Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. Analysis of thousands of vulnerability reports shows that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.
As any seasoned security professional will tell you, it’s impossible to build bug-free, vulnerability-free software. The name of the game in the security industry is risk mitigation, that is, reducing the risk to an acceptable level. The list below identifies some common mistakes made when developing software that lead to security vulnerabilities.
1. Buffer Overflow
2. Format String vulnerabilities
3. Authentication
4. Authorization
5. Cryptography
6. Double Free Attack
Best Practices For Secure Coding
1. Distrust User Input
2. Input validation
3. Magic Switches
Two excellent books on secure programming:
Writing Secure Code is an excellent book on developing secure code, with specific examples on the Win32 API and lessons learned from Microsoft.
Building Secure Software: How to Avoid Security Problems the Right Way is more UNIX oriented, but teaches lessons on secure programming that all developers should know.
References:
Writing Secure Code - http://msdn.microsoft.com/en-us/security/aa570401.aspx
Introduction to Secure Coding Guide - http://developer.apple.com/DOCUMENTATION/Security/Conceptual/SecureCodingGuide/SecureCodingGuide.pdf
Defend Your Code with Top 10 Security Tips Every Developer Must Know - http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
Top 10 Secure Coding Practices - https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
How To: Perform a Security Code Review for Managed Code (Baseline Activity) - http://msdn.microsoft.com/en-us/library/ms998364.aspx
Secure Coding Principles - http://www.owasp.org/index.php/Secure_Coding_Principles
Fundamentals of Secure Software Development - http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf
"Secure Coding in C and C++" A Linux.SYS-CON.com Interview With Robert Seacord - http://linux.sys-con.com/node/158854
CERT Secure Coding Standards - https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
Security Code Review - Identifying Web Vulnerabilities - http://www.infosecwriters.com/text_resources/pdf/Code_Review_KMaraju.pdf
Twelve rules for developing more secure Java code - http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html
Open Web Application Security Project - http://www.owasp.org/index.php/Main_Page