Coding and Code Security Go Hand-in-Hand: How Can Developers Manage Both?

In the fast-evolving threat landscape, any software vulnerability is a potential invitation to data breaches and cyberattacks.

July 29, 2021

Writing code is not easy, and writing secure code can be even more challenging. The slightest error or miscalculation can leave software vulnerable to future breaches, which can eventually cost companies millions of dollars in ransom payments or business disruption. As a matter of fact, in many cases it is the developer who introduces vulnerabilities into the code.

In 2019, unknown threat actors planted spyware called Pegasus on the smartphones of thousands of individuals across the world after exploiting a vulnerability in WhatsApp. Facebook later confirmed that WhatsApp suffered from a buffer overflow vulnerability that allowed attackers to remotely run malicious code on a device by sending a series of specially crafted data packets. The overflow occurs when certain memory areas of a running process are overwritten with data that exceeds the buffer’s capacity.

Buffer overflow is one of the most notorious software weaknesses. The C and C++ programming languages are the most susceptible to it because they allow direct memory access. However, this weakness is avoidable, just like every other software weakness and vulnerability that has been exploited or reported in recent times.
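As an added illustration (not code from the article, from WhatsApp or from Facebook), the weak copy pattern behind a packet-handling buffer overflow is shown next to its hardened form; the wire format, the function names and the 16-byte buffer capacity are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_CAP 16  /* assumed capacity of the receive buffer (constructed) */

enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* The weak shape: the sender-controlled length is trusted, so memcpy writes past
 * dst whenever declared_len exceeds the buffer. Shown for contrast, never called. */
void unchecked_copy(char *dst, const uint8_t *src, size_t declared_len) {
    memcpy(dst, src, declared_len);
}

/* Hardened form: check the declared length against the real capacity before any
 * memory write, and fail closed instead of truncating silently. */
int bounded_copy(char *dst, size_t dst_cap, const uint8_t *src, size_t declared_len) {
    if (dst == NULL || src == NULL || dst_cap == 0) return COPY_BAD_ARG;
    if (declared_len >= dst_cap) return COPY_TOO_LONG;  /* keep one byte for the NUL */
    memcpy(dst, src, declared_len);
    dst[declared_len] = '\0';
    return COPY_OK;
}

/* Assumed wire format (constructed): 2-byte big-endian payload length, then payload.
 * A length that claims more bytes than actually arrived is rejected up front. */
int handle_packet(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap) {
    if (pkt == NULL || pkt_len < 2) return COPY_BAD_ARG;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2) return COPY_BAD_ARG;
    return bounded_copy(out, out_cap, pkt + 2, declared);
}

/* Constructed sample packets exercising the three outcomes. */
int demo_well_formed(char *out, size_t out_cap) {
    static const uint8_t pkt[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    return handle_packet(pkt, sizeof pkt, out, out_cap);
}
int demo_oversized(char *out, size_t out_cap) {
    uint8_t pkt[2 + 32] = { 0x00, 0x20 };  /* declares 32 bytes, more than PAYLOAD_CAP */
    memset(pkt + 2, 'A', 32);
    return handle_packet(pkt, sizeof pkt, out, out_cap);
}
int demo_lying_length(char *out, size_t out_cap) {
    static const uint8_t pkt[] = { 0x00, 0x09, 'a', 'b' };  /* claims 9 bytes, carries 2 */
    return handle_packet(pkt, sizeof pkt, out, out_cap);
}
```

The oversized packet is the case a static analyzer or a bounds-checked copy catches; the lying-length packet shows that the declared size must also be checked against what actually arrived.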

“The unfortunate thing with programming is that often computers do what they are told, not what we want them to do. And that does not apply just to a single isolated developer; the same holds true for all the codebase, be it OS or a library, the developer may depend on,” said Adolf Středa, malware analyst at Avast, a cybersecurity company.

Středa notes, “While we are still greatly advancing with tools and techniques that help us reduce the amount of vulnerabilities, the usual time pressure and the still expanding vastness of the codebase we tend to work with still commonly present many opportunities for vulnerabilities.”


How Developers Introduce Vulnerabilities in Codes

The resilience of any software against a potential data breach rests on the underlying code. Any error in the code heightens the risk of the software being tampered with. Several factors can cause these errors, including a lack of knowledge of key concepts and security best practices, careless borrowing of code from external sources or outdated libraries without proper validation, and pressure to finish the software quickly and rush it to market.

Lack of guidance and knowledge: Many developers feel overwhelmed and unprepared to write secure code despite having the coding skills. According to a survey by GitLab, 70% of programmers said they have struggled to write secure code and feel they could do better with proper guidance.

Unvalidated sources: Often, developers borrow code for specific functions from external sources to save time and effort. However, if the sources have not been validated and appropriately tested for possible vulnerabilities or abandoned backdoors, the application logic can be compromised.

Improper input validation: Input validation is critical to identify and eliminate potentially dangerous inputs at early stages. This ensures that input is safe for processing within the code. Attackers can manipulate input that is not validated properly. 

Lack of proper encoding: Most software relies on structured messages, such as queries or commands, for communication between components. If these messages are not correctly encoded, attackers can manipulate the software and replace legitimate commands with malicious ones to perform unintended operations.

Overemphasis on quality: Often, developers are too focused on achieving specific performance standards set by clients or IT decision-makers. At times they even skip expensive and resource-intensive steps in order to optimize performance. Though security is not completely overlooked, it quickly gets sidelined, and many security best practices are ignored as a result.

Using outdated libraries and plugins: Using outdated libraries, plugins and software can also be risky, as they may contain unpatched vulnerabilities. Attackers are usually aware of such vulnerabilities, and they are easy to exploit.

Language-specific vulnerabilities: Every programming language has unique vulnerabilities that new developers may not be familiar with. A case in point is the buffer overflow vulnerability in C or C++ or the code injection vulnerability found in SQL, JavaScript, and PHP. 

Insufficient logging and monitoring: If a software design lacks proper logging and monitoring, it will fail to record critical security events such as failed login attempts. This hinders forensic analysis and makes the detection of malicious behavior difficult. According to the Open Web Application Security Project (OWASP), exploitation of insufficient logging and monitoring is quite common.


Středa feels the paradigms programmers use have also become more complex over time, adding, “a decade ago we may have been worried about concurrency in threads; today, we’ve made progress towards asynchronous programming with which we have even less certainties we can count upon. And while we work on tools that help us mitigate that, we often sacrifice some of the security for convenience.” 

“While Haskell’s strict type control may help us avoid some types of bugs, for most programmers, working with Haskell would generate significant overhead. Instead, we may opt for Python, which may have sacrificed strict typing, but on the other hand, we probably will require comparatively less time to develop the project,” he added.

Why Code Writing With Security in Mind Is Critical

According to reports, many of the recent data breaches and cyberattacks were triggered by inherent software vulnerabilities. The buffer overflow attack on WhatsApp that allowed unknown actors to spy on company heads, journalists, politicians, activists, and lawyers is one example. Similarly, the more recent Kaseya ransomware attack is believed to have been enabled through SQL injection, a common application-layer attack.

Citing findings of the Software Engineering Institute, the U.S. Department of Homeland Security (DHS) stressed that 90% of reported cybersecurity incidents are caused by exploits in the design or code of the targeted software.

Fixing a vulnerability in mature software that has seen several update cycles is not as simple as it seems. A June 2021 report by WhiteHat Security shows that the average time taken to fix critical vulnerabilities was 205 days as of May 2021. The report also revealed that 66% of all applications used by the utility sector in the U.S. suffered from one exploitable vulnerability that remained open throughout the year. WhiteHat Security claims that utility companies in the U.S. have faced multiple attacks in the last few years that were never reported.

Not long ago, in February 2021, attackers gained remote access to systems of the Oldsmar water treatment plant in the state of Florida and tried to increase the amount of sodium hydroxide in the town’s water supply to a potentially dangerous level.

Keeping all these challenges in mind, detecting vulnerabilities in code at an early stage becomes even more critical.

What Developers Can Do To Detect Vulnerabilities Early

Vickie Li, a developer evangelist, emphasizes that it is the developers who add vulnerabilities into code and that they should fix them too. “If we as developers can learn about the common pitfalls of application security and secure development, we can prevent vulnerabilities from being introduced into the code base, saving ourselves and our colleagues time and headache down the line,” she wrote in her blog post.

Juan Sacco, Co-Team Lead of the Red Team at Avast, also feels that these vulnerabilities can be fixed early on with proper education and training at the initial stages of software development. “The best tool is the developer itself; education, structure and early discussions could fix a bug before even touching the keyboard,” he added.

To make writing secure code easier, Microsoft-owned GitHub has recently added a new artificial intelligence (AI) tool called Copilot that can suggest individual lines or entire functions based on existing code and comments written by developers. This would enable them to quickly switch to alternative approaches to solve problems, write tests, and explore new APIs. Copilot has been developed in collaboration with OpenAI, a San Francisco-based AI research company.


Here are five best practices to address security challenges in software development:

1. Training: Experts feel it is important to include security education in the security tools used to limit context switching and friction. Li believes developers should be made familiar with how security or the lack of it impacts users. Security training should be customized to help developers understand the real-life importance of best security practices. 

2. Use trusted libraries to borrow code: Developers should always rely on proven and trusted libraries such as GSON, Apache Commons and Bouncy Castle for external dependencies.

3. Least privilege principle: One of the best practices to avoid vulnerabilities in code writing is the principle of least privilege. Developers need to disable, block, and remove any system component they don’t require. 

4. Stay up to date: Keeping an eye on the top software vulnerabilities can also help developers avoid repeating the same mistakes as others. Developers should regularly check the Common Weakness Enumeration (CWE) Top 25, a valuable community resource that publishes the list of the most severe and current security weaknesses.

5. Use static analysis tools: The more commonly used techniques such as dynamic analysis and penetration testing have been known to miss many exploitable vulnerabilities. Static analysis is touted to be a lot more effective in comparison. By automating the testing process, these tools save time and resources. Developers can use a SAST tool to scan the application and then validate the results using manual code review.

Sacco also weighs in favor of SAST tools and adds, “SAST tools are quite effective at detecting vulnerabilities in the early stages of the development cycle. Some of them also include references to manual pages or documentation so the developer can learn how to avoid stepping on the same stone next time.”

“It is important to create a healthy relationship between developers and the results of a SAST scan so the developers could also have a voice at the end of it. The tool itself should facilitate good development practices without inhibiting development speed and efficiency,” he adds.

Embold, Fortify, CodeSonar, SonarQube and Veracode are some of the top SAST tools that can test code for weaknesses. These tools support all major programming languages, including Java, C, C++, JavaScript, TypeScript, HTML, CSS, SASS, C#, Objective-C, Python and PHP.

The Path Forward

Writing secure code can be challenging. It is well known that developers are the ones who introduce many of the known vulnerabilities into code, exposing an application or program to all sorts of cyber risks throughout its life cycle. By following a few best practices, they can minimize the risk of errors and make future software and applications more secure.

Do you think secure coding best practices can minimize vulnerabilities and the risk of data breaches? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Abhijit Ahaskar
Abhijit Ahaskar is an Assistant Editor at Toolbox. He has over 11 years of experience covering B2B technologies, including cybersecurity, automation, AI, IoT and cloud computing. He has previously worked at Mint, PCQuest and MyMobile. You can get in touch with him at [email protected]