Secure coding practices: the developer’s guide to security
Cyber risk is a major concern in any modern organization, with cyberattacks affecting even the biggest tech companies. Teams need to be better equipped to counter that risk and need to pull together in the direction of reducing it. For developers, that means secure coding – working from the outset to apply cyber security best practices to their work.
In this blog post, we go through the basics of secure coding: what cyber risk is, how it can impact your organization, and how to mitigate it. We also cover best practices to incorporate into your daily duties as a developer.
What is cyber risk?
Cyber risk, simply put, is any risk caused by threats to or flaws in your computer systems that could result in critical damages to an organization. This is often the result of security incidents, bugs, or accidents. The implications of this may be reputational damage, lost productivity or revenue, or data loss/exposure, for example. Most organizations collect, process, and store information of varying degrees of sensitivity; the more sensitive the data, the greater the risk.
Should developers be concerned about cyber risk?
Most developers and engineers are highly focused on functionality, scalability, and performance, all of which are important. But without adequate security measures in place, vulnerabilities quickly emerge. Moreover, applications and systems are often built using third-party tools or libraries, increasing the exposure to cyber risk. The developers and engineers building these systems must therefore be mindful of potential cyber risks to the organization.
Exposing cyber risk in top organizations
Any organization can fall victim to cyber risk. Here are a few incidents in which major global organizations failed to adequately address cyber risks and became targets of damaging cyberattacks.
- Twitter: In July 2020, Twitter suffered a phone spear-phishing attack executed via social engineering. The company’s social network admin panel was compromised, resulting in both financial and reputational damage.
- Jet2: One of the largest airlines in the UK, Jet2 lost roughly $215,000 in a 2018 cyberattack, rendering its services unavailable for about 12 hours. A former contractor had gained access to credentials of Jet2’s employees after which he deleted critical applications while trying to cover his tracks.
- GitHub: The code hosting platform fell victim to a cyberattack in 2018 known to be one of the largest DDoS attacks, despite only lasting a few minutes. Access to the platform remained unavailable for the duration of the attack (see below for more on DDoS attacks).
Common terms used in cyber security
Here are some common terms used within the cyber security space:
The term breach is used when an exploit or attack has been successfully carried out. For example, if a hacker gains access to an organization’s confidential information, the information is said to have been breached.
A firewall is a defense system or network security system that restricts unauthorized access to a private network. Firewalls may be implemented using either hardware or software.
Malware and ransomware
Malware is intrusive software that is capable of damaging a computer system, gaining unauthorized access, and performing unwanted actions in a computer system.
Ransomware is software that poses a threat, such as blocking authorized access or exposing confidential data, until the demanded amount of money is paid.
DDoS (distributed denial-of-service) attack
DDoS is a type of cyberattack in which the resources of a particular network, service, or server are made unavailable. This disruption is caused by flooding the target’s bandwidth with data or requests from multiple sources, generating heavier traffic than it can handle.
Cyber risk management
Cyber risk management is a strategic approach employed to detect, analyze, prioritize, and implement defensive measures against any cyber risks that pose a threat to the organization.
Importance of cyber risk management
Benefits of adopting a cyber risk management strategy include:
- Helps to mitigate possible cyberattacks.
- Reduces the potential for financial loss due to cyberattacks (a common attack motive).
- Helps preserve the organization’s reputation.
- Enhances the security of the organization’s sensitive data.
Cyber risk management processes
A typical cyber risk management process follows these steps:
- Assess and analyze key assets in the organization.
- Identify possible risks and vulnerabilities and their sources (e.g., insider threats, data leaks, or third-party tools).
- Evaluate risks and prioritize them according to your business needs and risk appetite (i.e., determine which risks you can afford to overlook).
- Calculate the impact and possible consequences if the identified risks should be exploited in an attack.
- Determine possible steps you can take to mitigate the identified risks and prevent possible attacks.
- Continuously monitor risks and repeat the above process.
Cyber risk management frameworks
Discussed below are some of the standardized frameworks you can use to help ensure more effective cyber risk management processes.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is one of the most popular frameworks for cyber risk management. It organizes the risk management process into five core functions, namely:
ISO/IEC 27001 was created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a standard by which an organization's information can be systematically protected. Its core objectives are confidentiality, integrity, and availability.
Secure coding practices and tools for better cyber risk management
When it comes to secure coding, there are some industry-tested methods and strategies that teams can employ. The following tools and best practices can help you better manage risks in your organization.
In a typical application development process, testing and security checks are carried out at the end of the application development lifecycle. Shift-left security means introducing security checks at earlier stages during the development phase, rather than at the end of the process. The shift-left security process enables teams to begin tracking security issues and vulnerabilities as soon as a developer commits their code, even before deployment.
Why practice shift-left security?
Some of the benefits of practicing shift-left security include:
- Helps discover vulnerabilities at a much earlier stage of the application development lifecycle.
- Can reduce costs, since vulnerability impact is lower at earlier stages of development compared to the production stage.
- Helps developers/engineers learn about security as they go about their daily duties.
Shift-left security best practices
Here are some best practices you can employ when implementing shift-left security:
- Define the process and strategic approach of shifting security left.
- Assess your software development process and understand how it works.
- Automate security checks wherever possible.
- As additional code is written, implement security checks where needed and provide your developers and engineers with feedback as soon as possible so that they can implement fixes.
- Employ continuous monitoring.
Shift-left security tools for secure coding
The following tools can be helpful when implementing a shift-left security process:
- Static application security testing (SAST): These tools scan your source code for vulnerabilities. They can be used to scan code early on in the development lifecycle, before the code has been compiled. Unlike DAST (discussed below), SAST tools point to the exact location of an issue in the code, so it can be fixed almost immediately.
- Dynamic application security testing (DAST): These tools exercise your application at runtime, after compilation, to identify vulnerabilities, helping you detect security issues that couldn’t be detected in a static state. They are mostly used in addition to SAST tools to detect security vulnerabilities such as SQL injection and runtime errors.
- Software composition analysis (SCA): This automated tool identifies open-source or third-party libraries in your application and detects known vulnerabilities, notifying the user of available patches or updates to address them.
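To make the SAST idea above concrete, here is an added example (not a tool from the original post or from Vulcan Cyber): a minimal scanner that walks a Python abstract syntax tree and flags risky call patterns, including SQL built by string formatting, before the code is ever run. The sample source it scans is constructed for the example; the rule names are assumptions.

```python
"""Minimal SAST-style rule engine: walk a Python AST and flag risky calls."""
import ast

# Constructed sample: the kind of code a SAST scan inspects before it is executed.
SAMPLE_SOURCE = '''
import subprocess
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)  # string-built SQL
def safe_find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # parameterized
def run(cmd):
    return subprocess.run(cmd, shell=True)
def parse(text):
    return eval(text)
'''

def _call_name(node):
    """Return 'func' or 'obj.attr' for the callee of a Call node."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        if isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"   # subprocess.run -> "subprocess.run"
        return f.attr
    return ""

def _is_string_built(expr):
    """True if an expression builds a string at runtime (%, +, f-string, .format)."""
    if isinstance(expr, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")

def scan_source(source):
    """Return sorted (line, rule) findings for risky call patterns in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name == "eval":                      # arbitrary code execution on untrusted input
            findings.append((node.lineno, "dangerous-eval"))
        if name in ("subprocess.run", "subprocess.call", "subprocess.Popen") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords):       # shell=True enables command injection
            findings.append((node.lineno, "subprocess-shell-true"))
        if name.endswith(".execute") and node.args and _is_string_built(node.args[0]):
            findings.append((node.lineno, "sql-string-built"))  # parameterized form is not flagged
    return sorted(findings)
```

Running `scan_source(SAMPLE_SOURCE)` reports the three risky lines and leaves the parameterized query alone, which is exactly the early, code-located feedback the SAST bullet describes.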
Bug bounties are financial rewards offered by companies in order to motivate ethical hackers to evaluate the company’s source code and identify bugs that pose a threat to the organization. The higher the reward, the greater the competition, and the sooner a fix can be made available.
OWASP (Open Web Application Security Project) Top 10
OWASP is an open community devoted to providing free resources and guides to help improve your security. Its Top 10 lists the ten most critical web application security risks and provides guidance for addressing them.
Secure software development lifecycle (SDLC)
SDLC is a standard approach to building software applications, and is a key component of secure coding. It includes the following steps:
Secure SDLC, however, is the practice of integrating security procedures, such as code reviews, into each of those development stages.
When performing code reviews, here are some questions to ask yourselves as developers:
- Is the code properly formatted and readable?
- Does the code follow standard principles and best practices (such as DRY)?
- Can it be tested and debugged?
- Is it convoluted or does it need to be separated into modules?
- Is the code scalable?
Any security expert knows there’s no such thing as a perfectly secured system. But incorporating the cyber risk management and security best practices covered in this post into your daily tasks as a developer/engineer will enable you to deliver more secure applications and mitigate risk to your organization and its customers.
An integral part of maintaining good cyber hygiene is continued communication and collaboration with IT security teams. The Vulcan Cyber® risk management platform bridges the traditional disconnect between siloed teams and presents cyber security priorities in clear terms, and in the developers’ own environments, turning the cyber risk mitigation process into a shared effort. Book a demo today.