Security needs to be a top priority for every aspect of the IT department. With the volume and severity of threats growing all the time and the penalties for breaches higher than ever, careless use of applications can cost any company dearly.
But this isn't limited to the end-users actually interacting with your software. Vulnerabilities caused by misconfigurations or flaws in the development process can be equally dangerous and, if firms don't take the time to thoroughly secure their code, these could lie unnoticed until it's too late.
Why your language choice isn't everything
Some developers may therefore pay a lot of attention to selecting the programming language they'll use based on its perceived security, but in reality there’s no such thing as an inherently secure language.
The figures on this can be misleading. For instance, one study by Whitesource found nearly half of open-source vulnerabilities publicly disclosed in the past decade (47%) were in C. However, this doesn’t necessarily mean C has poor security, as it's also one of the most popular languages. Therefore, with a larger community and more people using the code, it makes sense that they’ll find more vulnerabilities.
Ultimately, if you're following best practices and avoiding the use of sloppy code, the tool you're working in shouldn't make a difference. Instead, you should be making your selection based on your software needs and ensuring you're factoring security into the code itself.
Here are a few things to keep in mind to ensure your applications are as secure as possible, regardless of the tools you've used to create them.
1. Keep it simple
It should go without saying that the fewer lines of code in your application, the fewer opportunities there’ll be for things to go wrong. Yet this is often counter to the instincts of many developers, who may find themselves overthinking the design and adding extra features and options that may be nice to have, but could well compromise security.
The more complex your program, the more likely it is to have holes or errors, as the chances of any new additions or changes having unintended consequences grows. To avoid this, it's important to keep in mind the desired business outcome of any new software development and not stray away from this. This focuses the mind and prevents you from being distracted by unnecessary new functionality that adds vulnerabilities.
2. Embrace automation
Human error has long been one of the biggest causes of data breach, and this is as true for the people building the software as it is for those using it carelessly. However, many of the coding mistakes that are easy to make can be rectified or avoided altogether by greater use of automation tools.
This can be used to take many of the more repetitive and tedious processes out of an individual's hands, which is often where flaws can creep in. However, it can also ensure that code is being automatically scanned for known vulnerabilities throughout the process, which allows any issues to be spotted immediately rather than waiting for a review at the end of development, by which time it may be too costly to fix.
The results of this can be significant. For example, the use of automation in open-source software development can reduce the chances of vulnerable components used in finished applications by 55%.
3. Don't trust users
One of the biggest challenges for any software developer will be trying to foresee the potential actions of the end-user. No matter how carefully you plan your code, there’ll always be someone who finds a way to step outside the boundaries, whether unintentionally or by actively looking for weaknesses. If you trust your users to do only what you expect of them and nothing else, this can quickly lead to trouble.
Indeed, according to OWASP, four of the ten most dangerous web applications are due to placing too much trust in the user, which results in exploits such as:
- Injection attacks
- XML External Entities
- Cross-site Scripting
All of these attack methods depend on the application trusting what the user gives it, often leading to executing data as code.
To avoid this, it's important to rely on principles of least trust and ensuring that any data entering the application is validated before being used. If you can't be sure the inputs are 100% genuine, reject them - it's better to be safe than sorry.
4. Use threat modelling
Threat modeling involves looking at your software design to identify any places which attackers could compromise. This means you need to be able to think like a hacker and understand what they’ll look to gain and how they may break into a system.
For instance, ask what key assets are there within the applications that’ll need to be protected and how these are accessed. This will help you prioritize which areas to focus on and develop mitigation strategies that can be implemented in the code.