Protection of Information Assets

Temple University

MIS 5206.001 ■ Fall 2022 ■ David Lanter
Question 2

November 9, 2022 by David Lanter 21 Comments

What are secure coding practices and what risks are they intended to mitigate?

Filed Under: Unit 13: Computer Application Security

Comments

  1. Frank Kofi Kpotivi says

    November 12, 2022 at 12:53 pm

    Developers should adhere to a set of rules called “secure coding practices” when creating programs. They are made to reduce risks by assisting in the prevention of frequent coding errors that can result in security flaws.

    Buffer overflows, SQL injection, and cross-site scripting (XSS) are the most prevalent threats that safe coding techniques are designed to reduce. When a programmer tries to put more data in a buffer than it is intended to hold, a buffer overflow occurs. Data corruption and the execution of malicious code by attackers are both risks of this. When an attacker enters malicious SQL code into a web application in order to access sensitive data, SQL injection happens. XSS happens when an attacker inserts malicious code into a web page, which the user’s browser then executes. The attacker may then be able to redirect the user to a malicious website, steal cookies or session information, or even run arbitrary code on the victim’s computer.

    By educating developers on how to build more secure code, secure coding standards can aid in preventing these kinds of attacks. Developers should, for instance, check user input at all times to make sure it is in the desired type and format. To avoid SQL injection, they should also use prepared statements while working with databases. Additionally, programmers should refrain from employing unsafe coding techniques like eval() or coming up with their own encryption algorithms.

    • Aayush Mittal says

      November 13, 2022 at 10:08 pm

      Thanks for the details Frank. I really appreciate you explaining all the terms with your answer and indeed “educating developers” is very important. Further, they should also know the application functionality in and out, so that they can apply their knowledge base of secure coding practices appropriately while developing the application.

    • Nishant Shah says

      November 14, 2022 at 12:28 am

      Nice summary Frank! Educating developers is very important so they can develop secure software across all the platforms. With the proliferation of handheld devices there are too many apps out there that don’t necessarily consider all the security aspects. End users should also be educated not to install untrusted apk files even if they appear free as their personal and sensitive data is at a high risk for being siphoned out of their handheld devices.

    • Chinenye Marylyn Akinola says

      November 14, 2022 at 1:34 am

      Interesting read Frank! In addition, security coding is also based on the best security practices recommended by the most recent industry standards for the system or application to create codes that can restrict the input and output of the program in order to stop attackers from inputting destructive codes in the system source code.

    • Pranavi Yadalam Sekhar says

      November 16, 2022 at 10:07 pm

      Hi Frank,
      Great summary, yes, data corruption and the execution of malicious code by attackers are both risks of this.

  2. Sunam Rijal says

    November 12, 2022 at 7:55 pm

    Secure coding practices include:
    Input: The application should know what is coming in. This helps to protect the system from buffer overflow, injection attacks and other types of vulnerabilities.
    Design: The application should be structured and written with good flow and controls. This helps to avoid buffer overflow, race conditions and script injection vulnerabilities.
    Trusted Resources: The application should only call trusted resources and make sure that only valid data is passed to and received from external resources. This helps to mitigate command injection and XSS vulnerabilities.
    Limit Access: The application should limit access to the data only as needed for the program logic and processing. This helps to minimize the risk of SQL injection and data theft.
    Output: The application should guard what is being sent out. This helps to mitigate script injections, format strings, and buffer overflow.

    • Frank Kofi Kpotivi says

      November 13, 2022 at 3:11 pm

      Nice point, Rijal. Secure coding techniques can reduce dangers, but they are not a panacea. The security risks that come with an application still need to be understood by developers, and efforts need to be taken to reduce those risks. Additionally, it is advisable to combine secure coding techniques with other security measures like firewalls, intrusion detection systems, and appropriate access control protocols.

