Finacle paper on secure coding practices gives an insight into application coding security and highlights how comprehensive approach in security is need to not only secure code but also web servers and databases.
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Finacle - Secure Coding Practices
1. Secure coding practices
Thought Paper
www.infosys.com/finacle
Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
2. Secure coding practices
Writing good code is an art but equally defining variables and structures and passing
important is programmers’ awareness of secure references and pointers from one module
code practices, and the care they take when to another.
Overview of code security
While defining variables, programmers need to access to the structures using proper access
first assess memory space to be allocated, controls such as “public, private or protected”,
and clearly define the individual scope of inside the code.
reference variables while passing references
Another thing to be kept in mind is that variables,
inside functions. In languages such as C++,
used normally for handshaking between
defining and using pointers is good practice as
two modules – say, loans with payments –
it improves performance and speed, especially
should have a restricted set of values defined.
in the case of applications like core banking
These variables are normally static and their
where there are multiple users. But on the flip
scope should be defined within certain boundaries.
side, this poses enormous risk to data security
as pointers can be accessed from outside and Also, it is always reco-mmended to perform
variable values can be manipulated. code audits before implementation, so that
potential code vulnerabilities can be fixed. For
Programmers should follow secure coding
that, the code auditors should be enabled with
practices while dealing with arrays, linked lists,
proper know-how about individual languages
stacks and vectors, which are the linear data
and related secure code practices.
structures normally used in coding, always
keeping in mind that size of such data structures Moreover, programmers should be aware of
should be strictly limited to the space required. specific security related features of each
Location – the physical address at which these programming language. Code review by experts
structures are defined – is an important aspect ensures that programmers implement good
as well. In addition, it is essential to restrict security practices.
Security breach in coding
Security breaches in coding are primarily of 4 Malware passing/hosting: Malware, which is
generic types: software written to perform malicious activities,
can be passed inside Web interfaces if codes are
Code injections: In most of the functionalities
not written securely.
where end users are allowed to upload file
content, they can also inject codes in the Web Insecure database calls: Generic database calls
server. These codes can perform malicious acts require variables like database passwords and
and pass valuable system information to hackers. names and user names that are generally accessed
02 Thought Paper
3. through static storage variables or properties modified by system users. If such files are used,
files. It is important to write these calls in a the variable values should be stored using
manner that passwords and user names can interfaces and in encrypted format. However, it
be generated at run time and passed in the is recommended to avoid these files altogether.
program. It has been observed in security
Further, if the property file of the server is
audits that many enterprise applications use
compromised, hackers can overload its access
hardcoding of passwords and other parameters,
methods and misuse them. It is preferable to
which is a wrong programming practice.
create combination keys with two or more
Properties file misuse: Properties files normally resources instead of using just one properties
used to access basic data, contain lists of file. These can be run time generated and passed
unencrypted variables whose values can be to required modules.
Change management and version control
In general code writing practices, version with details and code review should be done
control is achieved using version numbering. before deployment. Also, the vulnerabilities
Secure practices need to be followed during the due to new changes in code should be
change management implementation process. addressed explicitly.
The changes in code should be highlighted
General secure coding practices
Concept of no tolerance Variable declarations: When variables are
declared in code, the variable length and scope
When coding, the tolerance related to variable
of variable access should be predetermined;
length, scope and accessibility should be
declarations should be made accordingly. Use
predetermined and only the required scope
of fixed length variables should be avoided
should be allowed. The tolerance for variable
and preferably, variables should be defined
length should be optimized. Scopes for
with dynamic memory allocations. Many new
generated objects should also be predetermined.
compilers like VB and VC++ support postponement
Ideally, code should not rely on variable scope
of variable declaration by mentioning only
predefined by the compiler.
the variable name and not the type. In such
cases, variable types and properties should
Certain thumb rules of secure coding
be determined within the scope without any
Vertical and horizontal code drafting practices/ overload of unnecessary features. In languages
Code Orientation: Although code drafting that support object referencing, programmers
methods might change as per language should avoid making multiple copies of the
specifications, the normal way of writing code is same variables.
either vertical cascading or horizontal splitting
of code. The vertical cascading method helps System level and semaphore variables: In
programmers to understand the code whereas cases where shell variables are used, variable
horizontal splitting enables them to define the values have to be sanitized. It is preferable
scope of functions and variables. to initialize values and not to assume default
Thought Paper 03
4. vales as per system usage. Normally for inter- and then further modified as per system usage.
process communications where semaphores As the semaphore controlling variable values
are implemented, the variables used to control are generally global in nature, it is important to
the semaphores should be initialized in advance determine entry and exit point values in advance.
Object oriented principles
Partial and full implementation of Object multiple inheritances as it adds to code
Oriented Programming (OOP) and security: vulnerability. Making major variable declarations
OOP is in line with best security practices, with in public scope enables easy access, thereby
some exceptions. For instance, high usage of compromising OOP abstraction.
friend and virtual functions makes code more
Prevention of inheritance by key words like
insecure and prone to compromise. Well-defined
‘Final’: In certain languages like C++ and Java,
scopes like public, private and protected, secure
inheritance can be restricted using key words
the code. Certain programming languages like
such as ‘Final’, thus disallowing users from
Java do not support multiple inheritances, thus
inheriting class methods available in base class.
protecting the methods defined under classes.
This can be done when programmers do not
Data abstraction and multiple inheritance want any further extensions and use defined
linkages: Programmers should avoid using class members.
