
Friday 15 March 2013

Develop an Enterprise Secure Coding Programme

So let's start out by saying that I have no intent on teaching you how to code, and you probably wouldn't want to learn from me anyway!

This particular rant is about developing your overall Enterprise Secure Coding Programme, regardless of your size.


More than ever before, we must be diligent about our Application Development practices. In today's fast-paced, highly competitive Internet environment, it is expected that your Corporate Applications not only look and feel "modern", but are also built to work on a multitude of platforms. Gone are the days when you can write an application to "work best" on Internet Explorer. Apps must present a consistent user experience across various browsers and platforms. This diversity of endpoint systems increases the potential for vulnerable code to be exposed.

Coding Securely needs to be a Corporate Culture, supported from the Top down. Every layer of employee has a role in this practice. An application built from the ground up on the principles discussed below will spend a lot less time in "vulnerability management", and a lot more time in building and releasing features.


I'm going to structure this discussion by addressing the responsibilities of each Business Role at a high level, then break each one of these down, further on.

Responsibilities of the CIO:


Responsibilities of the Application Development Team Lead:


Responsibilities of the Developer:

Responsibilities of the Quality Control and Test Team:
Coding Best Practices:
First of all, download and read the following!
(Then print it out, stick it on your fridge, and read it every morning!)
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
A coding best practice is a set of rules or procedures that one follows to create legible, well-documented application code that improves the quality of the application and provides for better maintenance. Code should be clearly written using a standard naming convention for object or variable names, routine or module names, and table/field names. Comments should be descriptive and short.

Business Core Competencies:
Base your Application Development Practice on your Business Core Competencies. By this I mean that if your company produces Widgets, then your Core Competency is in the mass production and sale of Widgets. Your developers should be spending the bulk of their effort in writing code to strengthen the sale of Widgets.
If they are developing "application frameworks" or writing "authentication" code, they are not doing you a service. There have been decades of collaborative prior art created that follow standards and have been rigorously tested.
Unless you are in the business of developing either of these... Don't.
Glad I got THAT off my chest.
Release Planning:

A software release life cycle is the sum of the phases an application goes through from its initial development, through testing, to release, and back to development for feature updates and bug fixes.

Application Framework:
Depending on what language you are developing in, there are many existing, established Application Frameworks. An Application Framework is a library of software that has been developed to take care of the tedious tasks of managing input/processing/output for various target systems.

Many current frameworks use the Model-View-Controller architecture to segment and manage their application code.
An easy way to understand MVC: the model is the data, the view is the window on the screen, and the controller is the glue between the two. -- ConnellyBarnes
  • Model - This is your Business Logic: Workflow, Database
  • View - This is your Presentation Logic
  • Controller - This is your Application Logic
Reusable Code Libraries:
Where possible, reuse functional code modules both within an application and between applications. Maintain these functional modules in a library where Business Units can share and improve them.
(See "Do Not Reinvent the Wheel" below)
  1. Understand the architecture of the original code to identify the components, boundaries, and interfaces
  2. Determine what is potentially reusable
  3. Estimate the time to reuse versus rebuild the components
  4. Make a decision on a component-by-component basis on what to reuse and how to reuse it (no change, minor update, major update)

Application Testing Methodologies:

Any application being developed must go through a series of testing regimes and criteria to be considered ready for production.  Typical testing includes:

  • Usability testing - validates that an application is designed to make tasks easier
  • User acceptance testing - makes sure your application meets the expectations of the user
  • Performance testing - does the application perform well under various loads
    • Stress testing - to determine the maximum performance limits of an application
    • Scalability testing - how adaptable is the application to changes in software and hardware
    • Load testing - to get an idea of how the application behaves under a heavy load
  • Security testing
    • Static - static testing involves doing a static code analysis to check for any vulnerabilities
    • Dynamic - run the app to see if the response is as expected for the associated request
  • Functional testing - ensures that individual functions are working well
  • Interface testing - ensures that individual components are connected properly


Do Not Reinvent the Wheel:
According to O'Reilly's 97 Things Every Programmer Should Know, you should "Reinvent the Wheel Often"... Their argument is as follows:
"Reinventing the wheel is not just an exercise in where to place code constructs: It is how to get an intimate knowledge of the inner workings of various components that already exist. Do you know how memory managers work? Virtual paging? Could you implement these yourself? How about double-linked lists? Dynamic array classes? ODBC clients? Could you write a graphical user interface that works like a popular one you know and like? Can you create your own web-browser widgets? Do you know when to write a multiplexed system versus a multi-threaded one?....."
Which is great if you are coding your own project on your own time, if you are a student or researcher, or if you are in fact reinventing code within the context of your Business Core Competencies to identify and fix a deficiency. However, if you are a paid developer and simply want to rewrite a new framework or module because you believe you can do it better... you are not doing your Company a service. Companies work on a Time to Market mentality. By utilizing trusted existing frameworks and Open Standards, you can get your application developed, tested, and published quickly.
Resources:
First of all, download and read the following! 
(Then print it out, stick it on your fridge, and read it every morning!)
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Microsoft: MSDN: Coding Techniques and Programming Practices
http://net.tutsplus.com/tutorials/html-css-techniques/top-15-best-practices-for-writing-super-readable-code/
Tips for Secure Session Management
OWASP: Session Management Cheat Sheet
https://www.owasp.org/index.php/Category:OWASP_CLASP_Project
W3C: Mobile Web Application Best Practices
isc2.org: Application Development Best Practices
Model View Controller explained
IBM: DeveloperWorks: Reusable Code Libraries
O'Reilly: Reinvent the Wheel Often
IBM: Developerworks: Web Application Testing
Forbes: The Key To Great Web Software Is A Consistent, Intuitive User Experience
http://www.marketingtechblog.com/html5-user-experience/
https://wiki.appcelerator.org/display/guides/Supporting+Multiple+Platforms+in+a+Single+Codebase
