Security Basics

About

This page is meant to be as an starting point for security in development, for developers with little or no experience at all with secure development and good security practices in development.

Awareness

Every year vulnerabilities tend to grow in numbers (as you can see in CVE Details) as well as weakness in code (view CWE from Mitre).

Lots of enterprises are more aware about security in their software, ransomware groups and attacks are pretty common every single day, automated scannners for common vulnerabilities run by bad actors...

The are lots of reasons to take security seriously as a developer. Just take a Raspberry Pi (or other similar device) or spin up a VM in a cloud service, and open SSH port on port 22 publicly... You will be shocked with the number of attempts to login to your device...

Then have a look to some of this visualization tools:

• Cloudflare offers "Cloudflare Radar" where you can see an instant overview of internet insights (some regarding security and attacks).

• The NIST (National Instutute of Standards and Technology) provides multiple visualizations of it's vulnerability database.

• CheckPoint offers ThreatMap where you can see attacks in real time, as well as attacks on the day of visit (tends to grow to millions a day).

• Kaspersky offers Cybermap, a realtime CyberTheat map.

• Radware offers another live threat map worth to check out.

• NetScout offers Horizon, its own cyber threat real-time map.

• Imperva also offers its own cyber threat attack map.

• And lots of other tools:

  • Digital Attack Map (DDoS attacks)

  • Akamai Internet Station (Cyber attacks)

  • Threatbutt Internet Hacking Attack Attribution Map

  • Fortiguard (Fortinet) threat map

  • Bitdefender Cyberthreat real time map

  • Talos Cyber attack map (Spam & Malware)

  • SonicWall live attack map

Search news for data breaches, security incidents, ransomware attacks.

Are you more concerned now?

Great. Let's improve this situation...

A good starting point is to look at OWASP Top Ten, these are the main application security risks that are most important nowadays. The goal is to minimise these risks.

Secure Coding Practices

A very good starting point to ensure whatever you are developing, you meet with this OWASP checklist.

This SecureCoding blog post about it, it's also very useful.

This checklist covers the following points:

• Input Validation

• Output Encoding

• Authentication & Password Management

• Session Management

• Access Control

• Cryptographic Practices

• Error Handling & Logging

• Data Protection

• Communication Security

• System Configuration

• Database Security

• File Management

• Memory Management

• General coding practices (this last point is very important)

From the last bullet point, make sure you are following this coding practices:

• Use tested and approved managed code rather than creating new unmanaged code for common tasks.

• Utilize task specific built-in APIs to conduct operating system tasks. Do not allow the application to issue commands directly to the Operating System, especially through the use of application initiated command shells.

• Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files.

• Utilize locking to prevent multiple simultaneous requests or use a synchronization mechanism to prevent race conditions.

• Protect shared variables and resources from inappropriate concurrent access.

• Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

• In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible.

• Avoid calculation errors by understanding your programming language's underlying representation.

• Do not pass user supplied data to any dynamic execution function.

• Restrict users from generating new code or altering existing code.

• Review all secondary applications, third party code and libraries to determine business necessity and validate safe functionality.

• Implement safe updating using encrypted channels.

Getting some help

You don't have to do all of this without help!

Look for professionals, professional enterprise ready tools and solutions. awesome OSS projects and others in other sections of this page...