SSD
Secure
PES Creations
Sonia Rafaqat
Secure Software Development 2
Secure software design and architecture refer to the practice
of incorporating security principles and considerations into
the design and structure of software systems. It involves
implementing robust security controls, mechanisms, and
architectural patterns to protect against potential threats
and vulnerabilities.
Defense in Depth Approach
Secure Architecture Patterns
Secure Coding!
Secure coding refers to the practice of writing software code that is robust, resilient, and resistant to potential
security vulnerabilities and attacks. It involves implementing security best practices and adhering to secure coding
guidelines to minimize the risk of introducing vulnerabilities into software systems.
The importance of secure coding cannot be overstated. Here are some reasons why it is crucial:
Vulnerability Prevention: Secure coding helps prevent the introduction of vulnerabilities that could be
exploited by attackers to compromise the confidentiality, integrity, or availability of software systems. By following
secure coding practices, developers can minimize the risk of common coding errors and vulnerabilities.
Risk Mitigation: Software vulnerabilities can lead to significant financial losses, reputational damage, and legal
consequences for organizations. Secure coding reduces the risk of security breaches, data breaches, and other
security incidents, thereby mitigating the potential impact and associated costs.
Compliance Requirements: Many industry regulations and standards, such as the Payment Card Industry Data
Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), require organizations
to follow secure coding practices. Compliance with these standards is crucial for organizations to operate legally and
maintain the trust of their customers.
Trust and Customer Confidence: Secure coding instills trust and confidence in users and customers. When
software systems are built with security in mind, users are more likely to trust the system with their sensitive data
and rely on its functionality. This enhances the reputation of the software and the organization behind it.
Before going into the details of secure coding practices, let’s have a look at some common coding vulnerabilities.
Coding Vulnerabilities!
Coding vulnerabilities refer to weaknesses or flaws in software code that can be exploited by attackers to
compromise the security and functionality of an application. These vulnerabilities can lead to security breaches, data
leaks, and unauthorized access to sensitive information. Let's discuss some common coding vulnerabilities in detail
along with examples:
Injection Attacks:
Injection attacks occur when untrusted data is inserted into a code statement, allowing attackers to manipulate the
intended behavior of the code. The most common types of injection attacks are SQL injection and OS command
injection.
Example - SQL Injection:
Consider the following code snippet that constructs a SQL query by concatenating user input:
String query = "SELECT * FROM users WHERE username = '" + userInput + "' AND password = '" + password + "'";
If the user input is not properly validated and sanitized, an attacker can input ' OR '1'='1' as the user input. This input
would modify the query to retrieve all records from the users table, bypassing the intended authentication
mechanism.
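The same lookup in Python, as an added example that is not from the original slides: the first function reproduces the slide's string concatenation against a small constructed SQLite table, the second uses a parameterized query so the database driver never lets input change the statement. The table name, column names, the sample row and the demonstration inputs are all constructed here; the slide's payload is supplied as the password value (without its trailing quote, so the statement still parses).

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Real systems store a salted password hash, never the plaintext; the slide
    # compares plaintext, so the demo does the same to keep the query identical.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_input, password):
    """Mirrors the slide's concatenated query: the input becomes SQL text."""
    query = ("SELECT * FROM users WHERE username = '" + user_input
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user_input, password):
    """Parameterized query: values travel separately from the statement, so a
    quote in the input is just a character inside a string, never SQL syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user_input, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR '1'='1"  # the slide's payload, here used as the password field
    print("safe, valid credentials:", login_safe(conn, "alice", "correct-horse"))
    print("safe, injected input:   ", login_safe(conn, "nobody", injected))
    print("vulnerable, injected:   ", login_vulnerable(conn, "nobody", injected))
```

With the concatenated version the WHERE clause becomes `username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds without a valid account. The parameterized version treats the same text as a literal password and finds no match. Input validation is still worth doing as defense in depth, but the parameterized query is the control that removes the vulnerability.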
Cross-Site Scripting (XSS):
XSS vulnerabilities occur when untrusted data is displayed on a web page without proper sanitization, allowing
attackers to inject malicious scripts. These scripts can steal user data, manipulate page content, or perform
unauthorized actions.
Example:
Reflected XSS: Consider a website that displays user search queries in the search results page without proper
sanitization:
<h3>Search Results for: <%= userInput %></h3>
An attacker could input a malicious script as the user input, which would then be executed in the victim's browser
when they view the search results page.
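Output encoding for the reflected value, as an added example rather than code from the slides: the first function mirrors the slide's template, the second HTML-encodes the input before placing it in the element body, and the third shows the same input reflected inside an attribute, where the quote characters must be encoded as well. The sample inputs are constructed for the demonstration.

```python
import html


def render_search_results_vulnerable(user_input):
    """Mirrors the slide's template: the raw input is placed straight into the page."""
    return "<h3>Search Results for: " + user_input + "</h3>"


def render_search_results_safe(user_input):
    """HTML-encode the input for the element-body context before inserting it.
    <, >, & and quotes become entities, so the browser renders them as text."""
    return "<h3>Search Results for: " + html.escape(user_input, quote=True) + "</h3>"


def render_search_box_safe(user_input):
    """The same value reflected inside an attribute. quote=True also encodes
    " and ', so the input cannot close the attribute and add a new one."""
    return ('<input type="text" name="q" value="'
            + html.escape(user_input, quote=True) + '">')


if __name__ == "__main__":
    sample = '<script>alert("xss")</script>'  # constructed test input
    print(render_search_results_vulnerable(sample))
    print(render_search_results_safe(sample))
    print(render_search_box_safe('" onfocus="x"'))
```

The encoding must match the context the value lands in: element body and attribute values are covered by `html.escape`, while a value placed inside a script block or a URL needs a different encoder, and a template engine that escapes by default is the easier way to get this right across a whole application.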
Cross-Site Request Forgery (CSRF):
CSRF vulnerabilities occur when an attacker tricks a victim into performing unintended actions on a web application
using the victim's authenticated session. This can lead to unauthorized actions, such as changing account settings or
making financial transactions.
Example: There is a popular online banking website called "BankABC" that allows users to transfer funds between
their accounts. When users want to transfer money, they need to visit the BankABC website, log in with their
credentials, and initiate the transfer from their account to another account. Now, imagine a malicious website called
"EvilSite" created by an attacker. The attacker knows that many BankABC users also visit EvilSite. The attacker wants to
exploit the trust between BankABC and its users to perform unauthorized transfers. Here's how the attack unfolds:
1. The attacker, knowing the structure of BankABC's transfer request, creates a hidden form on EvilSite with pre-filled values. This
form includes fields such as the recipient account number, the amount to transfer, and a submit button.
2. The attacker entices a BankABC user to visit EvilSite. This could be done through various means like sending phishing emails,
enticing social media posts, or even embedding the malicious form on a compromised legitimate website.
3. When the BankABC user visits EvilSite, the hidden form is automatically submitted using JavaScript without the user's
knowledge. The user's browser, since it's still authenticated with BankABC, includes the user's session cookie in the request to
BankABC.
4. BankABC's server receives the request and sees that it contains a valid session cookie, indicating it's coming from an
authenticated user. It processes the request as if it was initiated by the user and transfers the specified amount to the
attacker's desired recipient account.
5. The user, unaware of the attack, continues browsing EvilSite or leaves the website.
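How BankABC's server can distinguish its own transfer form from the one EvilSite submits, as an added example that is not from the slides: a per-session anti-CSRF token is embedded in the form the bank renders and checked on every POST. The session store, the form layout and the request shapes are constructed for the demonstration; the point is that the browser attaches the session cookie automatically, but a page on another origin cannot read the token.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (from the cookie) -> session data
SESSIONS = {}


def start_session(username):
    """Create a session. The CSRF token is stored server-side and only ever
    written into pages the bank renders, never sent as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """BankABC's own transfer page: the token travels in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="' + token + '">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(cookie_sid, form):
    """Server-side check for POST /transfer.
    cookie_sid: session id the browser attached automatically.
    form: submitted body as a dict. Returns (accepted, reason)."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return False, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison. A missing or wrong token means the request did
    # not originate from a page BankABC rendered for this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "csrf token missing or invalid"
    return True, f"transfer {form['amount']} to {form['to']} for {session['user']}"


if __name__ == "__main__":
    sid = start_session("bob")
    token = SESSIONS[sid]["csrf_token"]
    # Legitimate submission from the bank's own form
    print(handle_transfer(sid, {"csrf_token": token, "to": "acct-42", "amount": "10"}))
    # Forged submission from EvilSite: cookie present, token unknown to the attacker
    print(handle_transfer(sid, {"to": "acct-666", "amount": "5000"}))
```

Setting the session cookie's `SameSite` attribute (to `Lax` or `Strict`) gives a second, independent layer, since the browser then omits the cookie from cross-site form posts; the token check is still needed for older clients and for cases where the attribute cannot be applied.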
Insecure Direct Object References (IDOR):
Insecure Direct Object References occur when an application exposes internal references, such as database keys or file names, in URLs
or parameters. Attackers can manipulate these references to access unauthorized data or perform unintended actions.
Example:
Suppose a web application uses a URL like http://app.com/profile?user_id=123 to display user profiles. If there are no proper access
controls in place, an attacker can modify the user_id parameter to access other users' profiles, potentially exposing sensitive
information.
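An authorization check for the profile endpoint above, as an added example that is not from the slides: the request is authorized against the user identity held in the server-side session, never against the `user_id` in the URL. The profile store, the admin set and the request handler shape are constructed for the demonstration.

```python
# Constructed sample data: user id -> profile
PROFILES = {
    123: {"name": "Alice", "email": "alice@example.com"},
    456: {"name": "Bob", "email": "bob@example.com"},
}
ADMINS = {999}  # constructed: user ids allowed to view any profile


def get_profile_vulnerable(requested_user_id):
    """Mirrors the slide: the user_id from the URL is used directly, no check."""
    return PROFILES.get(requested_user_id)


def get_profile_safe(session_user_id, requested_user_id):
    """Authorize first: a user may read their own profile, an admin may read any.
    The decision uses the session identity, which the client cannot tamper with."""
    if session_user_id != requested_user_id and session_user_id not in ADMINS:
        raise PermissionError("forbidden")
    profile = PROFILES.get(requested_user_id)
    if profile is None:
        raise KeyError("not found")
    return profile


def handle_profile_request(session_user_id, query_params):
    """GET /profile?user_id=... : parse, authorize, return (status, body)."""
    try:
        requested = int(query_params.get("user_id", ""))
    except ValueError:
        return 400, "bad user_id"
    try:
        return 200, get_profile_safe(session_user_id, requested)
    except PermissionError:
        # Same answer whether or not the id exists: a non-admin learns nothing
        # about other accounts from the response.
        return 403, "forbidden"
    except KeyError:
        return 404, "not found"


if __name__ == "__main__":
    print(handle_profile_request(123, {"user_id": "123"}))   # own profile: 200
    print(handle_profile_request(123, {"user_id": "456"}))   # someone else's: 403
    print(handle_profile_request(999, {"user_id": "456"}))   # admin: 200
```

Replacing sequential ids with random, unguessable ones reduces how easily references can be enumerated, but it does not replace the check: an object reference that leaks through a log or a shared link still has to be authorized per request.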
Security Misconfigurations:
Security misconfigurations occur when software or systems are not properly configured, leaving them vulnerable to
attacks. These vulnerabilities can include default or weak passwords, unnecessary open ports, or outdated software
versions.
Example:
Leaving the default administrative username and password unchanged on a web-based management interface exposes
the system to unauthorized access. Attackers can easily guess or discover the default credentials and gain complete
control over the system.
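A startup configuration audit for the management interface, as an added example that is not from the slides: it flags the weak settings named above (default credentials, a weak administrative password, debug mode, the interface exposed on every address) and returns an empty list for a corrected configuration. The configuration keys and the list of default credential pairs are constructed for the demonstration.

```python
# Constructed list of vendor defaults the audit refuses to accept
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

WEAK_CONFIG = {  # constructed: the state a freshly installed appliance ships in
    "admin_user": "admin",
    "admin_password": "admin",
    "debug": True,
    "admin_bind": "0.0.0.0",
}

HARDENED_CONFIG = {  # constructed: the same keys after hardening
    "admin_user": "ops-admin",
    "admin_password": "9f2Kq-wL8mZ-vT4hB-xC1p",
    "debug": False,
    "admin_bind": "127.0.0.1",
}


def audit_config(cfg):
    """Return a list of findings; an empty list means the checks all passed.
    Intended to run before the service starts listening, so a misconfigured
    instance refuses to come up instead of running exposed."""
    findings = []
    user = cfg.get("admin_user", "")
    password = cfg.get("admin_password", "")
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("default administrative credentials are still in use")
    if len(password) < 12:
        findings.append("administrative password is shorter than 12 characters")
    if cfg.get("debug", False):
        findings.append("debug mode is enabled")
    if cfg.get("admin_bind") == "0.0.0.0":
        findings.append("management interface is bound to all network interfaces")
    return findings


def startup_allowed(cfg):
    """Gate for service start: refuse to run while any finding is open."""
    return not audit_config(cfg)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_config(cfg) or "no findings")
```

The useful property is failing closed: a deployment that still carries the vendor defaults never reaches the network, which is simpler to guarantee than remembering to change them afterwards.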
These are just a few examples of common coding vulnerabilities. It is crucial for developers to be aware of these
vulnerabilities, follow secure coding practices, and implement proper input validation, output encoding, and access
controls to mitigate the risk of these vulnerabilities in software applications.
By following these secure coding principles and practices, developers can significantly reduce the risk of introducing
vulnerabilities into their software applications. It is important to incorporate these practices into the entire software
development lifecycle, from design and implementation to testing and maintenance, to ensure the overall
SSD
Thanks
PES Creations
Sonia Rafaqat