Wednesday, May 6, 2020

Secure Coding and Testing Practices

Secure Coding Practices

  • Validate input.
    • Conduct all data validation on a trusted system (e.g., the server)
    • Validate input from all untrusted data sources.
  • Architect and design for security policies. 
  • Default deny.
  • Error Handling and Logging
  • Adhere to the principle of least privilege.
  • Communication Security
    • Implement encryption for the transmission of all sensitive information
  • Sanitize data sent to other systems. 
    • Sanitize Data: The process of making potentially harmful data safe through the use of data removal, replacement, encoding or escaping of the characters.
  • Practice defense in depth.
  • Use effective quality assurance techniques.
  • Adopt a secure coding standard.
  • Define security requirements. 
  • Model threats.
  • System Configurations
    • Ensure servers, frameworks and system components are running the latest approved version
  • Database Security:
    • Use strongly typed parameterized queries
    • Utilize input validation and output encoding, and be sure to address metacharacters. If these fail, do not run the database command
    • Remove unnecessary default vendor content (e.g., sample schemas)
  • Memory Management:
    • Utilize input and output control for untrusted data
    • Double check that the buffer is as large as specified
  • Authentication and Session Management
    • Authentication required by an application should be tied directly to the level of sensitivity
    • Developers should use established methods for session management
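
The database security items above (validate on the server, use strongly typed parameterized queries, and do not run the database command if validation fails) can be combined as in the following added example, which is not part of the original post. The table, the username allow-list and the function names are assumptions made for illustration, and the rows are constructed sample data.

```python
import re
import sqlite3

# Allow-list for usernames (assumed policy for this example): default deny.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


class ValidationError(ValueError):
    """Raised when input fails validation; no database command is run."""


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, role TEXT)")
    conn.executemany("INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def validate_username(value):
    """Server-side check: accept only values that fully match the allow-list."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username rejected")
    return value


def validate_user_id(value):
    """Coerce to a strongly typed integer within an expected range."""
    try:
        user_id = int(value)
    except (TypeError, ValueError):
        raise ValidationError("user id rejected") from None
    if not 1 <= user_id <= 2**31 - 1:
        raise ValidationError("user id rejected")
    return user_id


def find_role(conn, raw_name, raw_id):
    """Validate first; only then run a parameterized query."""
    name = validate_username(raw_name)   # raises before any SQL runs
    user_id = validate_user_id(raw_id)
    row = conn.execute("SELECT role FROM users WHERE name = ? AND id = ?",
                       (name, user_id)).fetchone()
    return row[0] if row else None
```

Validation and parameter binding are independent layers here: the `?` placeholders keep values out of the SQL text even if the allow-list is later relaxed.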

Software Testing

  • Code Review
  • Static Testing
    • It involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
  • Dynamic testing
    • It evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
  • Fuzz testing
    • It is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
    • Mutation (Dumb) Fuzzing
    • Generational (Intelligent) Fuzzing: Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
  • Interface testing 
    • It is an important part of the development of complex software systems. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
    • Application Programming Interfaces (APIs)
    • User Interfaces (UIs). Examples include graphic user interfaces (GUIs) and command-line interfaces. Interface tests should include reviews of all user interfaces to verify that they function properly.
    • Physical Interfaces. These exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world.
  • Misuse Case Testing
  • Test Coverage Analysis: estimates the degree of testing conducted against the new software.
    • Branch coverage: Has every if statement been executed under all if and else conditions?
    • Condition coverage: Has every logical test in the code been executed under all sets of inputs?
    • Function coverage: Has every function in the code been called and returned results?
    • Loop coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all?
    • Statement coverage: Has every line of code been executed during the test?

