Security Think Tank: To secure code effectively, verify at every step
Verification at every step is an important part of ensuring your code is secure, writes Petra Wenham
It’s been quite a while since I did any actual coding, and while I have done machine-level coding, I was initially taught Algol and Fortran, both high-level languages.
In my 20-plus years in information security and assurance, the issue of secure coding has risen in importance. It is through poor coding and housekeeping procedures that many successful security breaches have occurred, but the role of the operational environment and any background housekeeping functions should not be overlooked; they can, indeed, be critical.
A big part of secure coding is ensuring that any input to a piece of code is only allowed to originate from a known, verified source, and that the input is subjected to rigorous boundary checking (length, range, encoding) and content checking against the format the code actually expects. Should the input not be conformant, it is rejected outright rather than “cleaned up” and used, and the rejected data is completely destroyed.
Similarly, output from a piece of code should come only from within the code itself, should be sent only to known, verified destinations, and must not use memory outside of what has been allocated. The code itself should only access and use allocated memory locations and system I/O, and housekeeping functions should clean up (overwrite and release) any temporary memory locations post use.
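The two paragraphs above rendered as a small Python routine, added here as a worked example and not code from the column. The source and destination names (`billing-api`, `ledger` and so on), the account-reference format and the 64-byte boundary are constructed for illustration; the order of checks and the refusal to pass on anything that fails them is the point.

```python
# Added example, not from Petra Wenham's column: the input and output rules
# above rendered as Python. Source and destination names and the account
# reference format are constructed for illustration.
import re

# Allowlists of the only sources we accept input from and the only
# destinations we will write to (constructed names).
TRUSTED_SOURCES = frozenset({"billing-api", "order-service"})
TRUSTED_SINKS = frozenset({"ledger", "audit-log"})

# Boundary and content rules for one field: a hypothetical account
# reference of two upper-case letters followed by six digits.
MAX_INPUT_BYTES = 64
ACCOUNT_REF = re.compile(r"[A-Z]{2}[0-9]{6}")


class RejectedInput(Exception):
    """Input failed the source, boundary or content check."""


def validate(source: str, payload: bytes) -> str:
    """Return the validated account reference or raise RejectedInput.

    payload may be bytes or bytearray. Checks run in order: source, then
    boundary (length and encoding), then content. Nothing partially
    checked is ever returned.
    """
    if source not in TRUSTED_SOURCES:
        raise RejectedInput(f"untrusted source {source!r}")
    if len(payload) > MAX_INPUT_BYTES:
        raise RejectedInput("payload exceeds boundary")
    try:
        text = bytes(payload).decode("ascii")
    except UnicodeDecodeError:
        raise RejectedInput("payload is not ASCII") from None
    # fullmatch, not search or match with '$': '$' would accept a trailing
    # newline, which is exactly the kind of slack an attacker exploits.
    if ACCOUNT_REF.fullmatch(text) is None:
        raise RejectedInput("payload is not a well-formed account reference")
    return text


def process(source: str, raw: bytearray, sink: str, sinks: dict) -> str:
    """Validate raw input and deliver it only to an allowlisted sink.

    raw is a mutable buffer so it can be overwritten before it is dropped;
    sinks is a constructed stand-in for real output channels. Returns a
    status string rather than raising so the caller can log it.
    """
    if sink not in TRUSTED_SINKS:
        return f"refused: unknown destination {sink!r}"
    try:
        ref = validate(source, raw)
    except RejectedInput as exc:
        return f"rejected: {exc}"
    finally:
        # Housekeeping: overwrite the temporary buffer whether or not the
        # input was accepted, so rejected data does not linger. (The str
        # returned by validate is immutable in Python and cannot be
        # scrubbed; in C you would memset the buffer and every copy.)
        raw[:] = bytes(len(raw))
    sinks.setdefault(sink, []).append(ref)
    return "delivered"
```

Note that the destination check runs before any input is touched, so a misconfigured caller cannot even get as far as parsing, and that the buffer is zeroed on every path out of the validation step, not only on rejection.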
The operating system that any code runs under should allocate, monitor and control memory usage in order to stop one piece of code from violating the memory allocated to other pieces of code.
The OS should only permit verified (certified or flagged) code to run; non-verified code should be isolated, prevented from running, and an error reported so that the attempt is visible.
It should be noted that this could be a multi-level operation where, for example, a host system and OS runs a number of virtual hosts or supports a number of containers, not forgetting that a virtual host could itself be running a number of containers, making for a very complex environment. Each layer (hypervisor, guest OS, container runtime) needs to apply the same verification; a check at the host alone says nothing about what a guest or a container goes on to execute.
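A minimal loader that behaves as the paragraph above describes, added here as a worked example and not code from the column: code whose SHA-256 digest is on an allowlist runs; anything else is never handed to the interpreter and an error is reported. The module source and its digest are constructed. Production systems use signatures (code signing, Secure Boot, signed container images) rather than a list of hashes so that the allowlist need not be redistributed with every release, but the check-then-run logic is the same.

```python
# Added example, not from the column: a loader that runs only code whose
# SHA-256 digest is on an allowlist, the "flagged code" variant of the
# control described above. The module source and digest are constructed.
import hashlib
import types

# The approved release and its published digest (constructed).
APPROVED_SOURCE = b'def greet(name):\n    return "hello, " + name\n'
APPROVED_DIGESTS = frozenset({hashlib.sha256(APPROVED_SOURCE).hexdigest()})


def is_verified(code: bytes, allowlist: frozenset = APPROVED_DIGESTS) -> bool:
    """True only if the exact bytes we are about to run are allowlisted.

    Hash the bytes you will execute, not a file you read earlier: a path
    that is re-read after the check can be swapped underneath you.
    """
    return hashlib.sha256(code).hexdigest() in allowlist


def load_verified(name: str, code: bytes, allowlist: frozenset = APPROVED_DIGESTS):
    """Return (status, module). Unverified code is never passed to exec."""
    if not is_verified(code, allowlist):
        # Isolated and prevented from running, with an error reported.
        return f"error: {name} is not verified; refused to run", None
    module = types.ModuleType(name)
    exec(compile(code, f"<verified:{name}>", "exec"), module.__dict__)
    return "ok", module
```

Even a change that looks harmless, such as an appended comment, alters the digest and is refused; that is the property you want, since the verifier cannot tell a benign edit from a malicious one and should not try.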
There are quite a few software, container and OS testing tools on the market, but unless your organisation has its own IT department that is developing, maintaining and deploying code, you will probably look to outsource any necessary testing and review work to a competent agency.