Secure Standards for Secure Coding, Essay Example

Introduction

CERT provides the common accepted standards for programming languages. Essentially these cover 10 main secure coding practice guidelines for computer science professional programmers. These are published by the Software Engineering Institute at Carnegie Mellon University. (Software Engineering Ins, 2011).

The 10 Key Guidelines

Validation of Input – Ensure data comes from both trusted and secure sources. This ensures safety of the software and reduces the degree of vulnerability;

Compiler Warnings – Take careful observation of compiler warnings and ensure appropriate modification of the code to avoid security flaws in the system

Architectural Design – Ensure design parameters are executed that take into full consideration the security requirements and parameters of the system being constructed. Emphasis on user and access privileges associated with the system;

Simplicity – Avoid building complex elements of coding constructs into the system. Keep the coding modular and easy to maintain. This facilitates both security and maintenance of the code;

Default Denial – Always base permissions more on denial of access than entry. Build the protection schemes on the basis of protecting the system

Principle of least privilege – Each process that is to be executed in the system should be done with the least amount of privileges associated with it. This creates for smoother running of the system

Data Sanitization – Sanitize all data that is passed to sub routines or sub systems and ensure the minimum of complexity. This creates for better systems integration and facilitates both security and maintenance. This applies to such items as command shells, data bases, and COTS software components.

Defense in depth – Create a tiered security defense strategy in the safeguard of the system code. This helps in ensuring that there is a multiple layered defence strategy to potential intruders or unauthorised people trying to gain unlawful entry;

Quality Assurance – Ensure professional testing standards are both designed and documented into the system build. This avoids concepts like fuzzy logic and builds in security audit control points into the system. (Seacord, R.C. 2009)

Secure Coding Standards – Develop and integrate secure coding standards for the system build process. (CERT, 2011).

An excellent white paper on the details for conducting Secure Coding practices has been developed by Shiralker and Grove of ATSEC Information security. (Shiralker, T. 2009). The picture to the right graphically illustrates how easy it is to breach systems security i.e. it is easy to circumvent a barrier as opposed to trying to defeat it. This crude analogy illustrates the concept of vulnerability in unsecure coding practices. Hackers will seek the least line of resistance in order to gain entry to systems and look for trap doors or back door entry access points.

References

CERT. (2011, 3 1). Top 10 Secure Coding Practices . Retrieved 3 5, 2012, from CERT: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

Seacord, R. R. (2009). Secure Coding Standards. Pittsburgh PA: Carnegie Mellon University.

Shiralker, T. a. (2009). Guidelines for Secure Coding. Austin, TX: ATSEC Information Security.

Software Engineering Ins. (2011, 12 15). CERT Secure Coding Standards. Retrieved 3 5, 2012, from Software Engineering Inst, Carnegie Mellon University: https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards