Over 8000 software vulnerabilities were identified in Q1 2022, and over 50% of them pose a high risk to the integrity and confidentiality of the affected applications. It also takes an average of 58 days to patch a compromised application.
What Makes Software Vulnerable
Developers are not trained in secure coding or secure coding practices
Security concerns added too late or after development
Developers focused on the business needs rather than the possibility of software being compromised
Security through obscurity
Building Secure Software
What should we consider when building software?
First, we need to understand:
The CIA (Confidentiality, Integrity, and Availability) triad.
Balanced design, i.e. security, features, and complexity need to be balanced against each other.
A secure software development lifecycle, i.e. incorporating security before, during, and after the project.
Confidentiality
This concerns authorized versus unauthorized access. Put simply, users with lower privileges should not have access to sensitive data they are not authorized to see.
Here is what to consider:
Are databases, in-memory stores, logs, and JSON or XML files secure?
Is data transmitted through encrypted channels, or can it be sniffed with tools like Wireshark?
Who can change physical files, and what are you logging?
Are you encrypting the company's or clients' sensitive data?
Integrity
This refers to how consistent, trustworthy, and accurate our application data is.
Here is what to consider:
Are unauthorized modifications of data prevented? For example, SQL injection.
Is there proper authentication, so that only authorized users are able to view and modify data?
Are users given only the privileges described by their role and nothing more?
Never trust data submitted from public sources, i.e. perform proper user input validation on the frontend.
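As an added example (not code from the original article), the following Python snippet shows the SQL injection case named above: a lookup built by string concatenation beside the same lookup as a parameterized query, plus a server-side validation check as a second layer. The database, table and sample rows are constructed here for illustration.

```python
import sqlite3

# Constructed in-memory sample database for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "key-alice"), ("bob", "user", "key-bob")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The untrusted value is pasted into the SQL text, so it can change the
    # meaning of the query instead of being treated as data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the SQL,
    # so the same input is compared as a literal string and matches nothing.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def validate_username(username):
    # Server-side validation as defence in depth: frontend checks can be
    # bypassed by any client that talks to the API directly.
    return 0 < len(username) <= 32 and username.isalnum()

def lookup_validated(conn, username):
    # Reject malformed input before it reaches the database at all.
    if not validate_username(username):
        return []
    return lookup_safe(conn, username)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("parameterized:", lookup_safe(db, probe))     # returns []
    print("validated:", lookup_validated(db, "bob"))    # returns [('bob', 'user')]
```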
Availability
This refers to how readily data is available to authorized users.
Here is what to consider:
Are there proper backups of data?
Is there load balancing and high availability for heavily trafficked sites?
Is there request throttling, for example, how many login attempts are allowed before a user is locked out?
Is a web application firewall (WAF) implemented to automatically drop malicious traffic?
Balanced Design
When building an application, we are mostly concerned with the business requirements, how best to implement them, and how to make them easy for users to work with; we rarely pay attention to security vulnerabilities.
We need to find a balance between security, complexity, and convenience. Security and functionality should be aligned rather than working against each other, and the balance lies between the number of features offered and the learning curve of the software being built.
Security By Design
This refers to a secure software development life cycle (SDLC), where security is considered at every phase of the SDLC rather than being an add-on at the end of a project.
Security considerations include:
Risk assessment during requirements gathering for the software we are about to build.
Threat modelling, i.e. the different ways an attacker might compromise the new application being built, by asking:
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?
Static code analysis tools to check the code base.
Dynamic code scanning during testing and deployment.
Third-party review and internal attempts to hack the software.
Code reviews and configuration checking.
Follow the principle of least privilege.
Avoid security through obscurity.
For more information, see the Open Web Application Security Project (OWASP) website; OWASP is a non-profit organization that helps improve the security of your software.
You can concentrate on the following three projects.
OWASP Top 10
OWASP Proactive Controls
OWASP Application Security Verification Standard: its goal is to help organizations develop and maintain secure applications. It helps security personnel agree on a set of standards for testing.