Security for software deployment
Secure deployments, keys protection in code applications. Preferably, deployments should
deployment: Generally, codes are deployed be done serially and manual handling should
through popular deployment tools which be strictly avoided. Keys used for secure
compress the files and serially deploy them on deployments should be dynamic, with a specified
the destination server. The deployment codes time period to avoid code misuse.
might be insecure, resulting in holes in the
Code level security for Web applications
While SQL injection is a common Web messages (such as ‘page not found’) should be
vulnerability, it is also important to write altered to prevent the user from getting details
optimized queries in order to secure the data like Web server configuration and version path.
objects. This ensures the safety of the SQL Web server default passwords and paths should
output artifacts and also improves performance also be changed as per specific requirement.
of database calls. Also, retrieval of unnecessary
Secure way of code deployment on Web:
database column values should be avoided.
Web-based code deployment, being very
Web server secure practices: Web server logs unsecure, should be managed well. Handshakes
should always be configured to another drive should happen on key exchange mechanism
where they can be stored. This will enable the and both client and server application should
tracing of hacking attacks. In addition, error authenticate the connection between them.
04 Thought Paper
5. Best security practices at the individual
language level
Each programming language has its own features dropping can be reduced by transmitting all
around which security practices are set. information between client and browser over
Secure Sockets Layer (SSL). Programmers should
C/C++ also ensure that client side options such as view
Even if declared implicitly, array bounds in C++ state /hidden variables are not used to store
should be set explicitly, and should not be left sensitive data. Further, sensitive information
open-ended. The structures should be defined must be stored on the server and not on the
dynamically as well. Also, loop arrays should client side. Additionally, appropriate error
not be allowed to iterate beyond the end of the messages should be displayed just like in Java.
array, so as to reduce buffer overflow attacks. In
addition, conversions using void pointers should PHP
be avoided, while the automatic variables used In the server-side programming language, PHP,
need to be initialized before declaration. the majority of attacks can be reduced by
sanitizing the input; functions like filter_input/
Java
filter_id can be used. While using MySQL, it
Sanitization of all data input irrespective of the would be preferred to change password
source, substantially reduces risk of attacks such frequently. Malicious scripts can be prevented
as code injections. It is also advisable to declare from running on the browser by removing
data variables of a class as private, thereby content like special characters before it is sent
restricting access. Even in the case of nested to the users. Attacks such as Remote File
classes, the methods accessing the private Inclusion/Local File Inclusion can be reduced by
members of the outer class should be declared sanitizing the inputs, restricting dynamic inputs
as private. Besides, exceptions should not be that come from the user and placing strict
allowed to expose sensitive information. The access controls for critical files. Again, error
outcomes of exceptions should be changed by messages sent to the user must be generic and
proper exception handling, so that users get not disclose any information.
only valid exceptions. Use of the key word
‘Finally’ while handling the exception significantly Shell scripts
reduces data vulnerability. Null pointers should
not be de-referenced, as this can cause the null When using shell scripts, a popular scripting
pointer exception. Error messages passed to the language mainly based on the Unix platform,
user through servlets should be appropriate and restricted access must be ensured, with read,
should not display any confidential data. write and execute permissions for individual
scripts given according to users’ privilege. In fact,
ASP.Net Unix is considered the most secure Operating
System because of the security features offered
When using the popular programming language though shell scripts.
ASP.Net, data input from all users should be
thoroughly sanitized. Stored procedures should Programmers should restrict privileges for
be used to filter malicious user inputs, thereby specific command execution as well. For instance,
mitigating code injection attacks. Also, session those given permission to view the directory
hijacking attacks can be reduced by disparate should not be allowed to make any changes.
transmission of authentication and session Additionally, the access controls for individual
cookies and using only the HTTPS network for files and directories should be predetermined.
the same. Authentication credentials should also Segregation of users based on privileges is very
be passed only over HTTPS. Network eaves important too.
Thought Paper 05
6. While writing and executing filters, steps to In addition, TCP/IP stack gets exposed to
prevent data exposure should be taken care of programmers directly through shell script and
in advance. During processing, programmers C programs and programmers should avoid
should exercise caution when exposing kernel display of unnecessary stack information to end
calls and switches to end users. They should users. There have been instances of companies
also ensure that fork calls are finite and preparing their own protocol to avoid content
controlled by defined system variables as they exposure through the TCP/IP stack.
are highly sensitive to memory usage.
Conclusion
Application coding security is not restricted servers and databases, techniques of handling
to just drafting ways of coding. Rather, it calls properties files et al. Best security practices
for a comprehensive approach that encompasses should be formulated keeping in mind language
methods of Web and database server specific features and should be applied during
configuration, ways of making calls on Web configuration, coding and implementation.
Bibliography
1. Session Hijacking: Refers to the exploitation of the operating system. Depending on the
of the session, done mainly by theft of the value of the semaphore the process will know
session key used to authenticate a valid user whether to utilize the resource or to wait.
and gain access to services.
4. SQL Injection attack: SQL queries are drafted
2. Network Eavesdropping: Refers to the sniffing and inserted in Web forms maliciously to
of the data packets transmitted along a extract sensitive information from databases.
network to gain access to sensitive information.
This is done using sniffers. 5. Array: Term referred to the use of a collection
of variables belonging to a single type.
3. Semaphores: Used in operating systems,
for coordinating activities between multiple 6. Pointers: A variable which is used to store
processes that compete for using the resources the address of another variable.
Makarand Madhukar Baji
Senior Consultant, Finacle Payments, Infosys
Sandhya Ravikumar
Technology Analyst, Finacle E-Banking and Channel Support, Infosys
06 Thought Paper