Software security for developers

Secure software development means considering security in every phase. Here are 9 key software security principles plus practical advice from a developer's point of view.

  • Implement role-based access control to assign permissions to application users.
  • Perform consistent authorization checking routines on all application pages. (If possible, this should be defined in one location and called or included on each page.)
  • Where applicable, apply DENY privileges last, and issue ALLOW privileges on a case-by-case basis.
  • Never rely on security through obscurity—assume that attackers will be able to guess secret details.
  • Log all failed access authorization requests to a secure location and make sure that these logs are reviewed regularly.
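The checklist above as an added example, not code from the original article: a single `requires` routine is attached to every page handler, access is denied unless a role explicitly allows it, and each refusal is written to an audit logger. The role names, permission strings and handlers are constructed for illustration, and treating "apply DENY last" as "explicit denials are evaluated last and override allows" is an assumption.

```python
import functools
import logging

# Constructed sample policy: permissions are granted role by role.
ALLOW = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}
# Explicit denials, evaluated last so they override any ALLOW (assumed reading).
DENY = {"contractor": {"report:write"}}

# In production, route this logger to a protected, regularly reviewed sink.
audit_log = logging.getLogger("authz.audit")


class Forbidden(Exception):
    """Raised when the caller lacks the required permission."""


def is_authorized(roles, permission):
    """Default deny: some role must allow the permission and no role may deny it."""
    allowed = any(permission in ALLOW.get(r, set()) for r in roles)
    denied = any(permission in DENY.get(r, set()) for r in roles)
    return allowed and not denied


def requires(permission):
    """The one authorization routine, applied to every page handler."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not is_authorized(user.get("roles", ()), permission):
                # %r escapes control characters so a crafted name cannot forge log lines.
                audit_log.warning("authz denied user=%r permission=%s handler=%s",
                                  user.get("name"), permission, handler.__name__)
                raise Forbidden(permission)
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("report:write")
def edit_report(user, report_id):
    return f"report {report_id} updated by {user['name']}"


@requires("report:read")
def view_report(user, report_id):
    return f"report {report_id} shown to {user['name']}"
```

A handler that is missing the decorator is the failure mode to watch for; a startup check that every registered page handler is wrapped closes that gap.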

Error Handling

The goal of error handling and error messages is to provide feedback when something unusual happens. Error messages come in two types:

  • User error messages

    —Provide feedback to users

    —Help the user interact with the application properly

    —Cover business logic errors and interaction errors

  • Developer error messages

    —Provide feedback to developers and administrators

    —Help the developers detect, debug, and correct bugs

    —Include technical details, logs, and status messages

Testing

Conclusion

Software security is one of those legacy problems that will not be solved overnight. It requires your active diligence, vigorous participation, ongoing awareness and evangelism, continuing education, and determination to make any dent in the problems.

By addressing all the phases of the Software Development Life Cycle with the principles of secure and resilient software, you're well on your way to improving the overall software security problem, and you become a model for your peers to emulate, further improving the situation for your organizations, your community, and your business sector. Together we can work to solve these problems, learn from one another, and help each other put an end to the problems that have plagued information technology from the very beginning.


Copyright © 2010 IDG Communications, Inc.
