We live in a world defined and shaped by software. When you break down software into what it is and how it works, it boils down to code.
You might say that computer code is like software’s DNA, and therefore the building blocks of the increasingly digitised world we occupy. The source code of any given application dictates everything it does – how it functions, how it behaves in relation to the piece of hardware it is running on, how it interacts with other programmes.
Code can therefore be used to shape and manipulate every aspect of the way software behaves and performs – including how we keep it safe and secure.
As well as being shaped significantly by software, we also live in a highly networked world – one where individual applications form part of a vast interconnected web we call the internet for shorthand.
This level of connectivity enables the benefits we get from individual software programmes to multiply many times over through mutually complementary interaction – the so-called network effect, a key characteristic of digitalisation.
But it also allows malicious actors and malware to move through cyberspace from one application to another, exploring for vulnerabilities in multiple systems, spreading contamination across the boundaries of individual programmes.
Some of the biggest ‘hacks’ and data breaches yet recorded have resulted from the exploitation of vulnerabilities in software. The 2017 WannaCry ransomware attack, for example, spread worldwide using a weakness in a Windows server protocol.
When we talk about major attacks like this and the tens of thousands of infected or compromised computer systems, there’s obviously a lot of focus on the economic and operational damage that can cause. What sometimes gets forgotten is that all of this is happening at the level of code.
Cybersecurity has become a multi-billion dollar industry. But arguably the best way to shut down the threats posed by cybercrime – or at least on one the major threat vectors – is to address the vulnerabilities found in tens of thousands of software programmes. And that means coding with security in mind.
Common software vulnerabilities
The Open Web Application Security Project, or OWASP, takes a lead in formulating and disseminating secure coding best practices. It also publishes an annual list of the Top 10 Web Application Security Risks, most of which can be countered directly through programming. The latest list includes:
- Injection flaws, such as SQL, NoSQL, OS, and LDAP injection.
- Broken Authentication and Access Control functions.
- Insufficient protection of sensitive data.
- Security misconfigurations resulting from over-reliance on default configurations, incomplete or ad hoc configurations, open cloud storage and more.
There is a simple challenge to developers here. These vulnerabilities cost employers, clients and end-users, they cause major reputational damage and potentially put organisations at risk of sanctions for breaching data protection regulations. Through more secure coding, the threats such weaknesses open the door to could be significantly reduced.
Principles of secure coding
What it takes to code applications so they contain fewer security vulnerabilities can be broken down into five key principles:
Security by design
Security has been treated as an afterthought in software development for too long, perhaps because cybersecurity only became a significant issue long after programming practices had been formalised and working cultures embedded.
But if you really want to avoid vulnerabilities that are intrinsic to the programme itself, security has to be front and centre from the very start of the development process. To stop software reaching release containing faults with data protection and input validation, authentication, error handling and logging, you have to design the programme architecture accordingly.
Keep it simple, stupid (KISS)
KISS is a design principle which boils down to the maxim that the more complex a product or system is, the more likely it is that it won’t be used properly. Parachuted into software design, we can say that the more complex an application is, the more likely it is that some little loophole will be left open that no one even thought about.
There is a lot of pressure in modern software development to release new products at great speed, and it can therefore be very tempting for developers to take shortcuts. You might, for example, be tempted to cut back on how thoroughly you test a programme before you go live, but this can easily lead to obvious vulnerabilities being missed. Embracing Agile and DevOps practices can help to optimise the balance of speed and diligence.
Something else to be aware of is the wholesale use of open source code libraries. Developers love them because they save so much time, but you should know exactly what you are adding to your own code. Do your research and make sure you’re not blindly picking up a script with known vulnerabilities.
Automation is another invaluable tool in making sure you can test products thoroughly without holding up release cycles. But automation has an even broader role to play in shutting down potential vulnerabilities. By adding automated monitoring scripts directly to an app – scripts to scan for potential XSS or SQL injection threats, for example – you can give your programme a certain amount of autonomy in policing its own security.
Automation of key functions like server configuration in cloud environments also removes the risk of human error and supports rolling out fully secured programmes at scale.
Finally, the most valuable asset any application or IT system contains is data. This is the gold cybercriminals are after, this is why they look for ways to sneak or break or trick their way into systems through software vulnerabilities and other means.
Encryption is by some distance the most effective way to protect data contained within or used by an application – if done correctly. Cryptography can be a challenging art to get right, but embed it into your app development, and you go a long way to thwarting cyber criminals.