A basic guide for developers to secure modern web applications.

Photo by Luke Chesser on Unsplash

As the ongoing pandemic has distorted the view of time by changing how we perceive negative events in our daily life, it has certainly affected our activities on the internet to a greater extent.
Since the start of pandemic, WFH has become the new norm thus increasing the amount of time that we spend on internet.
A recent research by Deloitte shows a significant rise in cyber attacks since the pandemic has started thus raising the concern on whether we can
protect our identity on the internet.

What are secure coding practices ?

Secure coding practices are essentially the standards that govern the coding practices, techniques, and decisions that developers make while building software. The goal is to ensure that developers write code that minimizes security vulnerabilities. It encourages developers to code for the safest solution rather than the fastest solution which might be insecure.

How do we ensure that we follow secure coding practices for vulnerabilities that we have no idea of?
Enter OWASP — Open Web Application Security Project

OWASP Top Ten

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. It contains a list of vulnerabilities that commonly affect web-applications.

Globally recognized by developers as the first step towards more secure coding — OWASP

How do we identify the security risks in our application ?

To follow secure coding practices, one needs to examine the application for areas susceptible to increased threats of attack. Threat modeling is a multi-stage process that should be integrated into the software lifecycle from development, testing, and production.

Threat modeling is a structured process through which one can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attack and protect IT resources.

Commonly known threat models are listed below

1. STRIDE
2. PASTA
3. CVSS
4. Attack Trees
5. Security Cards
6. Hybrid Threat Modelling

The following practices can be adopted to enhance security in context to risks identified by our threat model for our application

1. Sanitize everything that is taken as an input from the end user.

• Any input from the user is an untrusted source of data that can compromise the integrity of the system even if the user is an authenticated user. Appropriate validations should be present on frontend as well as on backend to prevent any injection flaws such as XSS and SQL, RCE or LDAP respectively.
• File validations in case of data upload, should be more than just an extension check. Proper validation through magic numbers should be done to ensure the integrity of file extension.

2. Stop hard-coding secret values in source code. Use environment variables instead.

• Developers often hard code credentials that are used for accessing remote resources. Such credentials are exposed easily through source code.
• An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer. Environment variables allow data to mapped dynamically to the application at runtime by the running processes.
• Exposure to critical data such as credentials and access keys can be avoided by using environment variables.

3. Enable rate-limiting/throttling for API’s

• Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network.
• API throttling is the process of slowing down access to a particular resource once the system-defined threshold is reached by the client. This means the processing slows down but does not disconnect
• Rate limiting and throttling ensures that the system is not abused. Rate limiting is a critical component of an API product’s scalability.

4. Strong Password Management

• Passwords are the most commonly used form of credentials that are used for authenticating the end user.
• As a secure coding practice, the application should ensure all passwords are of adequate length and complexity to withstand any typical or common attacks. OWASP suggests several coding best practices for passwords, including:
• Storing only salted cryptographic hashes of passwords and never storing plain-text passwords.
• Enforcing password length and complexity requirements.
• Disable password entry after multiple incorrect login attempts.

5. Access control

• A strong access control would ensure that only users that have proper authorization will have access to system.
• The “default deny” approach basically denies any access to resource, unless specified for the user based on the authorization rule maintained by the system.
• Always take a “default deny” approach to sensitive data. Limit privileges and restrict access to secure data to only users who need it. Deny access to any user that cannot demonstrate authorization.
• Ensure that requests for sensitive information are checked to verify that the user is authorized to access it.

6. Exception Handling and Logging

• Exception in software are often an indication of bugs, many of which cause vulnerabilities. Exception handling and logging are two of the most useful techniques for minimizing their impact. Exception handling attempts to catch errors in the code before they result in a catastrophic failure. Logging documents errors so that developers can diagnose and mitigate their cause.
• Documentation and logging of all failures, exceptions, and errors should be implemented on a trusted system to comply with secure coding standards.

7. Encryption for data-at-rest and data-in-transit.

• Data at rest is data that is not actively transmitted over network.
  Eg. Data stored locally on server such as logs, data templates etc.
• Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network. E.g from database to application.
• Data can be exposed to risks both in transit and at rest and requires protection in both states.
• In order to protect data at rest, one can simply encrypt sensitive files prior to storing them and/or choose to encrypt the storage drive itself.
• Encryption policies should be defined by the organization as it plays a major role in data protection. In order to protect data in transit, organization often choose to encrypt sensitive data prior to moving and/or use encrypted connections (HTTPS, SSL, TLS, FTPS, etc) to protect the contents of data in transit.

How to validate the integrity of coding principles that are incorporated in our application?

Security Test Driven Development (STDD)

• In test-driven development, developers often write unit-test cases satisfy only functional scenarios.
• STDD (Security Test Driven Development) is similar to TDD, except it allows developers to write test cases from a security perspective.
• This enables identification and mitigation of security risks during the development phase.

Security Test-Driven Development Processes

• Perform a Static Security Scan on the code written
• Add a Test
• Run all tests and trigger Dynamic Security scan in the background
• See if the new one fails
• See if any security flaw identified on the newly developed code
• Write some code as per the security guidelines without affecting functional behavior
• Run tests and Refactor code
• Repeat

How do achieve STDD

Tools Required

1. Build Management Tool

CI environments such as Jenkins/AWS CodeBuild/Gitlab Runner etc can be used for code-build and verification.

2. Security Testing Tools

SAST (Static Analysis)

• Static analysis, also called static code analysis, is the process of analyzing a computer program to find problems in it without actually executing it.
• Pylint — Python, JSLint — Javascript, Lint-Android

DAST (Dynamic Analysis)

• Dynamic analysis is the process of testing and evaluating the response of the program by executing data in real-time.
• A proxy enabled security tool which could be acting as a listener is responsible for monitoring and enabling a bot-user to penetrate the application on development or local environment for security testing.
• OWASP ZAP & BurpSuite.