
Where to start with secure coding practice

Often, with coding projects that have developed organically, or with no specific security focus at the outset of development, the question arises of where to start in securing the code one has.

The first step is to understand that there are issues to work through to retrofit security back into the code. Ideally, the code starts from a secure basis, but under some circumstances, the size or budget of the project does not allow for this.

So, how to proceed?

In terms of the code that we use to display, manage and filter user inputs before creating outputs, we know that there are a few challenges we need to mitigate in order to create a more secure data environment.

Some initial thoughts for discussion, below.

Infrastructure

  • As an initial step, isolate each client's database under its own specific user with the minimum rights required. This minimises exposure if database access details are exposed.
  • Any files not required to run a site should not be on the server (e.g. .old or -orig.php files).
  • Software versions for the underlying stack serving the code should be kept up to date and patched.
  • Reviewing and acting on log files on a daily basis allows for the identification of attempts to:
    • expose code weaknesses by fuzzing
    • expose code weaknesses on the stack
    • expose drive-by attempts on the server(s) – in code and on the stack

Code

  • Never trust user input, and re-validate at every stage, which can be generalised to:
  • Never trust data passed via GET or POST requests, and re-validate at every stage.
  • Implement input validation using one of the validation frameworks available, for example Zend_Validate:

      require_once 'Zend/Validate/EmailAddress.php';

      // $email holds the untrusted value, e.g. taken from $_POST
      $validator = new Zend_Validate_EmailAddress();
      if ($validator->isValid($email)) {
          // email appears to be valid
      } else {
          // email is invalid; print the reasons
          foreach ($validator->getMessages() as $messageId => $message) {
              echo "Validation failure '$messageId': $message\n";
          }
      }

  • Implementing validation on all inputs mitigates at least 7 of the OWASP Top 10 exploits (add the class to the top-level includes, then parse and validate from there).
  • Use an established Auth framework for user authentication:
    • PEAR_Auth
    • Zend_Auth
  • Implement an SSL layer over all data inputs and outputs to secure the data point-to-point (known possible exploits of the SSL implementation on older or badly-coded browsers and clients aside).
  • Process MySQL statements with bound parameters (prepared statements) rather than building the SQL text from input.
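
The validation and prepared-statement points above, side by side, as an added example that is not code from the original page. It assumes PHP 7.1+ with the pdo_sqlite driver, uses an in-memory SQLite database in place of MySQL and PHP's built-in filter_var in place of Zend_Validate so that it runs offline; the table, column and function names are hypothetical.

```php
<?php
// Added example, not the page's code. An in-memory SQLite database stands
// in for MySQL; table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('o''brien@example.com')");

// Before: the input becomes part of the SQL text.
function findConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: validate, then bind. The statement text is fixed; the value
// travels separately and is only ever compared as data.
function findPrepared(PDO $pdo, string $email): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [];   // rejected before it reaches the database
    }
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal address, a well-formed address containing a
// quote, and a string that changes the WHERE clause when concatenated.
$inputs = ['alice@example.com', "o'brien@example.com", "x' OR '1'='1"];
foreach ($inputs as $input) {
    try {
        $before = count(findConcatenated($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $before = 'SQL error';
    }
    $after = count(findPrepared($pdo, $input)) . ' row(s)';
    printf("%-22s concatenated: %-10s prepared: %s\n", $input, $before, $after);
}
```

The second input is why validation alone is not enough: a value can pass a format check and still contain characters that are significant in SQL, so the binding step is needed regardless.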

Contact us for more information on a secure code implementation!