Security Think Tank: To secure code effectively, verify at every step


It’s been quite a while since I dd any actual coding and while I have done machine level coding I was initially taught Algol and Fortran, both being high level languages.

In my 20 plus years in information security and assurance the issue of secure coding has risen in importance. It is through poor coding and housekeeping procedures that many successful security breaches have occurred, but the role of the operational environment and any background housekeeping functions should not be overlooked, they can, indeed, be critical.

A big part of secure coding is ensuring that any input to a piece of code only is allowed to originate from a known – verified – source and that the input is subjected to rigorous boundary and content checking and, should the input not be conformant, then that data is completely destroyed.

Similarly output from a piece of code should only come from within the code itself and sent to known – verified – destinations and not allowed to use memory outside of what has been allocated. The code itself should only access and use allocated memory locations and system I/O, housekeeping functions should also clean up any temporary memory locations post use.

The operating system that any code runs under should allocate, monitor and control memory usage in order to stop one piece of code from violating the memory allocated to other pieces of code.

The OS should only permit verified (certified or flagged) code to run, non-verified code should be isolated, prevented from running and an error output.

It should be noted that this could be a multi-level operation where, for example, you have a host system and OS that is running a number of virtual hosts or supporting a number of containers – not  forgetting that a virtual host could also be running a number of containers making for a very complex environment.

There are quite a few software, container and OS testing tools on the market but unless your organisation has its own IT department that is developing, maintaining and deploying code you will probably look to outsourcing any necessary testing and review work to a competent agency.



Read more on Application security and coding requirements


Leave a Reply

Your email address will not be published. Required fields are marked *