Secure coding practices

Similar documents
SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Secure Application Development. OWASP September 28, The OWASP Foundation

Solutions Business Manager Web Application Security Assessment

Evaluating the Security Risks of Static vs. Dynamic Websites

File Transfer and the GDPR

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Bank Infrastructure - Video - 1

# ROLE DESCRIPTION / BENEFIT ISSUES / RISKS

Security Solutions. Overview. Business Needs

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Gladiator Incident Alert

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

CPTE: Certified Penetration Testing Engineer

Aguascalientes Local Chapter. Kickoff

HP 2012 Cyber Security Risk Report Overview

CSWAE Certified Secure Web Application Engineer

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

SDR Guide to Complete the SDR

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

CoreMax Consulting s Cyber Security Roadmap

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

A (sample) computerized system for publishing the daily currency exchange rates

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Application Penetration Testing

Vidder PrecisionAccess

Hackveda Training - Ethical Hacking, Networking & Security

Secure Access & SWIFT Customer Security Controls Framework

Improving Security in the Application Development Life-cycle

Privileged Account Security: A Balanced Approach to Securing Unix Environments

RiskSense Attack Surface Validation for Web Applications

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Recommendations for Device Provisioning Security

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Application Vulnerabilities: OWASP Top 10 Revisited

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Define information security Define security as process, not point product.

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Host Website from Home Anonymously

Secure Programming Techniques

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Certified Secure Web Application Engineer

EasyCrypt passes an independent security audit

Copyright

Progress Exchange June, Phoenix, AZ, USA 1

C and C++ Secure Coding 4-day course. Syllabus

Web Application Whitepaper

DIABLO VALLEY COLLEGE CATALOG

CERTIFICATE IN WEB PROGRAMMING

Next Generation Privilege Identity Management

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Mobility, Security Concerns, and Avoidance

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Endpoint Security - what-if analysis 1

Top 10 Application Security Vulnerabilities in Web.config Files Part One

- Table of Contents -

Wireless LAN Security (RM12/2002)


Buffer overflow background

SHA-1 to SHA-2. Migration Guide

Managed Application Security trends and best practices in application security

Network Integration Guide Planning

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Vulnerabilities in online banking applications

P2_L12 Web Security Page 1

Achieving End-to-End Security in the Internet of Things (IoT)

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

CS 356 Operating System Security. Fall 2013

Building Trust in the Internet of Things

Security Enhancements in Informatica 9.6.x

the SWIFT Customer Security

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

SECURE DATA EXCHANGE

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

EC-Council V9 Exam

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PowerApps Security Features

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Siebel CRM. Siebel Security Hardening Guide Siebel Innovation Pack 2015 E

19.1. Security must consider external environment of the system, and protect it from:

CyberArk Privileged Threat Analytics

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Transcription:

Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing

Secure coding practices Writing good code is an art but equally important is programmers awareness of secure code practices, and the care they take when defining variables and structures and passing references and pointers from one module to another. Overview of code security While defining variables, programmers need to first assess memory space to be allocated, and clearly define the individual scope of reference variables while passing references inside functions. In languages such as C++, defining and using pointers is good practice as it improves performance and speed, especially in the case of applications like core banking where there are multiple users. But on the flip side, this poses enormous risk to data security as pointers can be accessed from outside and variable values can be manipulated. Programmers should follow secure coding practices while dealing with arrays, linked lists, stacks and vectors, which are the linear data structures normally used in coding, always keeping in mind that size of such data structures should be strictly limited to the space required. Location the physical address at which these structures are defined is an important aspect as well. In addition, it is essential to restrict access to the structures using proper access controls such as public, private or protected, inside the code. Another thing to be kept in mind is that variables, used normally for handshaking between two modules say, loans with payments should have a restricted set of values defined. These variables are normally static and their scope should be defined within certain boundaries. Also, it is always reco-mmended to perform code audits before implementation, so that potential code vulnerabilities can be fixed. For that, the code auditors should be enabled with proper know-how about individual languages and related secure code practices. Moreover, programmers should be aware of specific security related features of each programming language. Code review by experts ensures that programmers implement good security practices. Security breach in coding Security breaches in coding are primarily of 4 generic types: Code injections: In most of the functionalities where end users are allowed to upload file content, they can also inject codes in the Web server. These codes can perform malicious acts and pass valuable system information to hackers. Malware passing/hosting: Malware, which is software written to perform malicious activities, can be passed inside Web interfaces if codes are not written securely. Insecure database calls: Generic database calls require variables like database passwords and names and user names that are generally accessed 02

