Security and Software Development: Secure Coding Standards

Algorithmic vulnerabilities are technical flaws in a man-made component, typically hardware and software. In software, the flaws can be design flaws or implementation flaws, commonly coding errors. Software infected with bugs has been a problem for decades. Software engineering was invented to find ways to minimize them, and formal methods were invented to eliminate them, but attaining that goal has been quite elusive. In past years, security issues have occasionally raised awareness of the problem, notably buffer overflow attacks, which were eventually resolved by improved coding techniques. SQL injection attacks are, in some ways, an evolution of buffer overflow and can also be prevented by proper coding.

Coding standards are a classic solution to the problem of preventing coding flaws from infesting new software. In many shops, the standards were used to assure that maintainable software was produced. The typical standard consisted of a list of requirements to be applied by programmers when writing code. These requirements were then enforced during code reviews and other activities linked to quality control.

The same approach can be applied to a list of techniques to prevent exploitable algorithmic vulnerabilities. Any number of authoritative sources are readily available, so generating a list of techniques is more a library exercise than a laboratory one. Further, consultancies specializing in advising on solutions can be easily found by simple Internet searches.

There are several advantages to creating and using an in-house standard. Involving programmers in researching, writing and reviewing the standard helps overcome resistance and generate a sense of ownership. Also, language-specific issues can be focused on, ensuring the result is appropriate to the environment.

A coding standard should be regularly reviewed to ensure it remains fit for purpose. As new attacks appear that focus on previously unrecognized vulnerabilities, the standard needs to be updated with techniques that prevent those vulnerabilities, minimizing the new risks.

Vulnerability scanners have been in use for at least a quarter century. Scanners specializing in applications are available and are useful in identifying problems.

Secure coding standards provide agreed requirements used in the software development lifecycle, usually in the coding and testing activities. Test plans should provide procedures for testing based on the standard's requirements.
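The following is an added illustration, not part of the original article: one possible standard requirement ("SQL statements use bound parameters, never string concatenation"), covering the SQL injection case mentioned earlier, together with a test-plan procedure derived from it. It uses Python's built-in `sqlite3` module; the table, the function names and the sample rows are hypothetical and constructed for the example.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_noncompliant(conn, name):
    # Violates the rule: caller input is spliced into the SQL text,
    # so a quote character in `name` changes the statement's structure.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_compliant(conn, name):
    # Follows the rule: the SQL text is constant and the value is bound,
    # so the driver always treats `name` as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def check_requirement(find_user):
    """Test-plan procedure: return the failed checks for a lookup function."""
    conn = make_db()
    failures = []
    if find_user(conn, "alice") != [("alice", "admin")]:
        failures.append("exact match must return only that row")
    # Constructed input containing SQL metacharacters: must match nothing.
    try:
        rows = find_user(conn, "x' OR '1'='1")
    except sqlite3.Error:
        rows = None  # a syntax error also means input reached the parser
    if rows != []:
        failures.append("input with a quote must be treated as data")
    # A name that legitimately contains a quote must round-trip.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "user"))
    try:
        rows = find_user(conn, "o'brien")
    except sqlite3.Error:
        rows = None
    if rows != [("o'brien", "user")]:
        failures.append("legitimate quote in a name must be handled")
    return failures
```

Running `check_requirement` against each lookup function during testing gives a pass/fail result per requirement, which is the kind of procedure a test plan can reference directly.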

Application programming is not often thought of as being relevant to security; this is an oversight, as it certainly is very important. Secure coding standards correct this error by providing requirements that prevent exploitable algorithmic vulnerabilities from appearing in new code and systems.