  3. Aayush Mittal says

    November 13, 2022 at 6:02 pm

    The threats due to vulnerabilities in applications can be easily managed by proper discipline during the design and developmental stages. Used and implemented effectively, the security practices prevent errors that could compromise software security.
    Some of the secure coding practices and principles include, but are not limited to:
    – Programming Model
    – Input Validation
    – Program control and logic flow
    – Calling external routines
    – Limit data access
    – Handling Output

    Risks that are intended to be mitigated include, but are not limited to:
    – Knowing what is coming to the application helps avoid Buffer flow, Script injection, SQL Injection, Format Strings vulnerabilities and Counter SPAM, etc.
    – Making sure that only valid data is passed to and received from external resources helps to avoid Command Injection/Shell escape and Cross-Site scripting vulnerabilities.
    – Limiting the access to data helps to avoid SQL Injection, data theft, etc.

    SANS Reading 7: “Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach”

    • Sunam Rijal says

      November 13, 2022 at 8:35 pm

      Hi Aayush,
      Great explanation. And I also agree that the points mentioned in the document are not the only risks; there are more than those risks which may affect the system.

    • Wei Zhang says

      November 16, 2022 at 4:17 am

      Hi Aayush,
      Thanks for your explanation. I would add some examples to secure coding practices, such as keeping an eye out for compiler warnings, cleaning up data sent to other systems, and adhering to the principle of least privilege.

  4. Nishant Shah says

    November 13, 2022 at 6:12 pm

    Secure coding practice is a consistent approach to understanding that the software codes need to be secure from known attacks and having controls in place to make the programs resilient to tampering. Risks are considered at the design phase using the What If analysis to ensure controls are put in place to prevent misuse and security breaches. Threat modelling can also be used to determine threats and vulnerabilities.

    In general, common secure coding practices include not using known vulnerable libraries or methodologies with poor security implementation, setting up proper access configurations, configuring the boundaries and limits within which the program will operate, using input validations to restrict string length inputs, character type, etc., and removing hooks or backdoors in the final version that may have been used during the testing period. Developed software needs to go through various tests such as misuse case testing, fuzzing, and black box testing. Error handling and event logging are also crucial from a security standpoint.

    Guidelines such as BSA, NIST SSDF, Microsoft SDL, OWASP top 10 can be referred to while developing secure software.

  5. Chinenye Marylyn Akinola says

    November 14, 2022 at 1:32 am

    A set of procedures known as “secure coding” adds security concerns to the coding and encryption of software in order to best protect it against cyberattacks or other flaws. The majority of frequently exploited software vulnerabilities result from defects, bugs, and logical flaws, and security experts have found that the majority of vulnerabilities are caused by a relatively small number of typical programming mistakes.

    Security vulnerabilities in code and potential exploit faults that could be detrimental are risks that are reduced or eliminated by secure coding standards’ introduction of protections.

    • Shadrack Owusu says

      November 16, 2022 at 11:30 pm

      In addition to providing security to software by reducing risks as you rightly stated, the development time is optimized.

  6. Shadrack Owusu says

    November 14, 2022 at 5:04 am

    Secure coding practice is the process of writing code in a high-level language that follows strict principles, with the goal of preventing potential vulnerabilities. It is also referred to as secure programming in other literature. Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Access control, enforcing strong encryption, secrets management, cryptographic practices, error handling and logging, and data protection are some of the coding principle guidelines. Insecure code in critical industries such as finance, healthcare, energy, and transport could result in financial and property damages, market manipulation and theft, physical harm, and fatalities. Denial of service to a single user, compromised secrets, damage to the systems of many users, loss of service and even loss of life can result from insecure software. Secure coding practice is intended to mitigate some of the aforementioned risks.

    https://snyk.io/learn/secure-coding-practices/

  7. Asha Kunchakarra says

    November 14, 2022 at 11:44 am

    Secure coding principles
    – The application should know what’s coming. This helps avoid buffer flow, script injection, SQL injection, Format Strings vulnerabilities and counter SPAM.
    – The application should be structured and written with good flow and controls. This helps avoid buffer flow, race conditions, and script injection vulnerabilities.
    – The application should only call the trusted resources. It should make sure that only valid data is passed to and received from external resources. This helps to avoid common injection/shell escape, and cross-site scripting vulnerabilities.
    – The application should limit access to the data only as needed for the program logic and processing. This helps to avoid SQL injection, data theft…
    – The application should guard what is being sent out. This helps to avoid script injection, format strings, buffer overflow…

