
Secure Coding Standards, Research Paper Example

Pages: 5

Words: 1507

Research Paper

This is an information age, and businesses depend on computer networks and software applications for business automation. As that dependency has grown, almost every business automation tool and enterprise-wide application is available today. Their pervasive use, however, has exposed numerous threats associated with software development, networks and people alike. Hackers still find ways to intrude into or compromise applications and networks holding highly sensitive or customer data on a company’s servers, in spite of state-of-the-art layered network defenses. Apart from system and network vulnerabilities, software vulnerabilities have also multiplied at an alarming pace, because software was developed without comprehensive security considerations, resulting in weak and insecure applications. A documented secure software development standard is considered a vital element of application security, since it defines the rules required for developing a software system together with the proper safeguards. Moreover, coding standards provide a foundation for secure system development and a set of common criteria for evaluating and measuring software development performance, tools and processes. They also give developers and coders documented procedures and guidelines aligned with organizational requirements. Once secure coding standards are established, they can be used to evaluate source code and measure its degree of compliance with the standard.

There are several ways in which secure coding practices can be established. However, no coding standard is globally recognized, and for this reason organizations customize secure coding standards to their own requirements. CERT established the CERT C Secure Coding Standard, which was developed by 320 technical experts; its new version was released in May 2010 after a review process (Tai-hoon Kim et al.). CERT secure coding standards are adopted by many organizations to address security issues in application development. Establishing a secure coding standard for several programming languages is a complex mission that requires comprehensive contribution and involvement from the community. To produce a standard of top quality, CERT is deploying the development process described below (Pincar, 2008):

Rules and recommendations for the coding standard are solicited from the communities involved with each programming language and its applications, including the de facto standards bodies responsible for maintaining the language documentation standards. Secondly, only high-ranking members of CERT’s technical staff are authorized to modify the content and style of rules and recommendations, and these modifications are posted on a website for comments and feedback. Thirdly, users can discuss and share their views on a publicly available forum, i.e. the website. Finally, once consensus to approve or modify a rule is reached among the authorized CERT members, the approved rule is added to the coding standard.

There are other standards for implementing secure coding as well. Industry-specific guidelines from the Motor Industry Software Reliability Association (MISRA), which address the use of the C language in vital information systems, are publicly available (Samek, n.d.). As mentioned before, many organizations adopt their own secure coding standards; for instance, the publicly released Joint Strike Fighter Air Vehicle C++ Coding Standards are used for federal and military systems (Samek, n.d.). There are also many online coding standards, one of which addresses website security and is sponsored by the U.S. Department of Homeland Security (DHS) National Cyber Security Division (Samek, n.d.). Moreover, the SAMATE Reference Dataset (SRD), sponsored by the National Institute of Science and Technology, offers a collection of programs with known vulnerabilities in their code, architecture and design, for use in reducing exploitable weaknesses. Furthermore, the Common Weakness Enumeration (CWE), sponsored by MITRE, is a dictionary of the security weaknesses in code, architecture and design that have been exploited so far. Many ways of addressing application security have been discussed, but none of them provides secure coding standards that are recognized and adopted uniformly.

Organizations that fail to address application security issues suffer major business or reputational loss in the market from a single security vulnerability, e.g. a security flaw in a user authorization and authentication module. If no automated tools are used for addressing application security, the workload for complying with the rules increases; the use of tools decreases the workload not only for programmers but for scripting languages as well. However, if the organization is already utilizing tools for application security, they must be aligned with a formalized framework (Bradbury, 2008). Moreover, one of the pitfalls of application security is analyzing issues that have been injected into the code; there must be a mechanism for avoiding these issues by finding out how they make their way into the code. Gordon Alexander, a technology manager at Compuware, identifies a vital issue associated with developers’ mistakes (Bradbury, 2008): “Defects manifest themselves in operation, and the cost of that will be borne out of the operational budget. The development budget does not see that cost,” he says, and further, “That makes it difficult for developers to invest in the process to fix these security problems.” As far as management pitfalls are concerned, application security is considered a governance issue (Bradbury, 2008). For instance, if the programmers were not able to address security issues in the development phase, customer data will ultimately be at risk. To address the governance issue, it must be driven from the top and training must be provided at all levels. If there is no adequate training for the programmers, they will make the same mistakes repeatedly and the quality assurance team will have to correct them. This leads to the conclusion that the programmers cannot be blamed for their mistakes beyond the fact that they are not following proper secure coding standards.

Below are the top seven technical flaws that create the risk of a security breach or a possible vulnerability in an application (Bradbury, 2008):

First, input must be validated continuously in order to reject anonymous or unscrupulous data before it is processed. An application programming interface (API) defines a set of definitions that synchronize and combine software communication within an application; it provides abstraction at high and low levels and defines subroutine calls and data structures. Networking APIs provide the entry point to libraries that implement data communication and network protocols (Application programming interface, 2007).

One challenge with APIs is that they can be accessed in ways that exploit a security vulnerability and so threaten the application. Secondly, not configuring appropriate encryption and authentication modules in an application poses a serious threat. Organizations also give little importance to access management procedures, which may become an inherent vulnerability that can be exploited at any time.

Thirdly, there are challenges with autonomous systems that are not addressed by security personnel. As these systems are linked together across different networks, each must recognize the operating state of the others. If a cyber-criminal or hacker successfully finds a vulnerability in how state differences are identified, applications running on the distributed network can be compromised.

Moreover, inadequate or improper error handling is another flaw; sound error handling and incident response plans are essential for overcoming the situation when it arises. Organizations seem reluctant to address errors that may contain meaningful and critical information pointing to the root cause of issues that later become exploits. Furthermore, careless coding may also lead to improper functionality of the application and so to a security vulnerability ready to be exploited by a threat.

Lastly, encapsulation that hides transactions or data classified as highly sensitive also creates pitfalls for organizations when no trust boundaries are defined, leading to a complex situation. Since these boundaries define the specific parts of data transmission that need to be protected, defining them minimizes the probability of threats. Code must therefore adhere to these boundaries when encapsulating highly sensitive data transmission.
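The first, sixth and seventh flaws above (unvalidated input, improper error handling, and undefined trust boundaries) can be made concrete in a few lines of C, the language of the CERT C standard discussed earlier. The following is an added example written for this page; it is not code from the paper, from Bradbury, or from CERT. It treats a string arriving from outside the application as untrusted until it has passed a strict check, writes the result only on success, refuses rather than truncates when a buffer is too small, and reports failures to the caller through status codes mapped to generic messages, so that an error never reveals internal detail. The port-number rule (1 to 65535), the message texts and the sample inputs are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes that cross the trust boundary back to the caller. Callers
 * see one of these, never errno text or internal state, so a failure
 * leaks nothing about the implementation. */
typedef enum {
    PARSE_OK = 0,
    PARSE_EMPTY,
    PARSE_NOT_NUMERIC,
    PARSE_OUT_OF_RANGE
} parse_status;

/* Validate an untrusted string as a TCP port (1..65535, an assumption of
 * this example). Uses strtol() with errno and end-pointer checks, as the
 * CERT C standard recommends instead of atoi(), so every failure mode is
 * distinguishable. *port_out is written only on success. */
parse_status parse_port(const char *input, int *port_out)
{
    if (input == NULL || input[0] == '\0')
        return PARSE_EMPTY;

    /* strtol() silently skips leading whitespace and accepts a sign; a port
     * field should contain digits only, so reject those forms up front. */
    if (input[0] == ' ' || input[0] == '\t' || input[0] == '+' || input[0] == '-')
        return PARSE_NOT_NUMERIC;

    char *end = NULL;
    errno = 0;
    long value = strtol(input, &end, 10);

    if (end == input || *end != '\0')      /* no digits, or trailing junk */
        return PARSE_NOT_NUMERIC;
    if (errno == ERANGE || value < 1 || value > 65535)
        return PARSE_OUT_OF_RANGE;

    *port_out = (int)value;
    return PARSE_OK;
}

/* Copy an already-validated token into a fixed-size buffer, refusing
 * (rather than silently truncating or overflowing) when it does not fit.
 * Returns 0 on success, -1 if the destination is too small. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* need room for the NUL as well */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Message that is safe to return to a remote user: it names the rule that
 * failed and nothing else. Operator detail belongs in the log instead. */
const char *user_message(parse_status st)
{
    switch (st) {
    case PARSE_OK:           return "ok";
    case PARSE_EMPTY:        return "port is required";
    case PARSE_NOT_NUMERIC:  return "port must be a whole number";
    case PARSE_OUT_OF_RANGE: return "port must be between 1 and 65535";
    }
    return "invalid request";
}

/* Run the validator over constructed sample inputs (not real traffic) and
 * return how many were rejected, so the behaviour can be checked. */
int demo_rejected_count(void)
{
    const char *samples[] = { "8080", "443", "80x", "", " 22", "-1", "0",
                              "65536", "99999999999999999999" };
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int port = 0;
        parse_status st = parse_port(samples[i], &port);
        if (st != PARSE_OK) {
            rejected++;
            /* Operator-facing log line: records the failure code and the
             * input length, not the raw untrusted bytes. */
            fprintf(stderr, "log: rejected input of length %zu (code %d)\n",
                    strlen(samples[i]), (int)st);
        } else {
            printf("accepted port %d -> %s\n", port, user_message(st));
        }
    }
    return rejected;
}

int main(void)
{
    int rejected = demo_rejected_count();
    printf("%d inputs rejected\n", rejected);
    return 0;
}
```

Of the nine constructed inputs, only "8080" and "443" are accepted; the other seven fail a distinct check, and a caller can only ever learn which rule was violated, not how the parser is built. The same shape (validate at the boundary, write outputs only on success, separate the user-facing message from the operator log) applies to any field read from a network request or configuration file.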

The top ten application security risks for the year 2010, as rated by OWASP, are listed below (Bradbury, 2008):

  • Cross-Site Scripting (XSS)
  • Structured Query Language (SQL) Injection
  • Cross-Site Request Forgery (CSRF)
  • Insecure direct object request
  • Cracked authentication and session management
  • Failure for limiting URL accessibility
  • Inadequate cryptographic storage
  • Inadequate transport layer safeguards
  • Un-validated requests

References

Application programming interface. (2007). Network Dictionary, 40.

Bradbury, D. (2008). Secure coding from first principles. Computer Weekly, 18.

Pincar, J. (2008). Development process – C++ secure coding practices – CERT secure coding standards. Retrieved 3/9/2012 from https://www.securecoding.cert.org/confluence/display/cplusplus/Development+Process

Samek, M. (2009). Practical UML statecharts in C/C++: Event-driven programming for embedded systems. Amsterdam: Newnes/Elsevier.

Tai-hoon Kim, Adeli, H., Slezak, D., Frode Eika Sandnes, Xiaofeng Song, Kyo-Il Chung, et al. (Eds.). Future generation information technology: Third international conference, FGIT 2011, Jeju Island, December 8-10, 2011, proceedings (Lecture Notes in … Applications, incl. Internet/Web, and HCI). Springer.
