Most Common Secure Software Development Mistakes


In 2016, as applications increasingly rely on the cloud and mobile devices, hackers will intensify their techniques to infiltrate the cloud, step up spear phishing attacks and install malicious software to carry out identity theft and data breaches. Above all, hackers rely on security vulnerabilities introduced into code during the SDLC (Assume that Human Behavior Will Introduce Vulnerabilities into Your System | Build Security In) because of missing security analysis, missing peer code review and inaccurate detection of application logic flaws. A recent example is the vulnerability announced by firewall vendors, discovered during internal code review, that allowed unauthorized remote administrative access to the device.

Here are some of the common secure coding, testing and process changes necessary to avoid such terrifying security breaches.

1. Failure to check for the common software vulnerabilities

The OWASP Top 10 and CWE/SANS Top 25 are fundamental to mitigating risks from common software vulnerabilities. Failure to validate incoming and outgoing data leads to the most common vulnerabilities: denial of service, data or code injection, and misuse or breach of user data.
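The following is an added example (not code from the Spirent article) showing the injection and validation points above in working Python: a query built by string concatenation beside its parameterized form, a blacklist filter beside a whitelist check, and HTML escaping of output. The table, the key tokens in the blacklist and the username pattern are constructed for the demo; sqlite3 is used in memory so it runs offline.

```python
# Added example (not from the original article): input validation and
# output encoding against injection. All data below is constructed.
import html
import re
import sqlite3


def make_db():
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds SQL by concatenation: untrusted input becomes part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameter binding keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Blacklist: rejects tokens it knows about and misses anything it did not
# anticipate (e.g. whitespace replaced by a SQL comment).
DENYLIST = ("' OR", "DROP", "--")


def denylist_filter(value):
    """True if the value passes the blacklist (i.e. contains no listed token)."""
    upper = value.upper()
    return not any(tok in upper for tok in DENYLIST)


# Whitelist: accepts only the exact shape a username may take.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_validate(value):
    """True only if the whole value matches the permitted pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(name):
    """Output encoding: HTML-escape before the value reaches a page."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))   # no rows
    print("whitelist    :", allowlist_validate(probe))         # False
```

The blacklist lets through a variant that merely spells the same condition differently, while the whitelist rejects everything that is not a plausible username; parameterized queries then make the remaining input harmless even if validation is bypassed.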

2. Failure to perform manual Penetration testing to validate high-risk modules

While standardized QA methods such as automated code scanning tools are efficient at finding common security vulnerabilities, a Penetration testing methodology and standards are key to successfully testing high-risk modules. Used effectively, Penetration testing exposes inadequate security configurations, flaws in encryption and application logic, and missing or invalid input validation and authorization checks.

  • Authentication and Authorization—Ensure input validation and authorization checks are performed against an adequate set of roles, valid credentials and privileges.
  • Encryption—Use a valid hashing and checksum algorithm to ensure that the data cannot be tampered with.
  • File Upload and Download—Make sure an attacker cannot bypass the validation controls, and reject file types that may pose a security risk.
  • Validation Controls or Input Filters—Test server-side controls, both whitelist-based and blacklist-based input filters, to exercise every possible entry and exit point at the perimeter.
  • Application Logic and Processes—Use Penetration testing to validate business logic and process workflows for flaws that standard functional testing cannot identify.
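As an added example (not from the Spirent article), here are server-side checks for three of the areas in the list above, written so that a tester can see what a correct control looks like: an authorization check that denies by default, an integrity check using a keyed MAC rather than a bare hash (a plain checksum can simply be recomputed by whoever alters the data, so the key is what makes tampering detectable), and a file-upload check that requires the extension and the file's leading bytes to agree. Role names, the key and the sample files are constructed for the demo.

```python
# Added example (not from the original article): authorization, integrity and
# file-upload checks. All names, keys and sample data are constructed.
import hashlib
import hmac
import os

# --- Authorization: explicit role-to-action mapping, deny by default ---------
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


def is_authorized(role, action):
    """Unknown roles or unlisted actions fall through to 'denied'."""
    return action in ROLE_PERMISSIONS.get(role, set())


# --- Integrity: keyed MAC so an altered payload fails verification -----------
def sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the payload; only key holders can produce it."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str, key: bytes) -> bool:
    """compare_digest avoids leaking the tag through timing differences."""
    return hmac.compare_digest(sign(payload, key), tag)


# --- File upload: allowlisted extension AND matching magic bytes -------------
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def is_safe_upload(filename: str, content: bytes) -> bool:
    """Reject unless the extension is allowlisted and the content matches it."""
    ext = os.path.splitext(filename.lower())[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:                 # extension not on the allowlist
        return False
    return content.startswith(magic)  # name and bytes must agree


if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed; never hard-code a real key
    tag = sign(b"amount=10", key)
    print("viewer may delete:", is_authorized("viewer", "delete"))   # False
    print("tampered verifies:", verify(b"amount=99", tag, key))      # False
    print("php as png ok    :", is_safe_upload("x.png", b"<?php"))   # False
```

Each check returns a plain boolean, which makes it easy to wire into a test suite and to assert the negative cases (unknown role, altered payload, renamed file) that a Penetration test of these modules would probe.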

3. Gaps in the Secure Software Development Life Cycle Processes

Most organizations have well-established Software Development Life Cycle (SDLC) processes for analysis, design, development, testing and production releases of software products and packages, but they typically rely on the costlier approach of patching software to fix security-related issues. Secure coding practices [Secure SDLC Cheat Sheet - OWASP] must therefore be introduced throughout the SDLC processes [Secure Software Development Life Cycle Processes | Build Security In] to address potential software vulnerabilities early in development. Incorporating security into the SDLC requires a fundamental change in the approach to design, testing, code review, defect reporting and security training.

  • Introduce Threat Modeling for a better-quality security design—A design-time conceptual exercise to identify and analyze highly vulnerable components, so that threats and potential vulnerabilities are understood and identified proactively, early in the development process.
  • Implement Automated Testing to perform an initial assessment of common security vulnerabilities—Automation is crucial to finding certain types of security vulnerabilities in a large code base, including the use of Static Code Analysis tools to analyze an application's source and binary code during the development or testing phases.
  • Perform Manual Code Reviews by Security Experts—A deeper code analysis, using Penetration testing, to identify security vulnerabilities outside the intended functionality.
  • Produce meaningful reports for effective communication of security-related defects—Create comprehensive reports that minimize false positives and include recommended fixes for high-risk vulnerabilities.
  • Provide continuous education on secure development practices—Establish internal training guidelines on secure application development and secure development processes.
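To make the automated-testing step concrete, here is an added example (not a Spirent tool or code from the article) of a minimal static-analysis pass over Python source using the standard ast module. It flags three patterns that commonly lead to injection and reports them with a line number and a rule id, which is the raw material for the defect reports described above. The rule ids and the sample source being scanned are constructed for the demo.

```python
# Added example (not from the original article): a tiny static-analysis pass
# over Python source. Rule ids and the sample source are constructed.
import ast


def scan_source(source: str, filename: str = "<input>"):
    """Return a sorted list of (line, rule_id, message) findings for one file."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        # Rule 1: dynamic code evaluation.
        if name in ("eval", "exec"):
            findings.append((node.lineno, "PY001", f"{name}() on dynamic input"))
        # Rule 2: shell interpretation of a command string.
        if name in ("subprocess.run", "subprocess.call", "subprocess.Popen"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "PY002", "subprocess with shell=True"))
        # Rule 3: SQL statement assembled from pieces instead of bound parameters.
        if name.endswith(".execute") and node.args and _is_built_string(node.args[0]):
            findings.append((node.lineno, "PY003",
                             "SQL built by string formatting or concatenation"))
    return sorted(findings)


def _callee_name(call):
    """Dotted name of the called function, e.g. 'conn.execute'; '' if unknown."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _is_built_string(node):
    """True for f-strings, % formatting, .format() calls and '+' concatenation."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


# Constructed sample source: one finding per rule plus one clean query.
SAMPLE = '''
import subprocess
def find(conn, name):
    conn.execute("SELECT * FROM t WHERE n = '" + name + "'")
    conn.execute("SELECT * FROM t WHERE n = ?", (name,))
    subprocess.run("ls " + name, shell=True)
    return eval(name)
'''

if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {rule} {msg}")
```

A real static analyzer adds data-flow tracking so that only values reaching these calls from untrusted sources are reported; that is exactly the false-positive reduction the reporting step above asks for, and the rule-id plus line-number output is what lets a reviewer triage each finding quickly.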

For more information on security test solutions introduced by Spirent, please visit: http://www.spirent.com/Solutions/Security-Applications
