Software developers and all other personnel involved in developing software for organizations are required to undergo annual training in secure coding techniques for the software platform(s) with which they work. In many cases, these same developers and organizations are also required to submit Secure Code Training checklists on an annual basis as evidence that they are meeting the secure coding requirements.
In addition to the many compliance requirements facing software developers, professional guidelines such as the Open Web Application Security Project (OWASP) Code of Ethics and the CWE/SANS Top 25 list of dangerous software errors are often leveraged as well.
How does your software development lifecycle stand in comparison to industry expectations? Does it include policies, processes, and procedures to ensure that internally developed applications are not vulnerable?
Whatever your current posture is with secure coding principles, organizations looking to implement a compliant practice should ensure that (at minimum) these potential threats, which correspond to the OWASP Top 10 categories, are accounted for:
– Injection Flaws (SQL, OS and LDAP Injection)
– Cross-site Scripting (XSS)
– Broken Authentication and Session Management
– Insecure Direct Object References
– Cross-site Request Forgery (CSRF)
– Security Misconfiguration
– Failure to Restrict URL Access
– Unvalidated Redirects and Forwards
– Insecure Cryptographic Storage
– Insufficient Transport Layer Protection
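As an added example that is not part of the original page, the following Python snippet shows the first item on the list, an SQL injection flaw in a login check, beside the parameterized form that eliminates it. The in-memory user table, the credentials and the attack string are constructed for the example; the `login_vulnerable` and `login_parameterized` functions are hypothetical names, not code from Praetorian Secure.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Constructed sample rows; a real system would store salted password hashes.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: user input is spliced into the SQL text itself.

    A username of  ' OR '1'='1' --  turns the WHERE clause into
    username = '' OR '1'='1' and comments out the password check,
    so every row matches. A stray quote in a legitimate password
    breaks the statement instead of being treated as data.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep data separate from SQL syntax.

    The driver binds the values after the statement is parsed, so
    quotes, comment markers and keywords in the input are never
    interpreted as SQL.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def injection_demo():
    """Run both versions against the same inputs and return the outcomes."""
    conn = make_db()
    attack = "' OR '1'='1' --"  # constructed attack string
    results = {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, attack, "anything"),
        "attack_parameterized": login_parameterized(conn, attack, "anything"),
        "quote_parameterized": login_parameterized(conn, "alice", "it's"),
    }
    try:
        login_vulnerable(conn, "alice", "it's")
        results["quote_vulnerable"] = "no error"
    except sqlite3.OperationalError:
        # The unbalanced quote makes the concatenated statement unparsable.
        results["quote_vulnerable"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in injection_demo().items():
        print(f"{name}: {value}")
```

The vulnerable login returns every user for the attack string, so an attacker is authenticated as the first account without knowing any password; the parameterized version returns nothing for the same input and also copes with a legitimate password containing a quote. The same principle (never build the command from untrusted input; pass arguments through an API that keeps them as data) applies to the OS and LDAP injection variants named on the list.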
Praetorian Secure has developed and implemented a comprehensive program covering software assessment, development and secure coding guidelines and training, which encompasses the categories and supporting activities listed below. These policy directives are enforced through ongoing review to ensure that the software development and secure coding guidelines and training initiatives are executed in a formal manner and on a consistent basis.
Secure coding is much more than reviewing code manually or with automated tools; it is a fundamental component of the entire software development lifecycle and its related processes. Software built on secure coding techniques must contend with a wide range of vulnerabilities and threats that pose significant dangers to the internally developed platforms on which our customers rely. These threats are continually sought out and periodically catalogued by the Open Web Application Security Project (OWASP), and developers and all other personnel involved in software development are expected to have a comprehensive understanding and in-depth knowledge of them.
Additionally, while many of these vulnerabilities can be eliminated with secure coding techniques, other critical processes and procedures must also be put in place by network engineers and other IT staff to ensure the security of internally developed software platforms.