Develop an Enterprise Secure Coding Programme

So lets start out by saying that I have no intent on teaching you how to code, and you probably wouldn’t want to learn from me anyway!

More than ever before, we must be diligent about our Application Development practices. In today’s fast paced, highly competitive Internet environment, it is expected that your Corporate Applications not only look and feel “modern”, but are also built to work on a multitude of platforms.  Gone are the days when you can write an application to “work best” on Internet Explorer.  Apps must present a consistent user experience across various browsers and platforms.  This diversity of endpoint systems increases the potential for vulnerable code to be exposed.  

Coding Securely needs to be a Corporate Culture, supported from the Top down. Every layer of employee has a role in this practice. An application built from the ground up on the principles discussed below will spend a lot less time in “vulnerability management“, and a lot more time in building and releasing features.

I’m going to structure this discussion by addressing the responsibilities of each Business Role at a high level, then break each one of these down, further on.

Responsibilities of the CIO:

• Adopt, Publish, and Test a Corporate Coding Best Practice
• Base your Application Development Practice on your Business Core Competencies
• Adopt an Existing Application Framework
• Adopt and support Revision Control Religiously
• Ensure that a trusted Application Testing Methodology is in place.

Responsibilities of the Application Development Team Lead:

• Review, comment, and test the Corporate Coding Best Practice
• Develop and publish a Standard Naming Convention for Coding
• Ensure that your team is only developing to your Business Core Competencies
• Use an Existing Application Framework 
• Use Revision Control Religiously
• Maintain Reusable Code Libraries
• Understand and implement Release Planning
• Do not support reinventing anything
• Support the Corporate Application Testing Methodology

Responsibilities of the Developer:

• Read and understand the Corporate Coding Best Practice
• Print out the Coding Best Practice stick it on your refrigerator door!
• Understand what your Business Core Competencies are… Write code for THAT!
• Use an Existing Application Framework  
• Use Revision Control  Religiously
• Do Not reinvent anything
• Participate in the trusted Application Testing Methodology

Responsibilities of the Quality Control and Test Team:

• Ensure that the Corporate Coding Best Practice is being followed
• Enforce Revision Control
• Conduct Peer Code Review
• Participate in the trusted Application Testing Methodology
• Validate Security Controls through Application Security Testing
• Adopt and manage to a  Release Life Cycle

Coding Best Practices:
First of all, download and read the following!
(Then print it out, stick it on your fridge, and read it every morning!)
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

A coding best practice is a set of rules or procedures that one follows to create legible, well documented application code that improves the quality of the application and provides for better maintenance.  Code should be clearly written using a standard naming convention for object or variable names, routine or module names, and table/field names.  Comments should be descriptive and short.

• Input Validation: – ensure all input in forms are type,length, and context validated.
• Output Encoding: – ensure that all output requests to your backend follow the rules
• Authentication and Password Management: – ensure corporate standards are met
• Session Management: – carefully manage,secure, and log user sessions
• Access Control: – ensure “Least Privilege Principle” is adhered to
• Cryptographic Practices: – use industry-tested and accepted standards and algorithms
• Error Handling and Logging: – ensure logs are auditable, traceable, and of high intergrity
• Data Protection: – ensure sensitive data is protected both in motion and at rest.
• System Configuration: – ensure that you “harden” your application as well as the OS it resides on
• Database Security: – protect your back end. Again ensure “Least Privilege Principle” is used
• File Management: – misconfiguration in could reveal confidential information about access credentials
• Memory Management: – ensure that memory that is allocated is protected, and subsequently freed 

Business Core Competencies:

Base your Application Development Practice on your your Business Core Competencies. By this I mean that if your company produces Widgets, then your Core Compency is in the mass production and sale of Widgets. Your developers should be spending the bulk of their effort in writing code to strengthen the sale of Wigets.

If they are developing “application frameworks” or writing “authentication” code, they are not doing you a service. There have been decades of collaborative prior art created that follow standards and have been rigorously tested.