Friday, September 2, 2011

Best Coding Practices - Not Just For Security!


SQL injections, along with other predictable vulnerabilities, are the result of poor coding practices. Unfortunately, many university Computer Science programs (and programming books) don't cover this critical element in depth. As a result, each new CS graduate arrives with a "disaster waiting to happen" in their toolkit. In addition, business managers tend not to be familiar with proper software security practices, especially when their job is to manage the bottom line.

Best coding practices can be broken down in several ways. First, we can address these practices from the standpoint of overall software engineering and design. Within that context, the practices are designed to reduce the probability of introducing human errors into your applications, regardless of the software model used to create them.

In general, Best Coding Practices can be broken down as follows:

1) Lifecycle
2) Requirements
3) Architecture
4) Design
5) Code Building
6) Testing
7) Deployment

In addition to the above, there are the ever-so-important Secure Coding Practices (SCP), which every professional programmer should be intimately familiar with. In fact, I think this is one area that distinguishes an amateur programmer from a professional capable of writing viable commercial-quality code. In summary, the common problems that SCP guard against are:

  • SQL injection
  • Web server- and client-related vulnerabilities
  • Use of magic URLs, predictable cookies, and hidden form fields
  • Buffer overruns
  • Format string problems
  • Integer overflows
  • C++ catastrophes
  • Insecure exception handling
  • Command injection
  • Failure to handle errors
  • Information leakage
  • Race conditions
  • Poor usability
  • Not updating easily
  • Executing code with too much privilege
  • Failure to protect stored data
  • Insecure mobile code
  • Use of weak password-based systems
  • Weak random numbers
  • Using cryptography incorrectly
  • Failing to protect network traffic
  • Improper use of PKI
  • Trusting network name resolution

Here's a great book on writing secure code, available at a reasonable price:

http://www.amazon.com/Kiss-My-Ass-And-Hack-This-Link/dp/0071626751/

By the way, SQL injection attacks should not be possible in a properly encapsulated web application, even if other secure coding standards are not followed. In almost all cases, there is no viable reason for the program to accept ad-hoc SQL code from request input, whether it arrives as a GET query string or a POST body.
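To make the encapsulation point concrete, here is an added example (not code from the original post) contrasting an ad-hoc, string-built query with a parameterized one against a constructed in-memory SQLite table; the table contents and the tainted input are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny users table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    # Ad-hoc SQL: the untrusted value is spliced into the statement text, so the
    # caller's input can change the structure of the query, not just its data.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # Encapsulated query: the SQL text is fixed by the program and the value is
    # bound as a parameter, so whatever the caller sends is treated as a literal.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(conn, username):
    # Run both variants on the same input so the difference is visible side by side.
    return {
        "unsafe": sorted(lookup_user_unsafe(conn, username)),
        "safe": sorted(lookup_user_safe(conn, username)),
    }


if __name__ == "__main__":
    db = build_db()
    # A normal lookup behaves identically in both variants.
    print(compare(db, "alice"))
    # A tainted value (constructed) breaks out of the quoted literal in the ad-hoc
    # query and returns every row; the parameterized query simply finds no such user.
    print(compare(db, "x' OR '1'='1"))
```

The second call shows why the post says injection "should not be possible" in an encapsulated application: with parameter binding there is no code path in which request input is interpreted as SQL.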
