There’s lots of advice on designing and building secure software. All you need to do is: Think like an attacker. Minimize the Attack Surface. Apply the principles of Least Privilege and Defense in Depth and Economy of Mechanism. Canonicalize and validate all input. Encode and escape output within the correct context. Use encryption properly. Manage sessions in a secure way….
But how are development teams actually supposed to do all of this? How do they know what’s important, and what’s not? What frameworks and libraries should they use? Where are code samples that they can review and follow? How can they test the software to see if they did everything correctly?
There aren’t as many resources to help developers answer these questions. Here are the best that I have found so far.
First, there are the OWASP Prevention Cheat Sheets, which provide clear, practical advice from experts on how to do authentication properly, how to prevent CSRF and XSS and SQL injection attacks. How to properly validate input. How to encrypt data at rest and how to implement transport layer security. The right way to do session management and how to write a “forgot password” feature that doesn’t give the password away to bad guys. Practical security advice on HTML5 and application security architecture. And coming soon, more cheat sheets on threat modeling and canonicalization.
Clear (well, mostly – some of the cheat sheets deal with hard technical problems like crypto and DOM-based XSS attacks which are not easy to explain or easy to take care of) and concrete and free advice that developers can follow to solve hard security problems correctly. This is good stuff.
Checklists that programmers will actually use
I’ve written before about the value of checklists for developing good, secure code. Checklists are important to make sure that you focus on what is important and that you don’t forget small – but critical – details as you work. SD Elements is a SaaS platform that provides customized, active online checklists that your team can follow to build secure software. You describe your project’s high-level architecture (web app, web services, mobile app, fat client, …) and platform (language and technology stack) and compliance environment, and SD Elements creates a set of checklists and other resources to help the team deal with the security issues that they will face, from secure requirements through to design, coding and testing. You can track related checklist tasks across different SDLC stages, and easily see what has been done and what is still outstanding.
SD Elements doesn’t just tell the team what they need to do – it also explains how to do it. This includes how-to examples and language-specific code snippets that developers can copy and extend, design patterns and coding idioms they can follow, guidelines on what functions and libraries to use and how to use them, and instructions on how to test that your app is secure, including step-by-step videos demonstrating how to use Open Source tools to test for specific issues. You can customize the requirements and project settings, and create your own checklist items and add your own standards and guidance.
SD Elements is like having an experienced security specialist helping your development team and keeping them honest. A lot of thought and work has gone into this product. I first looked at a beta of SD Elements in April. It’s come a long way since then and is already being used by some big companies. Today it works for Java, .Net and Ruby on Rails apps, with support for more platforms coming. To make it even easier to use, the SD Elements team is getting ready to release an Eclipse plug-in so that developers can see checklists that apply directly to the specific area of code that they are working on.
Secure Coding Standards from CERT
CERT has just released a Secure Coding Standard for Java to go with their earlier C Secure Coding Standard. The Java guide explains input validation and sanitization, concurrency (locking and threading and thread safety), Java platform security and run-time security, and goes over basic rules of good programming . There are lots of code samples showing common coding mistakes and how to write the same code correctly. It won’t be easy getting developers to read these guides, but they are good references, offering detailed and clear guidance on how to write secure and reliable code.
I would like to hear from other people: what have you found useful to help teams with the detailed work of building secure software?