Secure Coding Standards
Why do we need to follow it?
Up to 90% of software security problems are caused by coding errors, which is why secure coding practices and secure coding standards are essential. Secure coding standards are necessary because they help to ensure that software is safeguarded against software security vulnerabilities.
What is Secure Coding Standards mean?
Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.
What are Secure Coding Standards?
- CWE
CWE stands for Common Weakness Enumeration. Published by MITRE, CWE is a list of software security weaknesses in software and hardware, including programming languages C, C++, and Java.
The list is compiled by feedback from the CWE Community. In addition, the CWE Top 25 is a compilation of the most widespread and critical weaknesses that could lead to severe software vulnerabilities.
Refer link for the list of the 2020 CWE software weaknesses.
2. CERT
The CERT Oracle Secure Coding Standard for Java provides rules for secure coding in the Java programming language. The goal of these rules is to eliminate insecure coding practices that can lead to exploitable vulnerabilities.
The application of the secure coding standard leads to higher quality systems that are safe, secure, reliable, dependable, robust, resilient, available, and maintainable. And can be used as a metric to evaluate source code for these properties (using manual or automated processes).
3. CVE
Common Vulnerabilities and Exposures (CVE) is a list of publicly known cybersecurity vulnerabilities and exposures. Each item on the list is based upon finding a specific vulnerability or exposure found within a particular software product rather than a general class or kind of vulnerability or exposure.
The CVE list catalogs several types of software vulnerabilities, including:
- Denial of Service (DoS)
- Code Execution
- Buffer Overflow
- Memory Corruption
- SQL Injection
- Cross-Site Scripting (XSS)
- Directory Traversal
- HTTP Response Splitting
4. NVD
NVD is the U.S. government repository of standards-based vulnerability management data and it is connected with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings
5. DISA STIG
DISA STIG security guidelines are important, as they help ensure that your software is secure.
DISA STIG refers to an organization (DISA — Defense Information Systems Agency) that provides technical guides (STIG — Security Technical Implementation Guide).
6. OWASP
OWASP is the Open Web Application Security Project. It’s an international nonprofit organization that educates software development teams on conceiving, developing, acquiring, operating, and maintaining secure applications.
The current OWSAP top 10 includes:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring
7. PA-DSS
PA-DSS is a global security standard that applies to the development of payment application software.
Software vendors that make and sell payment applications need to follow PA DSS. This ensures the security of all the software components of an application that processes payment card data.
If payment applications are not compliant with the standard, it could result in significant fines. It also leaves customers’ personal information vulnerable to data breaches. For that reason, it is vital that you understand the payment security standard and how you can meet payment application compliance requirements.
8. IEC 62443
IEC 62443 is a set of security standards for the secure development of Industrial Automation and Control Systems (IACS). It provides a comprehensive and systematic collection of cybersecurity recommendations. It’s used to defend industrial networks against cybersecurity threats.
All above are Secure Coding Standards. Secure coding standards are necessary because they help to ensure that software is safeguarded against software security vulnerabilities. What’s more, secure coding is essential for every development team — regardless of whether it’s code for mobile devices, personal computers, servers, or embedded devices.
We will see how we can overcome the vulnerabilities in my next blog Secure Coding guidelines.
Thanks Deepak Naik for your guidance and review.
