In a software development life cycle, it is mostly important to incorporate security early in the development process and that’s why in this article I’ll talk about three (3) important and specific secure coding practices that you should follow when building your application; Error/Exception Handling, Input Validation & Fuzzing.
1. Error/Exception Handling
One of the most significant sources of software vulnerabilities is a concept known as the “unpredictable state”. Remember, a computer is very good at following instructions and that is all it can do. Computers can’t guess your intentions and if they encounter a situation where they don’t have specific instructions, may take an unpredictable action.
This is a tremendous danger to software security, as that unpredictable action may undermine the security of your application or system. A very important thing to remember when developing software is that users will not always act in the way you expect, some might not understand what they are expected to do, while others may be deliberating trying to break your code in an effort to undermine the security of your application. There are two very important things you can do when developing software to ensure that you avoid the unpredictable state:
First, create a default state
If you’re creating a list of possible actions that the software can follow based on various circumstances, be sure to create a path that all possible actions can follow. This is often done by using the software equivalent of normal language flow…if this, do that, otherwise if this, do some other thing, otherwise do yet a third thing. This last clause is a “catch all”. It encompasses all possible situations, even those not predicted by the developer.
The developers in the house will recognize this concept as being the else clause in an if/else statement or the default clause in a switch or case statement.
Secondly, you must “catch” errors
The second important thing you can do is tell the computer what you want it to do in the case of an error. This concept is known as Error Handling. If the user does something that causes an error, your software should specify how that error should be handled, for example, if the user enters data that causes a division by zero error, your software should expect this possibility and report the error back to the user. This is often done through a try/catch clause. For example, you might have a program that divides the number 3 by a user provided number, you should write the code in such a fashion as the computer tries the division, it can catch any pending errors and then report it back to the user. If the computer encounters an error when executing a code that isn’t caught by your software, it can enter the dreaded unpredictable state.
2. Input Validation
When developing software that depends upon the user for any kind of input, you must check to ensure that the user provided input matches your specification. And remember, think outside the box here. Earlier we discussed how to handle a situation where a user asks to divide the number 3 by 0. This is an easily predictable error, but what if the user when prompted for a number, types in “apple”, this is obviously completely nonsensical. But it is one of the most fundamental errors made in software development and represents a serious security risk. It is very possible and also common for a lack of input validation to provide a user complete access to your back-end database.
When performing input validation, check for three (3) things
Is the data of correct type? If you’re expecting a number, did you receive only digits? Or did the user type in “apple”?
Is the data of the correct length? If you want only 40 characters, what do you want the computer to do if the user types in 45?
Is the data suitable? If you’re expecting a non-zero positive integer, what should the computer do if the user types in a negative decimal number for instance?
Performing proper input validation can save many headaches down the road.
Fuzzing is a software testing practice that is designed to check for proper error handling and input validation. Fuzz testers provide all sorts of random, invalid and even garbage input to an application to make sure that it is handled properly. Fuzz testers will try to break all three of the input validation rules mentioned earlier. Fuzz testing is a great way to verify that sound software development practice are in place and to test code before it is released into production.