Secure Coding

Chukwudi WowoChukwudi Wowo
2 min read

Secure Coding is a part of the Secure Software Development Lifecycle (SSDLC) and it speaks to ways vulnerabilities in code can be mitigated against attacks.

Common coding flaws include:

  1. Buffer Overflow: Buffer can be defined as temporary memory used to store data. Memory is stored in either the stack (static memory allocation) or heap (dynamic memory allocation)

    Buffer Overflow occurs when this memory is overridden to allow a sort of spill of data ie it takes advantage of improper user input or reads. Buffer overflows are used to overwrite the return address of the next piece of code that should be run after thereby allowing the attacker to place and run shell code on the stack.

    Mitigations:

    1. Use fixed size functions as this helps to prevent overflow ie writing beyond the means of the buffer

    2. Use built-in libraries: These libraries eg Python and co take away the control of buffers from you and manages it themselves so you don’t have to worry about its allocation

    3. Stack canaries: These are values only known to the code before the return value so if its different from what it is supposed to be, an exception is thrown.

  2. Command Injection: This occurs when an attacker injects a malicious code to run a command. It takes advantage of poor user input validation. An example of vulnerable code is when the developer doesn’t block code terminator ; in the user input. An attacker could start his input with ; terminating the previous code to run theirs next.

    Mitigations:

    1. Quoting: Escape characters so they are read as data not code when inputted.

    2. Validate user input: You could do this by whitelisting (allow only certain characters), blacklisting (block certain characters).

  3. Race conditions: This occurs when a system depends on the timing and sequence of events. So a vulnerablity can happen when a function expects all its processes to run at once instead of in parallel which could lead to DoS.

    Mitigation:

    1. Using reentrant programming: Reentrant programming is when a function can be safely interrupted and resumed again. Non-reentrant programming causes race conditions.

Others include format string vulnerability, least privilege, insecure deserialization, insecure credential management etc.

The OWASP Top 10 is a good starting point to learn more about the most critical security risks or flaws to web applications.

0
Subscribe to my newsletter

Read articles from Chukwudi Wowo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

ssdlc

Written by

Chukwudi Wowo
Chukwudi Wowo