Security for Developers: How To Write Secure Code
You may not think of yourself as a security professional, but the truth is that every developer is responsible for securing their code. This responsibility is especially true if you develop software in a team or multiple people use your code.
There are several ways that developers can improve their ability to write secure code:
- Research the software
- Investigate your third-party code
- Track dependencies
- Learn how to use security tools
Let’s dive into each topic to learn more about how to write secure code.
Research the Software
Security for developers begins with reading the documentation and looking for previous research papers.
You should also check for any security issues reported by others. This can be done through search engines or on dedicated sites like Bugcrowd or HackerOne (both of which only allow specific researchers to post).
Finally, look for security issues reported by the community and/or the software company itself. If there’s a bug bounty program available for your software, this would be an excellent place to start looking—they often have great incentives for hackers who find problems with their product.
The next step is to review these reports yourself and see what can be gleaned from them:
- Are there common vulnerabilities?
- Are they easy-to-find bugs?
- How long does it take someone unfamiliar with your codebase to exploit them?
- What steps could be taken to become harder-to-find bugs?
Investigate Your Third-Party Code
One of the most common ways that security issues arise is when developers use third-party code. This can be a library, framework, or even an open-source project.
It's essential to understand what you're using and how it works.
Ask questions about how it was created and whether there are any known vulnerabilities or bugs that have been patched in newer versions of the software.
Do a thorough check of any source code you can access and look for anything that seems out of place, such as suspicious comments or hidden functionality (such as installing malware on your server).
Track Dependencies
Dependencies are a significant cause of vulnerabilities and security bugs, but they're also something that you can't always control. If you're using a third-party library or package in your code, it's important to keep track of those dependencies.
This can be done manually: Watch the main repository for updates and make sure to update them as soon as possible when they're released. This is time-consuming; however, as dependencies increase in number, it will become more challenging for developers to keep up with changes. It's also a lot easier for automated systems like CI/CD pipelines or package managers (such as npm) to keep track of these changes automatically.
Learn How To Use Security Tools
Every developer should use security tools to scan their code, dependencies, applications, and infrastructure. Using these tools helps to ensure that no one has injected a malicious payload into your application or other parts of the infrastructure.
In this section, we’ll talk about some of the most popular open-source security scanners and how to use them effectively.
Detect Vulnerabilities with Static Analysis Tools
Static analysis tools detect vulnerabilities in your code. They can be used to run regular checks on your codebase, or you can integrate them into your development process.
Static analysis tools do not perform any runtime checks, so they won't work for analyzing dynamic languages such as Python and Ruby. They also don't detect runtime flaws like SQL injection attacks or cross-site scripting vulnerabilities. However, they're handy for finding security issues in C/C++ programs and other statically compiled languages.
To use a static analysis tool:
- Set up the tool according to its documentation (typically via an IDE plugin).
- Run it against all files in your project. (A good approach is to run it nightly.)
Make Security Part of Your QA Process
Security testing is part of the QA process. It's also a part of the SDLC. But more importantly, it's something that should be done by all teams that work on the code. Developers are the first line of defense when it comes to security and should be running tests as part of their daily workflow.
Security testing can be tricky because it requires you to learn a new set of tools and techniques and then apply them throughout your codebase in order to find vulnerabilities before they go out to customers and users.
The aim is to ensure that every piece of software released has been tested for vulnerabilities so you can avoid having any significant incidents occur after launch day (or worse yet, during initial release).
This means everyone needs access, not just engineers (for example) but also product managers/designers. Team members who may have spent months working on features such as authentication or payment gateways without being aware of potential threats like SQL injections or XSS attacks. Which could result in leaked sensitive data being stored by hackers within databases if left unchecked.
Write Security Unit Tests
There are a number of ways to approach unit testing, but let’s look at one of the most common.
Unit tests are test cases that verify individual units of code for correctness and consistency. This helps ensure your application works as intended and prevents bugs from being introduced as new features are added or changed.
You can write unit tests for security by writing code that validates the correct use of sensitive data in your application. For example, suppose you have an API endpoint that accepts credit card numbers. In that case, you could write a test script that inspects HTTP requests to see if they contain any credit card numbers or sensitive information (like passwords) without proper encryption first.
This ensures that if anyone ever messes with an incoming request through tampering or injection attacks, they won't be able to access any personal information, such as private keys or other sensitive data used by your application's backend processes downstream.
Security Training for Developers
When it comes to security, you should be proactive rather than reactive. Consider how your code will affect other developers and make sure you are aware of what is going on in your application. This is especially important when working on multi-threaded applications or using third-party libraries and frameworks that may have yet to be well-tested for security issues.
If you're writing a web application, then there are some things that you can do in advance with respect to security. For example:
- Make sure that all user input is validated before it's passed through any sensitive functions (e.g., database calls). There's no point validating after the fact because by then it's too late!
- Make sure that all database queries are fully parameterized so that only authorized data can be retrieved by unauthorized users. This includes making sure that each query only retrieves data from the tables/views/etc. that the user is authorized to view.
As developers, we have a responsibility to protect our users and ourselves from malicious actors. We can do this by incorporating a few simple tools into our workflow: source code scanning, static analysis, and unit testing.
By following these steps regularly, we will be able to catch problems before they impact our users or cause harm within our own systems.
If your team could benefit from security training or consulting on DevSecOps practices, see how you can partner with NextLink Labs.