Overview
With application security being a critical component of most organizations' defenses, development teams must be proactive in safeguarding their applications. This article covers three fundamental practices that raise the security bar: viewing every user through a lens of skepticism, leveraging static code analysis tools, and deeply understanding the intricacies of your chosen technology.
1. Assume All Users Are Attackers
Many vulnerabilities stem from granting users excessive flexibility or trust. As a foundational security principle, ensure that your applications do only what they’re supposed to do. Lay this foundation by assuming all users could be potential attackers.
Input validation plays a significant role in this process. While there’s much to discuss, here’s how you can handle untrusted data in typical scenarios:
- Is the input expected? If not, reject the request.
- Will you use the input in a database query? If yes, always use parameterized queries.
- Is the input part of a form submission or action trigger? Confirm the CSRF token.
- Will the input be reflected back to the user or shown on screen? Encode the output before display.
- Does the input come from a specific set, like a day of the week or a resource link? Validate it against an approved list.
For more on input validation, refer to the OWASP Cheatsheet Series’ Input Validation section.
When crafting requirements and user stories, pinpoint these scenarios. Establish security requirements to ensure the entire team handles untrusted data consistently. With threat modeling and rigorous testing, you’ll be well-prepared for both your pentest and final release.
2. Make Use of Static Code Analysis Tools
SAST (Static Application Security Testing) allows you to scan code for vulnerabilities before deployment. It excels at identifying issues like dynamic SQL statements, hardcoded secrets, and obsolete libraries, among others.
Pros of SAST:
- Simple to set up and execute.
- Integrates seamlessly into your IDE.
- Cost-effective.
Cons of SAST:
- Can produce false positives.
- Has limited context, possibly overlooking vulnerabilities needing specific context or logic.
- Doesn’t catch every vulnerability.
While SAST is a valuable tool in your workflow, see it as a component of your broader security approach, not the sole solution.
3. Understand Your Technology
Familiarize yourself with the security aspects of your chosen technology. In weakly typed languages like JavaScript, ensure you’re rigorous with comparisons. Utilize native functionalities, such as automatic escaping, and avoid using a technology contrary to its intended purpose.
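An added example of the comparison point above (not code from the original article or from TCM Security): a role check written with loose equality versus one written strictly. It assumes Node.js and a constructed convention that role 0 means administrator; the role values and the query-string parsing helper are illustrative only.

```javascript
// Added example: loose vs strict comparison in an authorization check.
// Assumes Node.js; the role numbering is a constructed convention.
const ROLE_ADMIN = 0;

// Loose equality coerces types first: "", "0", " ", [] and false all become 0
// and satisfy this check, which is not what the author intended.
function isAdminLoose(role) {
  return role == ROLE_ADMIN;
}

// Strict equality plus an explicit type check: only the integer 0 passes.
function isAdminStrict(role) {
  return typeof role === "number" && Number.isInteger(role) && role === ROLE_ADMIN;
}

// Values from a query string are always strings; parse them explicitly
// rather than letting == guess. Returns null for anything but plain digits.
function roleFromQuery(param) {
  if (typeof param !== "string" || !/^\d+$/.test(param)) return null;
  return Number(param);
}

// Lay the two checks side by side for a list of inputs.
function compareChecks(values) {
  return values.map((value) => ({
    value,
    loose: isAdminLoose(value),
    strict: isAdminStrict(value),
  }));
}
```

Pairing `===` with an explicit parse step means a value that reached the check through a form or URL can never satisfy it by accident of coercion.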
When selecting a programming language for a project, consider the following:
- Maturity and community support.
- Memory and type safety.
- Methods for updates and patches.
- Established security guidelines and comprehensive documentation.
- Trusted and frequently-reviewed standard libraries.
- Historical vulnerabilities.
Conclusion
Crafting secure code goes beyond adhering to guidelines—it’s about cultivating a security-first mindset. Security is an ongoing journey, not a milestone. By routinely updating our strategies, staying abreast of emerging vulnerabilities, and committing to continuous learning, we equip ourselves to develop truly secure applications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.