and controls (like authentication, access control and auditing) and critical business features: code that handles money, private data, trade secrets and admin functions.
This needs to include both positive and negative tests.
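As an added example (not from the original post or from OWASP), here is what such coverage looks like for a deny-by-default access-control check: positive tests confirm that explicitly granted access works, and negative tests confirm that every other request is refused. The PERMISSIONS matrix, the User type and the is_allowed function are hypothetical.

```python
# Added example (not from the original post): a deny-by-default access-control
# check and the positive/negative unit tests a CI pipeline should run over it.
from dataclasses import dataclass

# Hypothetical permission matrix: role -> set of allowed (action, resource) pairs.
PERMISSIONS = {
    "admin": {("read", "report"), ("write", "report"), ("delete", "report")},
    "analyst": {("read", "report")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def is_allowed(user, action, resource):
    """Deny by default: access is granted only by an explicit entry in PERMISSIONS."""
    if user is None or not action or not resource:
        return False
    for role in user.roles:
        if (action, resource) in PERMISSIONS.get(role, ()):
            return True
    return False


def run_security_tests():
    """Run the positive and negative cases; returns {case name: passed}."""
    admin = User("alice", frozenset({"admin"}))
    analyst = User("bob", frozenset({"analyst"}))
    nobody = User("eve", frozenset())
    unknown_role = User("mallory", frozenset({"superuser"}))  # role not in matrix
    return {
        # Positive tests: legitimate, explicitly granted access succeeds.
        "admin_can_delete": is_allowed(admin, "delete", "report") is True,
        "analyst_can_read": is_allowed(analyst, "read", "report") is True,
        # Negative tests: anything not granted is refused.
        "analyst_cannot_write": is_allowed(analyst, "write", "report") is False,
        "no_roles_denied": is_allowed(nobody, "read", "report") is False,
        "unknown_role_denied": is_allowed(unknown_role, "read", "report") is False,
        "anonymous_denied": is_allowed(None, "read", "report") is False,
        "unknown_resource_denied": is_allowed(admin, "read", "ledger") is False,
    }


if __name__ == "__main__":
    results = run_security_tests()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
    raise SystemExit(0 if all(results.values()) else 1)  # non-zero exit fails the build
```

A single failing negative case (for example, an unknown role being accepted) makes the script exit non-zero, which is the pass/fail signal a CI/CD stage needs.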
Other system-level security tests and checks can be automated in CI/CD using tools like Gauntlt, BDD-Security, and Zapper (a Jenkins wrapper over the OWASP Zed Attack Proxy). These tools make it easy to run security tests and provide clear pass/fail feedback.
Static analysis checking using tools like Findbugs and PMD also needs to be part of a developer’s toolbox, integrated into your IDE and into the CI/CD pipeline to catch common security mistakes and other coding problems.
Want to learn more? Tonex offers Software Security Training, a 2-day course where participants learn the fundamental principles of computer security, vulnerabilities, computer crimes, threats and the concepts of web security. Moreover, you will be introduced to secure programming techniques as a part of software security, code auditing, SQL injection and secure coding principles.