  8. Mengqi Xiong says

    November 14, 2022 at 8:10 pm

    Secure coding practices are important to protect applications and prevent hackers from exploiting vulnerabilities. In most cases, developers introduce security risks into the source code they write simply because they are unaware of those risks. Therefore, using what-if analysis to test risk during the design phase ensures that the application is tested for security vulnerabilities before it goes into production. Without secure coding, cybercriminals will have easier access to your code, which they can use to grant them further access to sensitive data. The main principles of secure coding practices focus on details such as input validation, output encoding, access control, calling external routines, data protection, cryptographic practices, etc.
    Understanding the contents or status of the application could help developers better deal with risks or threats like buffer overflows, XSS, SQL injection, format strings, spam, etc. Applying secure coding principles would guide software development teams on how to conceive, develop, acquire, operate, and maintain the security of applications.

    • Asha Kunchakarra says

      November 16, 2022 at 9:14 pm

      Great point you made by suggesting using what-if analysis to test risk during the design phase. This will help to see all the possible issues that it may cause and can help effectively assess the risk.

  9. Elizaveta Ibeme says

    November 14, 2022 at 10:27 pm

    Secure coding practices are intended to mitigate such threat vectors as SQL injections, buffer overflows, access control flaws, and script injections. Best practices include input validation, structured flow controls, encapsulation, the principle of least privileges, and output monitoring. Input validation is important to avoid script injection, SQL injection, or buffer flow. Input validation would include the removal of unnecessary parameters, data type validation, data length validation, etc. Program flow and data handling: it’s important to prevent hackers from abusing poorly structured flows. For example, this may include proper handling of data, separation of program control and data, implementing the principle of least privilege, and avoiding race conditions. For secure program development, it is important to only reference external resources that can be trusted.

    • Mengqi Xiong says

      November 16, 2022 at 11:55 am

      Hi Elizaveta,

      I like how you pointed out examples such as “implementing the principle of least privilege”. Each process of a program should be executed with only the least privileges required to complete its work. This approach reduces the likelihood of an attacker executing arbitrary code with elevated privileges.

  10. Wei Zhang says

    November 14, 2022 at 10:58 pm

    Most vulnerabilities originate in the source code of an application or program. It is easy for malicious users to exploit defects or errors in program code to take control of the program and use it for personal gain. Most common software security vulnerabilities can be mitigated by following well-established secure coding standards.
    Secure coding practices include:
    -Validate input
    -Heed compiler warnings
    -Architect and design for security policies
    -Keep it simple
    -Default deny
    -Adhere to the principle of least privilege
    -Sanitize data sent to other systems
    -Practice defense in depth
    -Use effective quality assurance techniques
    -Adopt a secure coding standard
    Adopting secure coding practices is important because it eliminates frequently exploited software vulnerabilities and prevents network attacks from occurring. In addition, optimizing security from the outset can help reduce the long-term costs that can result from the disclosure of sensitive user information through an exploit. In addition, secure coding practices help avoid the risk of buffer overflows, script injection, SQL injection, and access control defects.
    https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices

  11. Pranavi Yadalam Sekhar says

    November 14, 2022 at 11:22 pm

    KISS (keep it simple, stupid) is the mantra to live by when it comes to secure programming techniques and security in general. Complex processes run the risk of producing inconsistent findings, or worse, being completely disregarded. You should use tried-and-true security and secure coding best practices rather than inventing the wheel. Among the numerous helpful resources provided by the OWASP Foundation is the OWASP Top 10, which lists the most prevalent security issues and serves as a useful starting point.

    One of the fundamental components of system security is access control, which includes authentication and permission.

    Another crucial element of maintaining the security of your system is the enforcement of robust encryption. To implement encryption, there are numerous freely accessible libraries that you may use, so you only need to written .
    However, it’s crucial to stick to using conventional libraries and algorithms. Additionally, make sure that only validated libraries are utilized whenever FIPS compliance is necessary.

    The management of secrets is yet another crucial security step. Never hardcode or upload secrets like passwords or access keys to code repositories, whether or not you decide to utilize one of the many solutions available to help you handle secrets.

    The aforementioned precautions will safeguard your system and serve as the first line of defense, but it’s also crucial to strengthen the security of your code.

