1.11.2008

Secure Coding Practices, Part 1

by Steven McElwee, CISSP

When was the last time you did a security code review? If you are like most security professionals, this sounds foreign to you. For years, security has focused on the electronic perimeter, hardening of servers, patching third-party software, and access control. Today security is digging deeper into the nuts and bolts of the applications.

This is the first article in a series on secure coding practices. The goal is to introduce the software engineering side of security to help you develop a more comprehensive skill set.

One of the pillars of application security is secure coding practices. The security professional’s role in secure coding is first of all to help develop and communicate secure coding practices and to train software engineers in them. To ensure that these practices are followed, security must be integrated into the software development process by performing ongoing code reviews.

Code review is not the starting point for security involvement in software development. Before beginning code review, it is important to review requirements to ensure that security controls are defined. It’s also important to review system designs to ensure that there are no design flaws that can be spotted at a high level.

After security requirements are solid and the design looks good on paper, you are ready for code review. Code review for security is a combination of manual and automated processes. Your goal is to ensure that the security requirements and design artifacts are realized in the code and to uncover coding practices that expose application vulnerabilities.

Begin by developing secure coding practices and training the software engineers in your organization to use them. These practices should provide guidelines for at least the following security functions:


You will also need a code review checklist that covers these areas, along with sections for describing the system context, end users, confidentiality of information, and availability requirements. You will use this form to communicate risks to developers and to make follow-up notes when risks have been closed. The completed template also serves as evidence of due diligence if you ever experience a security breach.

The articles that follow in this series will describe secure coding practices for each of the functions above to help you to develop secure coding practices, train your software engineering staff, and perform effective security code reviews.