through static storage variables or properties files. It is important to write these calls in a manner that passwords and user names can be generated at run time and passed in the program. It has been observed in security audits that many enterprise applications use hardcoding of passwords and other parameters, which is a wrong programming practice. Properties file misuse: Properties files normally used to access basic data, contain lists of unencrypted variables whose values can be modified by system users. If such files are used, the variable values should be stored using interfaces and in encrypted format. However, it is recommended to avoid these files altogether. Further, if the property file of the server is compromised, hackers can overload its access methods and misuse them. It is preferable to create combination keys with two or more resources instead of using just one properties file. These can be run time generated and passed to required modules. Change management and version control In general code writing practices, version control is achieved using version numbering. Secure practices need to be followed during the change management implementation process. The changes in code should be highlighted with details and code review should be done before deployment. Also, the vulnerabilities due to new changes in code should be addressed explicitly. General secure coding practices Concept of no tolerance When coding, the tolerance related to variable length, scope and accessibility should be predetermined and only the required scope should be allowed. The tolerance for variable length should be optimized. Scopes for generated objects should also be predetermined. Ideally, code should not rely on variable scope predefined by the compiler. Certain thumb rules of secure coding Vertical and horizontal code drafting practices/ Code Orientation: Although code drafting methods might change as per language specifications, the normal way of writing code is either vertical cascading or horizontal splitting of code. The vertical cascading method helps programmers to understand the code whereas horizontal splitting enables them to define the scope of functions and variables. Variable declarations: When variables are declared in code, the variable length and scope of variable access should be predetermined; declarations should be made accordingly. Use of fixed length variables should be avoided and preferably, variables should be defined with dynamic memory allocations. Many new compilers like VB and VC++ support postponement of variable declaration by mentioning only the variable name and not the type. In such cases, variable types and properties should be determined within the scope without any overload of unnecessary features. In languages that support object referencing, programmers should avoid making multiple copies of the same variables. System level and semaphore variables: In cases where shell variables are used, variable values have to be sanitized. It is preferable to initialize values and not to assume default 03

vales as per system usage. Normally for interprocess communications where semaphores are implemented, the variables used to control the semaphores should be initialized in advance and then further modified as per system usage. As the semaphore controlling variable values are generally global in nature, it is important to determine entry and exit point values in advance. Object oriented principles Partial and full implementation of Object Oriented Programming (OOP) and security: OOP is in line with best security practices, with some exceptions. For instance, high usage of friend and virtual functions makes code more insecure and prone to compromise. Well-defined scopes like public, private and protected, secure the code. Certain programming languages like Java do not support multiple inheritances, thus protecting the methods defined under classes. Data abstraction and multiple inheritance linkages: Programmers should avoid using multiple inheritances as it adds to code vulnerability. Making major variable declarations in public scope enables easy access, thereby compromising OOP abstraction. Prevention of inheritance by key words like Final : In certain languages like C++ and Java, inheritance can be restricted using key words such as Final, thus disallowing users from inheriting class methods available in base class. This can be done when programmers do not want any further extensions and use defined class members. Security for software deployment Secure deployments, keys protection in code deployment: Generally, codes are deployed through popular deployment tools which compress the files and serially deploy them on the destination server. The deployment codes might be insecure, resulting in holes in the applications. Preferably, deployments should be done serially and manual handling should be strictly avoided. Keys used for secure deployments should be dynamic, with a specified time period to avoid code misuse. Code level security for Web applications While SQL injection is a common Web vulnerability, it is also important to write optimized queries in order to secure the data objects. This ensures the safety of the SQL output artifacts and also improves performance of database calls. Also, retrieval of unnecessary database column values should be avoided. Web server secure practices: Web server logs should always be configured to another drive where they can be stored. This will enable the tracing of hacking attacks. In addition, error messages (such as page not found ) should be altered to prevent the user from getting details like Web server configuration and version path. Web server default passwords and paths should also be changed as per specific requirement. Secure way of code deployment on Web: Web-based code deployment, being very unsecure, should be managed well. Handshakes should happen on key exchange mechanism and both client and server application should authenticate the connection between them. 04

