The power of secure code in protecting digital environments

The full article was first available on Forbes - read it here.

Software security stands out. Not a day goes by without some or other cybersecurity risk, penetrating hack, system infringement or wider system compromise happening. But this is not a cyber risk story, this is an opportunity to look beneath the malicious ransomware alerts and question the software application development processes that build our apps in the first place - this is the road to secure code.

In a world where Venture Capital (VC) investments into cybersecurity startups are both vibrant and widespread, should we at some point be standing back to question the programming function to analyse, quantify and qualify the steps we should be taking to safeguard systems and data in the first place?

Although organizations are investing in an array of infrastructure components, ranging from network-based intrusion detection systems and firewalls to exhaustive Software Bill Of Materials (SBOMs) processes that seek secure the supply chain, these technological advancements undoubtedly lay the groundwork for a secure environment, yet they constitute only a fraction of the equation.

The true strength of secure computing lies in the integrity of how the code behaves when faced with the reality of end users. This is the opinion of Alex Olivier in his position as product lead at Cerbos, a company known for its adaptive authorization technology.

The forgotten layer: code

“Secure code encompasses the implementation of coding practices and techniques that prioritize security - be it secure development practices or testing the application against areas in the latest Open Source Foundation for Application Security [reports], explained Olivier. “It involves writing code that mitigates vulnerabilities and proactively prevents potential exploits. Despite its pivotal role, secure code is often overlooked due to all the new security tools which say they can solve all your problems at the infrastructure level. However, underestimating the consequences of insecure code can provide insight into the potential for dire outcomes to result - data breaches, system compromises, and the erosion of trust within the secure environment are all possibilities just from a couple of lines of poorly written code that affect not only users but also the overall reputation of the organization.”

The presence of insecure code within enterprise applications clearly creates opportunities for malicious bad actors to exploit vulnerabilities. Unauthorized access, theft of sensitive information and even the compromise of an organization’s entire software stack and its related systems, applications and services become potential consequences.

“Consider a scenario where a financial institution inadvertently exposes customer data due to insecure code in its online banking application. This breach not only results in financial losses but also erodes customer trust, tarnishing the institution's hard-earned reputation. Likewise, an e-commerce platform that neglects proper user input validation opens itself up to breaches, as attackers inject malicious code capable of compromising the entire system. These instances serve as powerful reminders of the criticality of secure code in safeguarding applications and the sensitive data they handle,” said Olivier.

Five cornerstones

The Cerbos team offers five cornerstones to consider when an enterprise manages to be introspective enough to look at its code security stance. When programmers and their associated operations teams are doing a deep dive reviewing code, Cerbos points to comparatively common scenarios where a simple slip-up in logic can leave a system vulnerable:

• Input validation: Organizations need to meticulously ‘validate and sanitize’ all user input (in all live production applications and services) in order to prevent injection attacks and other security vulnerabilities.
• Secure session management: Every user’s login time for an application or data service (or anything that connects them to the corporate IT stack) can be defined as a ‘session’ of usage - this means that organizations need to implement robust mechanisms for secure session handling, including proper session timeouts, secure cookie settings and safeguards against session hijacking.
• Secure authentication: This one speaks for itself but it has to be said, firms need to utilize strong password storage techniques, embrace multi-factor authentication and shield against common authentication vulnerabilities, such as brute force attacks.
• Secure authorization: Once a user is authenticated, it is essential to define and enforce the actions they can or cannot perform within the system through a codified and auditable set of access controls.
• Secure error handling: Avoid exposing sensitive information in error messages and log files, and handle errors gracefully to prevent potential information leakage.

“In addition to these practices and regular code reviews with software application developers themselves, using tools built for vulnerability testing and penetration testing play pivotal roles in identifying and rectifying security flaws,” clarified Olivier. “By combining programmatic steps with human review of key areas you can reduce the risk of even the most complex systems.”

A collaborative effort

If any of these points sound a little high level and the sole preserve of the chief information officer, they shouldn’t i.e. developing secure code necessitates a collaborative effort involving developers, security teams and the business side of the house.

“Establishing secure coding standards, implementing secure design principles and conducting comprehensive security training programs for developers are all integral to ingraining secure code practices from the early stages of development. Fostering a culture of security awareness and accountability within the organization is equally crucial to ensuring that secure coding becomes an inherent part of the development process,” emphasized Olivier, in a statement that may be the most impactful of all comments made on this subject.

In the dynamic world of secure computing - if we can get there - it is imperative to recognize the indispensable role of secure code. From Olivier’s perspective, when a business works hard to prioritize secure coding practices, it can minimize vulnerabilities, enhance customer trust and establish a solid security foundation.

When our automobile or a household appliance breaks down we might think about blaming the manufacturer, when our software shows itself up as being brittle, flaky or unsecured, we might more directly think about the development process that led to its production and release.

The full article was first available on Forbes - read it here.