15 secure coding practices to use in digital identity

Secure coding of any application or service is important, but it is vital in systems that process personal data.

Current Job Listings

When software analysis firm CAST analyzed 1380 software applications they found a whopping 1.3 million software vulnerabilities in the code.

Anyone reading CSO will know that software flaws give cybercriminals an open door.

Identity management is arguably the most at risk service of all technology disciplines. Identity theft stalks us all. Javelin Research has reported on identity theft for a number of years now and their research shows that it continues to plague the industry. In its 2018 Identity Fraud report, advisory firm Javelin described 2017 statistics as being at a “record high.”

In identity management, we often talk about “weaponizing identity.” This means hardening the system across access points and where users interface with the service. However, the process to weaponize needs to be layered and one such layer is at the code level.

Secure coding for identity management

Digital identity platforms can be very complex, as they often have to rely on external data sources and integrate with third-party APIs. Consumer versions of identity and access management (IAM) can be even more complex. They may require extended functionality to upload, store and share documents and images. Many identity services also incorporate, or are entirely based on, mobile device apps. It is not enough to rely on the inherent security of the protocols that communicate across the components of an identity ecosystem. The underlying code must be as secure as possible without restricting the functionality of this ecosystem.

Here are some of the best secure coding practices to use when developing an identity platform.

1. Use good resources: Start with the secure coding 101 resource, Open Web Application Security Project (OWASP). OWASP is the de facto, go-to resource for secure coding. Their “Quick Reference Guide” for secure coding is a great place to start and to use as a double-check tool during development. Use their resources liberally.

2. Use defensive programming techniques. This helps to avoid exploitable bugs. An example is in equivalence comparisons: put the constant first. This will trigger an error at compile or run-time if you accidentally write equals in place of the equality operator. For example:

// poor practice:
if ($result == 'SUCCESS') {
// better - if “==” mistyped as “=” get runtime or compile error
 if ('SUCCESS' == $result) {

3. Sanitize data: Digital identity, especially systems for consumers, will often call out to external data sources. All data from external sources or that supplied by a user should be untrusted. For web clients this includes data obtained from query string or hash parameters, cookies, local storage, etc.; for server-side apps this includes data supplied via POST, GET, cookies, etc. Native apps often read configuration files, which may be deliberately tampered with.

In all cases, the first line of defense is sanitization:  check that only the permitted characters/format has been included. This includes ensuring that maximum data field lengths are checked to avoid buffer overflow attacks. 

Another area that is important to security check in a digital identity platform is image upload. Images are becoming more important in IAM and CIAM services as data stores increasingly store and share photos of identifying documents. User upload of files, such as images, can be particularly dangerous. These must be rigorously checked to ensure they really are images and don’t have hidden executable content.  

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.