Skip to content

Latest commit

 

History

History
257 lines (172 loc) · 10.1 KB

security_practices.md

File metadata and controls

257 lines (172 loc) · 10.1 KB

Security Best Practices, Final Project, and Assessment

Table of Content

  1. Code Practices
  2. Dependencies
  3. CodeQL Analysis
  4. Secure Development Environment

Code Practices

(click to expand/hide)

Overview

Code practices are essential to the software development process, focusing on security within the DevOps community. By implementing robust code practices early, developers can prevent costly fixes later and reduce vulnerabilities in the application layer.

General Code Practices

  1. Secure Software Development Lifecycle:

    • Integrating security from the start of development ensures the application is secure throughout its lifecycle.

  2. Secure Coding Standards:

    • Establish and follow a set of secure coding guidelines to cultivate good coding habits.

  3. Use of Tested Libraries and Code:

    • Utilize tested and approved managed code and reusable object libraries to enhance efficiency and security.

  4. Secure Updating:

    • Focus updates on exposed threats or security-critical components of the source code.

  5. Security Training:

    • Participate in training courses focused on secure software development to increase security awareness and improve coding skills.

Input Validation and Scrubbing

Validation

  • Purpose: Ensures the input matches the expected type, range, length, and characters.
  • Techniques:
    • Check input against a whitelist of allowed characters.
    • Reject any input that doesn't meet predefined criteria.
    • Validate data from untrusted sources rigorously.

Scrubbing

  • Purpose: Removes or sanitizes any malicious characters entered as input.
  • Examples of Malicious Characters: <, >, ", ', %, (), &, +, \, etc.
  • Control Measures: If malicious characters are necessary inputs, apply additional controls like output encoding and use of secure APIs.

Output Sanitization

  • Encoding: Convert input code into safe output code for interpreters.
  • Sanitization: Cleanse all output from untrusted sources to prevent injection attacks in SQL, XML, LDAP, or local OS commands.

Error Handling and Security

  • Goal: Provide useful error messages for users and diagnostic information for developers without aiding potential attackers.
  • Practices:
    • Use custom error pages and generic error messages.
    • Release memory upon error conditions to prevent corruption.
    • Restrict access to logs and log tampering events or failures.

Conclusion

Effective code practices are crucial for developing secure software. These practices not only enhance security but also reduce the overall risk and potential costs associated with later fixes. Input validation, scrubbing, and proper error handling are key components in mitigating security risks in software development.

Dependencies

(click to expand/hide)

Summary of Dependencies in Software Development

Understanding Dependencies

A dependency in software development refers to a piece of software or code that relies on another software to function. This concept is crucial for adding features and functionalities to software without starting from scratch.

Benefits of Using Dependencies

  1. Increased Efficiency: Speeds up the software development process by building on existing work.
  2. Enhanced Functionality: Allows for more features by integrating pre-built components.
  3. Cost-Effectiveness: Reduces development costs and time.

Risks and Challenges

  1. Security Vulnerabilities: Using external code can expose software to bugs, flaws, or security vulnerabilities.
  2. Production Risks: Dependencies can cause performance issues, crashes, or data leaks if not compatible or outdated.
  3. Licensing Issues: Ensuring compliance with licensing requirements is essential to avoid legal complications.

Best Practices for Managing Dependencies

  1. Vetting Dependencies:

    • Design and Documentation: Ensure the API is well-designed and documented.
    • Quality and Testing: Assess the code quality and test for functionality and failures.
    • Maintenance: Check for regular updates and community engagement to ensure ongoing support.
    • Security: Analyze for potential vulnerabilities and security weaknesses.

  2. Using Dependency Management Tools:

    • Automate the tracking of version updates and manage the installation process.
    • Inspect both direct and indirect dependencies to ensure code integrity.

Example of Dependency Usage: Flask Framework

Flask, a web framework written in Python, utilizes several dependencies to enhance its functionality:

  • Werkzeug: Manages the web server gateway interface.
  • Jinja: A template language for rendering web pages.
  • MarkupSafe: Secures handling of untrusted input.
  • ItsDangerous: Ensures data integrity.
  • Click: Used for building command-line applications.