Best security practices at the individual language level Each programming language has its own features around which security practices are set. C/C++ Even if declared implicitly, array bounds in C++ should be set explicitly, and should not be left open-ended. The structures should be defined dynamically as well. Also, loop arrays should not be allowed to iterate beyond the end of the array, so as to reduce buffer overflow attacks. In addition, conversions using void pointers should be avoided, while the automatic variables used need to be initialized before declaration. Java Sanitization of all data input irrespective of the source, substantially reduces risk of attacks such as code injections. It is also advisable to declare data variables of a class as private, thereby restricting access. Even in the case of nested classes, the methods accessing the private members of the outer class should be declared as private. Besides, exceptions should not be allowed to expose sensitive information. The outcomes of exceptions should be changed by proper exception handling, so that users get only valid exceptions. Use of the key word Finally while handling the exception significantly reduces data vulnerability. Null pointers should not be de-referenced, as this can cause the null pointer exception. Error messages passed to the user through servlets should be appropriate and should not display any confidential data. ASP.Net When using the popular programming language ASP.Net, data input from all users should be thoroughly sanitized. Stored procedures should be used to filter malicious user inputs, thereby mitigating code injection attacks. Also, session hijacking attacks can be reduced by disparate transmission of authentication and session cookies and using only the HTTPS network for the same. Authentication credentials should also be passed only over HTTPS. Network eaves dropping can be reduced by transmitting all information between client and browser over Secure Sockets Layer (SSL). Programmers should also ensure that client side options such as view state /hidden variables are not used to store sensitive data. Further, sensitive information must be stored on the server and not on the client side. Additionally, appropriate error messages should be displayed just like in Java. PHP In the server-side programming language, PHP, the majority of attacks can be reduced by sanitizing the input; functions like filter_input/ filter_id can be used. While using MySQL, it would be preferred to change password frequently. Malicious scripts can be prevented from running on the browser by removing content like special characters before it is sent to the users. Attacks such as Remote File Inclusion/Local File Inclusion can be reduced by sanitizing the inputs, restricting dynamic inputs that come from the user and placing strict access controls for critical files. Again, error messages sent to the user must be generic and not disclose any information. Shell scripts When using shell scripts, a popular scripting language mainly based on the Unix platform, restricted access must be ensured, with read, write and execute permissions for individual scripts given according to users privilege. In fact, Unix is considered the most secure Operating System because of the security features offered though shell scripts. Programmers should restrict privileges for specific command execution as well. For instance, those given permission to view the directory should not be allowed to make any changes. Additionally, the access controls for individual files and directories should be predetermined. Segregation of users based on privileges is very important too. 05

While writing and executing filters, steps to prevent data exposure should be taken care of in advance. During processing, programmers should exercise caution when exposing kernel calls and switches to end users. They should also ensure that fork calls are finite and controlled by defined system variables as they are highly sensitive to memory usage. In addition, TCP/IP stack gets exposed to programmers directly through shell script and C programs and programmers should avoid display of unnecessary stack information to end users. There have been instances of companies preparing their own protocol to avoid content exposure through the TCP/IP stack. Conclusion Application coding security is not restricted to just drafting ways of coding. Rather, it calls for a comprehensive approach that encompasses methods of Web and database server configuration, ways of making calls on Web servers and databases, techniques of handling properties files et al. Best security practices should be formulated keeping in mind language specific features and should be applied during configuration, coding and implementation. Bibliography 1. Session Hijacking: Refers to the exploitation of the session, done mainly by theft of the session key used to authenticate a valid user and gain access to services. 2. Network Eavesdropping: Refers to the sniffing of the data packets transmitted along a network to gain access to sensitive information. This is done using sniffers. 3. Semaphores: Used in operating systems, for coordinating activities between multiple processes that compete for using the resources of the operating system. Depending on the value of the semaphore the process will know whether to utilize the resource or to wait. 4. SQL Injection attack: SQL queries are drafted and inserted in Web forms maliciously to extract sensitive information from databases. 5. Array: Term referred to the use of a collection of variables belonging to a single type. 6. Pointers: A variable which is used to store the address of another variable. Makarand Madhukar Baji Senior Consultant, Finacle Payments, Infosys Sandhya Ravikumar Technology Analyst, Finacle E-Banking and Channel Support, Infosys 06

About Finacle Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with accelerated innovation that is key to building tomorrow s bank. For more information, contact Finacleweb@infosys.com www.infosys.com/finacle 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback