What is Secure Coding?
July 15, 2019

What Is Secure Coding?

Security & Compliance
Coding Best Practices

What Is Secure Coding?

Secure coding is the practice of writing software that's protected from vulnerabilities. 

And secure coding is more important today than ever before.

Why Secure Coding Is Important

Secure coding is important for all software — whether you write code that runs on mobile devices, personal computers, servers, or embedded devices.

So, you should become familiar with the techniques and tools to support this practice.

Risks of Insecure Software

An insecure application lets hackers in. They can take direct control of a device — or provide an access path to another device.

This can result in:

  • Denial of service to a single user
  • Compromised secrets.
  • Loss of service.
  • Damage to the systems of thousands of users. 
  • Loss of life. 

Types of Security Vulnerabilities That Affect Code

Buffer Overflow

Embedded systems are becoming more connected to the outside world — through IoT. And that means there are more opportunities for malicious code attacks. One example is buffer overflows.

Like injection attacks, buffer overflows also allow an external attacker to ‘put’ code or data into a system. If done correctly, it opens up that system to further instructions from the outside. 

Well-Known Example: Heartbleed

Heartbleed is probably the most widely publicized security vulnerability to date. It affected so many machines in the Internet domain (the OpenSSL package). And it had a potential direct impact on all of us.

Heartbleed is an example of a buffer overread defect. This means that a malicious attacker from the outside could read data from the system that should not be exposed. You can get all the gory details about Heartbleed here.

Code Injection Flaw

Code injection flaws are another common security vulnerability. This exploits a bug caused by processing invalid data. This is one form of injection attack that you can defend against. 

Well-Known Example: Shellshock

Shellshock is the result of a well-known code injection flaw. It's an example of a code injection flaw, where arbitrary code can be executed on a remote system to perform malicious activities.

Most embedded systems are less prone to attacks like Shellshock. They don’t provide “sophisticated” interfaces for exposure, such as Bash shells.

3 Secure Coding Practices

1. Don't Leave Security Until the End

Don't leave security until the end of development. 

Adding a deadbolt to a door made out of cardboard won’t make it more secure. In the same way, an insecure device or application may require extensive redesign to become secure.

It's not just a matter of adding a lock. 

Related Blog: 3 Best Practices for Secure Software Development

2. Consider the Motive for Attack

Hackers Weren't Always Bad...

The term "hacker" usually carries negative connotations.

But within the computing community, the term refers to an expert coder. It's someone who likes the challenge of examining the intricacies of code or an operating system.

So, in general, hackers are not malicious or criminals. Often when hackers find security vulnerabilities in code, they provide information to the organization that’s who wrote the software. They help to fix the problem. Some companies are now even offering a bounty reward to hackers who find bugs in their software.

However, some hackers publish the vulnerabilities. Or even devise and publish exploits (code that takes advantage of the vulnerability).

Attackers Have Motives

Attackers have a variety of motives.

Some may be looking to steal money, information identities, and other secrets for personal gain. They may be looking for corporate secrets for their employer’s or their own use. Or they might even be looking for state secrets to be used by hostile governments or terrorist organizations.

Some hackers break into applications or operating systems just to demonstrate their skills and gain bragging rights.

Nevertheless, they can cause considerable damage. Because attacks can be automated and replicated, any weakness, no matter how slight, can be exploited.

So, you need to identify and understand the nature of the threats to your software. Then, you can address them. 

Related Blog: How to Prevent Malicious Code

3. No One Is Safe

Devices and applications are constantly under attack.

Black hat hackers find new vulnerabilities and publish exploit code. Criminals and malcontents then use that exploit code to attack vulnerable systems. And the hackers have an increasingly easier time finding devices to attack.  

Major attacks of viruses or worms get a lot of attention from the media. It doesn't need to be a massive attack to cause monetary and other damages, either. A single break in a device often goes unnoticed. But it can have a significant impact on a person or business.

Related Blog: CWE List & CERT Secure Coding Standards

Make Sure Your Code Is Secure

Secure code protects your software. 

That's why it's important to incorporate secure coding practices throughout the planning and development of your product. Using secure coding standards — such as CERT — is key. 

This is especially important for embedded systems developers. Learn how to incorporate security practices into your code. 

How to Improve Embedded Systems Security