In the first part of the Security Perspective Shift in SDLC blog, we understood the significance of an architect and developer’s perspective across different SDLC phases. Based on the same perspective, let us learn the best security practices software engineering teams must follow to avoid any security breach or vulnerability. This blog is a perspective change on how engineering teams could avoid the most frequently found OWASP TOP 10 Vulnerabilities by adopting the best Secured Coding Practices.
Injection
Any type of injection vulnerability is the most widespread vulnerability. These vulnerabilities are often found in SQL, XPath, NoSQL queries, LDAP, etc. These vulnerabilities can be found by examining code during code review. Static code scanners assist to easily detect such vulnerabilities from the code.
Best practices to be followed:
- Use parameterized query statements or prepared statements for SQL queries or use Object Relational Mapping tools. Even parameterized queries can introduce SQL injection if it concatenates data with query directly.
- Use whitelist server-side input validation for special characters.
- Use specific escape syntax for residual dynamic queries and escape special characters.
- Use of LIMIT or special SQL controls within queries to avoid mass disclosure of records.
Broken Authentication
This type of vulnerability is widespread due to the weak design and implementation of the Identity and Access module in the application. Cyber attackers can identify broken authentication manually or using tools with password lists and dictionary attacks.
Best practices to be followed:
- Implement multi-factor authentication to prevent automated attacks, brute-force attacks.
- Do not hardcode any default credentials in any case.
- Implement strong policies for password complexity, password rotation, and password length.
- Ensure use of the same messages for different scenarios like User registration, Invalid Username/Password, Forgot Password modules against account enumeration attacks.
- Limit on failed login attempts which can avoid brute-force attacks. Keep logging and informing to administrator of such failed attempts.
- Introduce account lock/suspend mechanism on multiple failed login attempts.
- Use server-side session manager which generates new session-id post-login. Session ID should not be used in URL, secured stored, and should be invalidated after logout or idle timeout.
Exposure to Sensitive Data
Exposure to sensitive data is the most common attack over the last few years. Generally, this type of vulnerability occurs due to non-encrypted sensitive data in the application. This type of vulnerability can still occur if the user has used weak key generation, weak algorithm, protocol, or weak password hashing storage techniques. So, these server-side weaknesses are easy to detect when data in transit for any attacker.
Best practices to be followed:
- Identify and classify sensitive data and discard if not needed.
- Ensure all required sensitive data has been encrypted with strong algorithms, protocols with proper key management.
- Encrypt all data in transit using secure protocols like SSL/TLS.
- Disable caching for a response that contains sensitive data.
XML External Entities (XXE)
Many poorly configured XMLs have external entity references used in them. External entities can disclose internal files using URI handler, internal port scanning, remote code execution, and denial of service attacks.
Best practices to be followed:
- Use of less complex data formats like JSON.
- Avoid serialization of sensitive data.
- Upgrade all XML processors used by the application.
- Disable XML external entity and DTD processing in all XML parsers used in the application.
- Implement whitelisting at the server-side for input validation to prevent hostile data inside XML.
- Perform static scanning to detect such kinds of vulnerabilities in source code.
Broken Access Control
This type of vulnerability occurs when access to features, screens, functionalities by authenticated users are implemented improperly. Attackers can exploit these vulnerabilities to access unauthorized functionality and/or data. These include access to other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. These types of vulnerabilities cannot be found by automated static or dynamic analysis. Manual testing is the best approach to find such vulnerability.
Best practices to be followed:
- Implement access control mechanism neatly and reuse the same throughout the application.
- Enforce all requests to go through access control checks. Log every access control event.
- Use of Deny by Default strategy for newly created accounts until access is configured. Similarly, when a new feature has been added to the application, all users should be denied using it until it is properly configured.
- Adopt the principle of Least Privilege.
- Do not hardcode the roles.
Security Misconfiguration
Security misconfiguration is the most common issue that occurs due to insecure default configurations, incomplete configurations, misconfigured HTTP headers. These misconfigurations can be easily detected using automated scanners.
Best practices to be followed:
- Test, review and confirm network infrastructure, server, HTTP header configurations along with cloud storage permissions.
- Add identical configurations in all environments. This process should be automated to minimize manual mistakes to configure a secured environment.
- Usage of segmented application architecture is a better approach.
Cross-Site Scripting (XSS)
XSS vulnerability occurs when the application accepts a value from an HTTP request (user-supplied data) and uses the same value within the immediate response in an unsafe manner i.e. Without proper validation. This attack allows executing scripts in a browser which can hijack sessions or redirect to malicious sites.
Best practices to be followed:
- Adopt frameworks that automatically escape XSS by design like Ruby, React JS, etc.
- Escape or encode untrusted user-supplied data on the context in the HTML output.
- Implement content-security policy in response header by which browser will not execute inline JavaScript.
Insecure Deserialization
This type of vulnerability might lead to remote code execution. This can be used to perform attacks like replay, injection, or privilege escalation attacks.
Best practices to be followed:
- Apply integrity checks on any serialized object.
- Enforce strict type constraint during deserialization.
- Log all deserialization exceptions and failures.
- Restrict on network connectivity of servers that deserializes.
Using Components With Known Vulnerabilities
Components such as libraries, frameworks are themselves vulnerable. They could be dangerous for application as it enables various attacks and impacts. If a vulnerable component gets exploited, then an attack can lead to serious data loss or server takeover.
Best practices to be followed:
- Do not keep any unused dependencies, libraries, files, and components.
- Track client-side, server-side component versions for security vulnerabilities and patches.
- Get components, libraries only from trusted and official sources.
Insufficient Logging and Monitoring
This may allow attackers to further attack the systems, tamper, extract or destroy the data. This insufficient logging will lead to problems like breaches getting informed by external parties instead of getting detected from internal monitoring.
Best practices to be followed:
- Ensure all types of loggings for failures, validations, user contexts, integrity checks which can find out any malicious activity if any.
- Ensure all logs have a certain format that can be easily consumed by log management solutions.
- Establish effective monitoring and alerting for suspicious activities.
Next Steps for Security Perspective
Negligence or compromise towards application security by engineering teams can cost the organization in terms of business, revenue as well as market reputation. So, software engineering teams, especially development engineers should change their perspective while developing and adopt secured coding practices as much as possible.
Xoriant brings decades of security experience with the cutting-edge new tools and technologies to protect your assets from legacy systems to cloud-native and mobile apps. We ensure that your business is free from actual and potential vulnerabilities.
Want to know more about how Xoriant can help you with security best practices and standards?
Connect With Xoriant Security Experts