Practical Example with ItsDangerous

from itsdangerous import URLSafeSerializer

Create a serializer

serializer = URLSafeSerializer('your-secret-key', 'auth')

Serialize data

token = serializer.dumps({'id': 5, 'name': 'Alice'})

Deserialize the token

original_data = serializer.loads(token) print(original_data['name'])

CodeQL Analysis

(click to expand/hide)

What is CodeQL?

CodeQL is a tool used for security analysis on GitHub, helping to ensure the ongoing security of code during its development. It is particularly crucial as it updates continuously to protect against new vulnerabilities.

How CodeQL Works

CodeQL analyzes the code by treating it as data within a database. This allows for:

  • Addition of code to the database via commits.
  • Running queries on this database to identify security issues.
  • Displaying results as code scanning alerts.

Users can run default queries or customize them to suit specific project needs.

Supported Languages by CodeQL

CodeQL is versatile and supports multiple programming languages, both compiled and interpreted:

  • C
  • C++
  • C#
  • Java and Kotlin
  • Go
  • Ruby
  • Python
  • JavaScript (JS) / TypeScript (TS)
  • Swift

How to Use CodeQL on GitHub

Setup Process

  1. Access Code Scanning:

    • Navigate to the 'Security' tab in your GitHub repository.
    • Setup code scanning under 'Security Overview'.

  2. Configuration Options:

    • Default Configuration: Automatically configures based on the repository's language.
    • Advanced Configuration: Manually create a YAML file to add more specific security checks.

Running CodeQL

  • CodeQL runs automatically on push or pull requests and during routine weekly checks.
  • It incorporates new vulnerability checks regularly to stay current.

Conclusion

CodeQL is an essential tool for maintaining the security of software projects on GitHub, offering broad language support and flexible configuration options for thorough security analyses.

Secure Development Environment

(click to expand/hide)

Understanding Secure Development Environment

A secure development environment encompasses practices and protocols that ensure software is developed in a system that mitigates risks from cyber threats and vulnerabilities. It's vital to integrate security from the beginning of the development process to avoid costly fixes and vulnerabilities in production.

Causes of Insecure Development Environment

  • Lack of security integration during the design and development phases.
  • Insufficient separation between development and production environments.
  • Inadequate protective monitoring, logging, or auditing in development settings.
  • Use of outdated antivirus or anti-malware solutions, leading to susceptibility to phishing and malware attacks.
  • Unrestricted access to unapproved code repositories and poor governance of code dependencies.

Best Practices for Secure Development

Early Integration of Security

  • Collaborate with security teams from the onset of the design phase.
  • Ensure that all team members are knowledgeable about secure development practices.

Hardening the Development Environment

  • Keep all software and development tools up to date.
  • Disable or remove unnecessary services and ensure physical security of development machines.
  • Use separate, hardened systems or virtual environments for development to minimize risks.

Network and Access Security

  • Secure the internet connection by monitoring open ports and implementing strict firewall policies.
  • Use multifactor authentication to enhance security beyond just passwords, protecting against identity theft and unauthorized access.
  • Secure secrets management to safeguard sensitive information like API keys and credentials.

Monitoring and Auditing

  • Invest in comprehensive monitoring and auditing controls to detect and respond to security incidents promptly.
  • Utilize tools like network utilities to check the security of websites and track suspicious activities.
  • Implement pre-commit hooks to prevent sensitive data like credentials from being uploaded to repositories.

Developing in Isolated Environments

  • Use container technologies like Docker to create isolated development environments that are separate from the main development machine, reducing the risk of cross-contamination and enhancing security by default.

Conclusion

Creating and maintaining a secure development environment is essential for preventing cyber attacks and protecting organizational assets. By implementing best practices such as early security integration, stringent access controls, regular monitoring, and using isolated development environments, organizations can significantly mitigate risks associated with software development.