CYBERSECURITY

Coders: You Shouldn’t Be Writing Another Line Of Code Until You Understand These Things

Or… The most overlooked parts of cybersecurity that you probably haven’t heard of — but you definitely need to be aware of.

synapticloop
Aug 10, 2022
Image by Author :)

TL;DR¹

Be nice to your team, your company, your ‘friendly’ DevSecOps / DevOps / SecOps people (the list of acronyms is probably larger now). Don’t just read the OWASP top 10 — understand it, and implement it into your day to day coding practices.

Table Of Contents

Security Begins At Home
The eggshell problem
The Current Top 10
1. Broken Access Control
2. Cryptographic failure
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)
Finally

Security Begins At Home

If you are truly a software engineer² then it is your responsibility to not only deliver the feature and functionality to work, to be performant, and to be open, but you must also understand the security flaws that you can let into your code.

One of the best places to start is the OWASP Top 10 — from their site:

“The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.”

They provide information, tools, and techniques to guide people in creating more secure code and websites. And with the litany of data breaches that keep on occurring, now is the best time to understand the common attacks.

Common attacks can be used both by highly dedicated hacking outfits, and script kiddies alike — but at least by understanding the top 10 — you will be able to reduce the attack vector and hopefully dissuade those who are just ‘testing the boundaries rather than those that truly wish to

The eggshell problem

In security terms — the eggshell problem describes security which is hardened around the edges — but all soft and gooey and accessible in the middle — just like an egg.

This comes from the belief that if you can stop attackers at the edge of the network, then you won’t need to do much else. Nice in theory, however, if anyone gets through the outer defences, then the rest of the systems are open to attacks.

The Current Top 10

At a minimum, all engineers and testers should be aware of the OWASP Top Ten and understand how to securely code any site, API, or application. If you or anybody on your team, doesn’t know about this — then you absolutely need to

1. Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. This is made worse by people not understanding what users should be able to do:

Ask this question: Who should be able to use this feature?
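To make that question concrete, here is an added example (not code from the article) of the difference between "is the user logged in?" and "is this user allowed to see this record?". The users, roles and invoices are constructed for the demonstration, and the role names are an assumption.

```python
# Added example (not from the article): object-level access control.
# Users, roles and invoices below are constructed for the demonstration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (assumed role names)


# Constructed data store: invoice id -> record
INVOICES = {
    101: {"owner_id": 1, "amount": 42.00},
    102: {"owner_id": 2, "amount": 99.50},
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(user: Optional[User], invoice_id: int) -> dict:
    """Only checks that *someone* is logged in. Any authenticated user can
    read any invoice by changing the id in the request: the restriction on
    what the user may do is never enforced."""
    if user is None:
        raise AccessDenied("login required")
    return INVOICES[invoice_id]


def is_allowed(user: Optional[User], invoice: Optional[dict]) -> bool:
    """Answers 'who should be able to use this feature?': the invoice's
    owner, or an admin. Everything else is denied, including lookups of ids
    that do not exist, so the response does not reveal which ids are valid."""
    if user is None or invoice is None:
        return False
    if user.role == "admin":
        return True
    return invoice["owner_id"] == user.user_id


def get_invoice(user: Optional[User], invoice_id: int) -> dict:
    """Enforces the rule server-side on every request, before returning data."""
    invoice = INVOICES.get(invoice_id)
    if not is_allowed(user, invoice):
        raise AccessDenied("not permitted")
    return invoice


if __name__ == "__main__":
    alice, bob = User(1, "customer"), User(2, "customer")
    print(get_invoice(alice, 101))            # allowed: Alice's own invoice
    print(get_invoice_vulnerable(bob, 101))  # leaks Alice's invoice to Bob
    try:
        get_invoice(bob, 101)
    except AccessDenied as exc:
        print("denied:", exc)
```

The check lives next to the data access, not in the UI: hiding a button is not access control. Denying missing and foreign records with the same response also avoids turning the endpoint into an oracle for which ids exist.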

2. Cryptographic failure

(previously known as ‘Sensitive Data Exposure’)

Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Ask this question: How is data that I am using or returning encrypted?

3. Injection

Tricking the interpreter into executing a command it wasn’t supposed to when talking to SQL, NoSQL, OS, and LDAP sources.

Does anybody remember ‘Little Bobby Tables’? (https://xkcd.com/327/)

Ask this question: Am I sanitising input and preparing my queries for the data store?

(If you don’t know what a prepared statement is — then this one is for you)
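As an added example (not from the article), here is what a prepared statement actually changes, using Python's built-in sqlite3 driver and a constructed two-row table: the same query written by string concatenation and as a parameterised statement, run against the classic tautology input that every injection tutorial uses.

```python
# Added example (not from the article): string-built SQL vs a prepared
# (parameterised) statement, using Python's built-in sqlite3 driver.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The input is pasted into the SQL text, so quote characters in it
    change the statement the interpreter runs."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the SQL is fixed and the value is bound separately,
    so the driver treats it as data whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def row_counts(username: str) -> tuple:
    """(rows from the vulnerable query, rows from the prepared statement)."""
    db = make_db()
    return len(find_user_vulnerable(db, username)), len(find_user(db, username))


if __name__ == "__main__":
    probe = "' OR '1'='1"          # classic tutorial input
    print(row_counts(probe))        # (2, 0): concatenation returns every row
    print(row_counts("alice"))      # (1, 1): both agree on a normal value
```

Note the ordering of defences: binding parameters is what makes the query safe; input sanitising is a second layer for values that must obey a format (an email, an integer id), not a substitute for it.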

4. Insecure Design

There is a difference between insecure design and insecure implementation with different root causes and remediation.

Ask this question:

5. Security Misconfiguration

(this now includes the former ‘XML External Entities (XXE)’)

Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Ask this question: Which security expert is configuring these things — or checking the work that I am doing?

6. Vulnerable and Outdated Components

(previously known as ‘Using Components with Known Vulnerabilities’)

Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.

Ask this question: When was the last time the versions were checked?

(And why isn’t this automatically checked and monitored already…?)

7. Identification and Authentication Failures

(previously known as ‘Broken Authentication’)

Authentication and session management are often implemented incorrectly allowing attackers to compromise a wide range of things.

Ask this question: Who is implementing the authentication and authorisation protocols?
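Whoever ends up implementing it, the two pieces most often got wrong are how passwords are stored and how session identifiers are generated. This added example (not from the article) shows both with only the Python standard library; the iteration count and salt length are assumptions for the demonstration.

```python
# Added example (not from the article): password storage and session tokens
# with the standard library. ITERATIONS and SALT_BYTES are demo assumptions.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption for the demo; tune upward for production
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Store a per-user random salt plus PBKDF2-HMAC-SHA256 of the password,
    never the password itself and never an unsalted fast hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; a malformed or
    foreign record verifies as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, expected)


def new_session_token() -> str:
    """Session ids must be unpredictable: use the CSPRNG, not random()."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                          # False
    print(new_session_token())
```

The stored string carries its own algorithm and cost, so the iteration count can be raised later and old records rehashed on next login without a flag day.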

8. Software and Data Integrity Failures

(this now includes the category ‘Insecure Deserialization’)

Where code or infrastructure does not protect against integrity violations — i.e. it allows arbitrary access to less-than-trusted resources.

Ask this question: Who is checking what is getting included in the codebase, and what can be accessed by the codebase?

9. Security Logging and Monitoring Failures

(previously known as ‘Insufficient Logging & Monitoring’)

Most breach studies show time to detect a breach is over 200 days, and without adequate logging, monitoring, and alerting, incident response time is severely hampered.

Ask this question: Am I logging enough in my code? Where is the dashboard that I can see it? What is the monitoring and alert setup for this?
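"Logging enough" means each security event carries who, what, where from and the outcome, in a form a monitor can parse. This added example (not from the article) emits such events as JSON lines and runs a small burst detector over a constructed sample; the threshold and window are assumptions.

```python
# Added example (not from the article): structured security events plus a
# sliding-window detector for bursts of failed logins. Log lines are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def log_event(ts: str, event: str, user: str, src: str, outcome: str) -> str:
    """One JSON object per line: who, what, from where, and the outcome.
    This is the minimum a monitoring pipeline can act on."""
    return json.dumps(
        {"ts": ts, "event": event, "user": user, "src": src, "outcome": outcome}
    )


# Constructed sample: six failures from one address in two minutes,
# one failure from another address, then a successful login.
SAMPLE_LOG = "\n".join([
    log_event("2022-08-10T09:00:01Z", "login", "alice", "198.51.100.7", "failure"),
    log_event("2022-08-10T09:00:20Z", "login", "alice", "198.51.100.7", "failure"),
    log_event("2022-08-10T09:00:45Z", "login", "bob",   "198.51.100.7", "failure"),
    log_event("2022-08-10T09:01:10Z", "login", "carol", "198.51.100.7", "failure"),
    log_event("2022-08-10T09:01:30Z", "login", "dave",  "198.51.100.7", "failure"),
    log_event("2022-08-10T09:01:59Z", "login", "erin",  "198.51.100.7", "failure"),
    log_event("2022-08-10T09:03:00Z", "login", "bob",   "203.0.113.5",  "failure"),
    log_event("2022-08-10T09:03:30Z", "login", "bob",   "203.0.113.5",  "success"),
])


def parse_events(text: str):
    """Yield events with the timestamp parsed; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        yield ev


def failed_login_bursts(text: str, threshold: int = 5, window_seconds: int = 300) -> dict:
    """Return {src: peak failures within any window} for sources that reach
    the threshold, i.e. the condition an alert should fire on."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in parse_events(text):
        if ev["event"] == "login" and ev["outcome"] == "failure":
            by_src[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))  # {'198.51.100.7': 6}
```

The detector keys on the source address, not the username, so a spray across many accounts (as in the sample) is still caught; a real deployment would feed the same events to a dashboard and page on the alert.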

10. Server-Side Request Forgery (SSRF)

This occurs whenever a web application fetches a remote resource without validating the user-supplied URL.

Ask this question: For any resource that is being requested — how am I validating that it is a trusted source?
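One answer to that question, as an added example (not from the article): validate the URL against an allowlist of hosts, permit only the expected scheme and port, and resolve the host to confirm it points at a public address rather than an internal one. The allowlist and the resolver results are constructed; the resolver is injected so the check runs offline.

```python
# Added example (not from the article): validating a user-supplied URL before
# the server fetches it. The allowlist and resolver results are constructed.
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # assumed allowlist


def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local, multicast and other special
    ranges, so a permitted hostname cannot be pointed at an internal service."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolve` maps a hostname to its IP addresses
    and is injected so the check can run offline and be unit-tested."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "port not allowed"
    ips = resolve(host)
    # Every record must be public: a single internal answer is enough to fail.
    if not ips or not all(is_public_address(ip) for ip in ips):
        return False, "host resolves to a non-public address"
    return True, "ok"


# Constructed resolver standing in for DNS.
FAKE_DNS = {
    "images.example.com": ["1.2.3.4"],   # constructed stand-in for a public address
    "cdn.example.com": ["10.0.0.5"],     # mis-pointed at an internal range
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://images.example.com/a.png",
                      "http://images.example.com/a.png",
                      "https://localhost/admin",
                      "https://cdn.example.com/a.png"):
        print(candidate, validate_fetch_url(candidate, fake_resolve))
```

Two caveats a practitioner would add: the fetch that follows must connect to the address just validated (or re-validate after each redirect, or not follow redirects at all), otherwise a redirect or a DNS change between check and use bypasses everything; and an allowlist of hosts is the control, the address check is only a backstop for a mis-pointed name.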

Finally

No one coder is going to be an expert on total security for the application, infrastructure, build pipeline etc.

The OWASP Top Ten is updated intermittently (the previous update was in 2021), so every coder should be aware of any new updates when the next list comes out (generally every 4 years).


Colophon

I learned about the OWASP Top 10 late in life —thankfully I was lucky enough to be mentored by some truly excellent people which meant that the coding practices that I was implementing were generally secure.

But when it comes to security — it really is never enough.

Footnotes:

¹ a TL;DR section is included in every article, so that the main points are highlighted, you get to decide whether this story is of interest, and quickly move on if there is nothing there for you [source: Too long, didn’t read — TL;DR]

² I will leave the rant about the differences between a coder and a software engineer for another time.
