Software Development Security

Security is part of software development process, is an ongoing process involving people and practices, and ensures application confidentiality, integrity, and availability. Secure software is the result of security aware software development processes where security is built in and thus software is developed with security in mind.

Security is most effective if planned and managed throughout every stage of software development life cycle (SDLC), especially in critical applications or those that process sensitive information.

The solution to software development security is more than just the technology.

Software Development Challenges

As technology advances, application environments become more complex and application development security becomes more challenging. Applications, systems, and networks are constantly under various security attacks such as malicious code or denial of service. Some of the challenges from the application development security point of view include Viruses, Trojan horses, Logic bombs, Worms, Agents, and Applets.^[1]

Applications can contain security vulnerabilities that may be introduced by software engineers either intentionally or carelessly.

Software, environmental, and hardware controls are required although they cannot prevent problems created from poor programming practice. Using limit and sequence checks to validate users’ input will improve the quality of data. Even though programmers may follow best practices, an application can still fail due to unpredictable conditions and therefore should handle unexpected failures successfully by first logging all the information it can capture in preparation for auditing. As security increases, so does the relative cost and administrative overhead.

Applications are typically developed using high-level programming languages which in themselves can have security implications. The core activities essential to the software development process to produce secure applications and systems include: conceptual definition, functional requirements, control specification, design review, code review and walk-through, system test review, and maintenance and change management.

Building secure software is not only the responsibility of a software engineer but also the responsibility of the stakeholders which include: management, project managers, business analysts, quality assurance managers, technical architects, security specialists, application owners, and developers.

Basic Principles

There are a number of basic guiding principles to software security. Stakeholders’ knowledge of these and how they may be implemented in software is vital to software security. These include:

Protection from disclosure
Protection from alteration
Protection from destruction
Who is making the request
What rights and privileges does the requester have
Ability to build historical evidence
Management of configuration, sessions and errors/exceptions

Basic Practices

The following lists some of the recommended web security practices that are more specific for software developers.

Sanitize inputs at the client side and server side
Encode request/response
User HTTPS for domain entries
Use only current encryption and hashing algorithms
Do not allow for directory listing
Do not store sensitive data inside cookies
Check the randomness of the session
Set secure and HttpOnly flags in cookies
Use TLS not SSL
Set strong password policy
Do not store sensitive information in a form’s hidden fields
Verify file upload functionality
Set secure response headers
Make sure third party libraries are secured
Hide web server information

Security Testing

Common attributes of security testing include authentication, authorization, confidentiality, availability, integrity, non-repudiation, and resilience. Security testing is essential to ensure that the system prevents unauthorized users to access its resources and data. Some application data is sent over the internet which travels through a series of servers and network devices. This gives ample opportunities to unscrupulous hackers.

Summary

All secure systems implement security controls within the software, hardware, systems, and networks - each component or process has a layer of isolation to protect an organization's most valuable resource which is its data. There are various security controls that can be incorporated into an application's development process to ensure security and prevent unauthorized access.

References

↑ Stewart, James (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 275–319. ISBN 978-1-118-31417-3.

Stewart, James (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 275–319. ISBN 978-1-118-31417-3.
Report from Dagstuhl Seminar 12401Web Application Security Edited by Lieven Desmet, Martin Johns, Benjamin Livshits, and Andrei Sabelfeld, http://research.microsoft.com/en-us/um/people/livshits/papers%5Ctr%5Cdagrep_s12401.pdf
Web Application Security Consortium, The 80/20 Rule for Web Application Security by Jeremiah Grossman 2005, http://www.webappsec.org/projects/articles/013105.shtml
Wikipedia Web Application Security page, Web application security
Web Security Wiki page, https://www.w3.org/Security/wiki/Main_Page
Wikipedia Web Security Exploits page, Category:Web security exploits
Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/Main_Page
Wikipedia Network Security page, Network security
Open Web Application Security Project (OWASP) web site, https://www.owasp.org/images/8/83/Securing_Enterprise_Web_Applications_at_the_Source.pdf

This article is issued from Wikipedia - version of the 11/28/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.