Secure Code Wiki: A web of secure coding good practices

For the advancement of knowledge and education, and of science and technology in general, applying the better and more effective actions, measures or recommendations (good practices) serves the ultimate goal of bringing any activity or process to fruition.

Programming languages and software development, like any other IT and professional activity, have their own "good practices" spanning many areas, especially those related to the cybersecurity of the software products produced. In this post we present some «Good Secure Coding Practices» from an interesting and useful website called "Secure Code Wiki", covering both free and open development platforms and private, closed ones.

Before getting into the subject, as usual, we leave below some links to previous publications related to the topic of «Good Practices in Programming or Software Development».

"… Good practices conceived and disseminated by the "Code for Development Initiative" of the Inter-American Development Bank on the subject of software licenses, which must be taken into account when developing software products (digital tools), especially free and open ones."

Related articles:
  • Licenses for the development of Free and Open Software: Good practices
  • Technical Quality: Good practices in the development of Free Software
  • Good practices to develop free and open Software: Documentation

Secure Code Wiki: Good Secure Coding Practices

What is Secure Code Wiki?

As its site states:

"Secure Code Wiki is a culmination of secure coding practices for a wide range of languages."

Both these good practices and the "Secure Code Wiki" website have been created and are maintained by an Indian organization called Payatu.

Examples of Good Practices by types of Programming Languages

Since the website is in English, we will show some examples of secure coding for various programming languages, some free and open and others private and closed, as offered by that website, to explore the potential and quality of its content.

It is also important to highlight that the good practices are shown for the following development platforms:

  • .NET
  • Java
  • Java for Android
  • Kotlin
  • NodeJS
  • Objective C
  • PHP
  • Python
  • Ruby
  • Swift
  • WordPress

They are divided into the following categories for Desktop Languages:

  • A1 - Injection
  • A2 - Broken Authentication
  • A3 - Sensitive Data Exposure
  • A4 - XML External Entities (XXE)
  • A5 - Broken Access Control
  • A6 - Security Misconfiguration
  • A7 - Cross-Site Scripting (XSS)
  • A8 - Insecure Deserialization
  • A9 - Using Components with Known Vulnerabilities
  • A10 - Insufficient Logging & Monitoring

And also divided into the following categories for Mobile Languages:

  • M1 - Improper Platform Usage
  • M2 - Insecure Data Storage
  • M3 - Insecure Communication
  • M4 - Insecure Authentication
  • M5 - Insufficient Cryptography
  • M6 - Insecure Authorization
  • M7 - Client Code Quality
  • M8 - Code Tampering
  • M9 - Reverse Engineering
  • M10 - Extraneous Functionality

Example 1: .NET (A1 - Injection)

Using an object relational mapper (ORM) or stored procedures is the most effective way to counter the SQL injection vulnerability.

Example 2: Java (A2 - Broken Authentication)

Whenever possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and reuse attacks on stolen credentials.
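To make the second factor concrete, here is an added example (not from Secure Code Wiki or Payatu) of a time-based one-time password (TOTP, RFC 6238) verifier as a login server would use it: the code is accepted only together with a correct password, only within one time step of the server clock, and only once, so a replayed code or a stuffed password alone does not get in. The shared secret, the `MfaVerifier` class and the `login` helper are constructed for the example; the algorithm is the standard HOTP/TOTP construction.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a moving counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second step number."""
    return hotp(key, at // step, digits)


class MfaVerifier:
    """Second-factor check for a login flow (constructed helper for this example).

    Accepts a code only within +/- `window` time steps of the server clock and
    never accepts the same time step twice, which defeats replay of a code
    captured from the user."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.key, self.step, self.window, self.digits = key, step, window, digits
        self.last_counter = -1          # highest counter already accepted

    def verify(self, code: str, at: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            # constant-time compare: timing must not reveal how many digits matched
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                if counter <= self.last_counter:
                    return False        # already used: reject the replay
                self.last_counter = counter
                return True
        return False


def login(password_ok: bool, verifier: MfaVerifier, code: str, at: int) -> bool:
    """Both factors must pass; a stolen or reused password alone is not enough."""
    return password_ok and verifier.verify(code, at)
```

The secret must be stored per user and never logged; in a real deployment the verifier state (`last_counter`) lives in the user record, not in process memory. The RFC 4226/6238 test vectors (key `12345678901234567890`, counter 0 and time 59) are used to check the implementation.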

Example 3: Java For Android (M3 - Insecure Communication)

It is imperative to apply SSL / TLS to the transport channels used by the mobile application to transmit sensitive information, session tokens or other sensitive data to a backend API or web service.
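The practice is easy to state and easy to undo with a single line that disables certificate checking. The following added example (not from Secure Code Wiki or Payatu, written in Python rather than Java so it stays with the other examples on this page) builds a client TLS context that verifies the server certificate and hostname and refuses anything below TLS 1.2, audits a context for the usual weakenings, and refuses to send a session token over a context that fails the audit. The `post_token` helper and the audit checks are constructed for the example.

```python
import socket
import ssl


def make_strict_client_context(ca_file: str = None) -> ssl.SSLContext:
    """Client context that validates the chain and hostname and sets a TLS 1.2 floor."""
    ctx = ssl.create_default_context(cafile=ca_file)   # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a reviewer would flag in a client context."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required or not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def typical_broken_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' pattern: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def post_token(host: str, path: str, token: str, ctx: ssl.SSLContext = None) -> bytes:
    """Send a session token to the backend only over a verified TLS channel."""
    ctx = ctx or make_strict_client_context()
    if audit_context(ctx):
        raise ValueError("refusing to send a secret over a weak TLS context")
    with socket.create_connection((host, 443)) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Authorization: Bearer {token}\r\nContent-Length: 0\r\n\r\n")
            tls.sendall(req.encode())
            return tls.recv(4096)
```

For a mobile app the equivalent is the platform's default (verifying) TLS stack plus, where the backend is under your control, certificate or public-key pinning; the point of the audit function is that a weak context should fail loudly in tests instead of silently shipping.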

Example 4: Kotlin (M4 - Insecure Authentication)

Avoid weak patterns.

Example 5: NodeJS (A5 - Broken Access Control)

The access controls of the model should enforce ownership of the records, rather than allow the user to create, read, update, or delete any record.

Example 6: Objective C (M6 - Insecure Authorization)

Applications should avoid using guessable numbers as an identifying reference.
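Examples 5 and 6 are two halves of the same defence, so one added example (not from Secure Code Wiki or Payatu) covers both: a record store whose every operation checks that the caller owns the record, and whose identifiers are random 128-bit tokens rather than guessable sequential numbers. Unknown and not-owned records produce the same error so a caller cannot tell which ids exist. The `RecordStore` class and `AccessDenied` exception are constructed for the example.

```python
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not your record': one answer for
    both cases means callers cannot probe which ids exist."""


@dataclass
class Record:
    id: str
    owner: str
    body: str


class RecordStore:
    """Constructed in-memory store; ownership is enforced on every operation."""

    def __init__(self):
        self._records = {}

    def create(self, owner: str, body: str) -> Record:
        # 128-bit random, URL-safe id instead of an auto-incrementing integer
        rec = Record(secrets.token_urlsafe(16), owner, body)
        self._records[rec.id] = rec
        return rec

    def _owned(self, user: str, rid: str) -> Record:
        # Never trust the id alone: the caller must be the owner
        rec = self._records.get(rid)
        if rec is None or rec.owner != user:
            raise AccessDenied(rid)
        return rec

    def read(self, user: str, rid: str) -> str:
        return self._owned(user, rid).body

    def update(self, user: str, rid: str, body: str) -> Record:
        rec = self._owned(user, rid)
        rec.body = body
        return rec

    def delete(self, user: str, rid: str) -> None:
        self._owned(user, rid)
        del self._records[rid]

    def list_for(self, user: str) -> list:
        # Listing is scoped to the caller; there is no "list everything" path
        return [r for r in self._records.values() if r.owner == user]
```

In a web framework the `user` argument comes from the authenticated session, never from the request body or query string, otherwise the ownership check is checking a value the client chose.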

Example 7: PHP (A7 - Cross Site Scripting)

Encode all special characters using htmlspecialchars() or htmlentities() when the output is placed inside HTML.
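Escaping must match the context the value lands in: text between tags, a quoted attribute, a URL query parameter and the scheme of a link each need a different treatment. This added example (not from Secure Code Wiki or Payatu; Python's `html.escape` stands in for PHP's `htmlspecialchars()`) renders a small profile fragment with the right encoder per context. The `render_profile` and `safe_href` helpers are constructed for the example.

```python
import html
from urllib.parse import quote, urlsplit


def esc_html(value: str) -> str:
    """Escapes < > & " ' so the value is inert as text or inside a quoted attribute."""
    return html.escape(value, quote=True)


def esc_query(value: str) -> str:
    """Percent-encodes a value placed inside a URL query string."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """Only http(s) links are allowed in href; any other scheme becomes '#'.
    Attribute escaping alone does not stop a script: URL from running on click."""
    scheme = urlsplit(url).scheme.lower()
    return esc_html(url) if scheme in ("http", "https") else "#"


def render_profile(name: str, website: str, bio: str) -> str:
    """Each untrusted value is escaped for the exact context it is inserted into."""
    return (
        f"<h2>{esc_html(name)}</h2>\n"
        f'<a href="{safe_href(website)}" title="{esc_html(website)}">homepage</a>\n'
        f'<a href="/share?u={esc_query(website)}">share</a>\n'
        f"<p>{esc_html(bio)}</p>"
    )
```

A template engine with auto-escaping on by default does the text and attribute cases for you; the URL scheme check is the one most engines leave to the application.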

Example 8: Python (A8 - Insecure Deserialization)

The pickle and jsonpickle modules are not safe; never use them to deserialize untrusted data.
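Why pickle is unsafe is that loading it can import and call any global the stream names. This added example (not from Secure Code Wiki or Payatu) shows the two defensive options: the preferred one, a data-only format (JSON) with explicit shape and size checks, and the fallback from the Python documentation, an `Unpickler` subclass whose `find_class` refuses every global not on an allow-list (here the list is empty, so only plain containers and scalars load). The `load_json_checked` helper and its field specification are constructed for the example.

```python
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global except an explicit allow-list.
    With an empty list, only dicts, lists, tuples, strings and numbers load."""
    ALLOWED = frozenset()    # (module, name) pairs; nothing allowed by default

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Last resort when pickle cannot be avoided; still not for untrusted peers."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json_checked(text: str, spec: dict, max_bytes: int = 64 * 1024) -> dict:
    """Preferred path for untrusted input: a data-only format plus shape checks.

    `spec` maps each required key to the Python type it must have, for example
    {"user": str, "age": int}; extra or missing keys are rejected."""
    if len(text.encode()) > max_bytes:
        raise ValueError("payload too large")
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(spec):
        raise ValueError("unexpected or missing keys")
    for key, typ in spec.items():
        val = obj[key]
        # bool is a subclass of int in Python, so reject it explicitly for ints
        if (isinstance(val, bool) and typ is not bool) or not isinstance(val, typ):
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    return obj
```

A pickle of a plain dict loads through the restricted unpickler, while one that references any class (an `OrderedDict` is enough) is refused before the class is imported.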

Example 9: Python (A9 - Using Components with Known Vulnerabilities)

Run the application with the least privileged user.
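A service that has to start as root (for example to bind a privileged port) should give those privileges up before it touches any input. This added example (not from Secure Code Wiki or Payatu) shows the standard Unix sequence: shed supplementary groups, set the gid, then the uid, and finally prove the drop is irreversible by checking that `setuid(0)` now fails. The `ids_for` and `validate_unprivileged` helpers are constructed for the example; the `nobody` account in the `__main__` block is an assumption about the host.

```python
import os


def validate_unprivileged(uid: int, gid: int) -> None:
    """Refuse to 'drop' to an identity that is still root."""
    if uid == 0 or gid == 0:
        raise ValueError("target uid/gid must not be 0")


def ids_for(username: str) -> tuple:
    """Resolve a service account to (uid, gid) from the passwd database (Unix only)."""
    import pwd
    entry = pwd.getpwnam(username)
    return entry.pw_uid, entry.pw_gid


def drop_privileges(uid: int, gid: int) -> dict:
    """Permanently switch the process to an unprivileged identity.

    Order matters: groups, then gid, then uid. Changing the uid first would
    leave the process unable to change its group afterwards."""
    validate_unprivileged(uid, gid)
    if os.geteuid() != 0:
        # already unprivileged: nothing to do, report the current identity
        return {"dropped": False, "uid": os.getuid(), "gid": os.getgid()}
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)          # setuid (not seteuid) also replaces the saved uid
    try:
        os.setuid(0)        # must fail now; success would mean the drop was not real
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was reversible; aborting")
    os.umask(0o077)         # files created from now on are private to the service
    return {"dropped": True, "uid": os.getuid(), "gid": os.getgid()}


if __name__ == "__main__":
    # typical start-up: open privileged resources while root, then drop
    print(drop_privileges(*ids_for("nobody")))
```

Where the platform offers it, prefer letting the init system or container runtime start the process as the unprivileged user directly (a `User=` directive or a non-root image user), so the application never holds root at all.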

Example 10: Swift (M10 - Extraneous Functionality)

Remove hidden backdoor functionality or other internal development security controls that are not intended to be released in a production environment.

Example 11: WordPress (XML-RPC Disable)

XML-RPC is a WordPress feature that allows data transfer between WordPress and other systems. Today it has been largely superseded by the REST API, but it is still shipped in installations for backward compatibility. If it is enabled in WordPress, an attacker can use it for brute-force and pingback (SSRF) attacks, among others.
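Whether or not the endpoint has been disabled yet, a site owner can see from the web server log who is using it. This added example (not from Secure Code Wiki or Payatu) parses combined-format access log lines, counts POST requests to `/xmlrpc.php` per source address and flags sources above a threshold, which is both a blocking signal and evidence that the endpoint should be switched off if nothing legitimate uses it. The log lines are constructed for the example using documentation IP ranges; the threshold is an assumption to tune per site.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one client hammering xmlrpc.php,
# one ordinary visitor who also makes a single legitimate XML-RPC call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2021:12:00:{i:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '198.51.100.4 - - [10/Jun/2021:12:00:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2021:12:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2021:12:00:21 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/7.68"',
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_hits(lines) -> Counter:
    """Count POSTs to /xmlrpc.php per source address (query string ignored)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            hits[rec["ip"]] += 1
    return hits


def flag_xmlrpc_abuse(lines, threshold: int = 10) -> dict:
    """Sources at or above `threshold` xmlrpc.php POSTs in the given lines."""
    return {ip: n for ip, n in xmlrpc_hits(lines).items() if n >= threshold}


if __name__ == "__main__":
    print(flag_xmlrpc_abuse(SAMPLE_LOG))
```

Run over a real log the counts should be windowed by time (per minute or per hour) rather than over the whole file; the per-address counter above is the building block for that.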


Conclusion

We hope this "useful little post" about the website called «Secure Code Wiki», which offers valuable content related to «Good Secure Coding Practices», is of great interest and utility for the entire «Comunidad de Software Libre y Código Abierto», and contributes to the spread of the wonderful, gigantic and growing ecosystem of «GNU/Linux» applications.

For now, if you liked this post, do not hesitate to share it with others on your favorite websites, channels, groups or communities on social networks or messaging systems, preferably free, open and/or more secure ones such as Telegram, Signal, Mastodon or others in the Fediverse.

And remember to visit our home page at «DesdeLinux» to explore more news, and to join the official DesdeLinux channel on Telegram. For more information, you can visit any online library such as OpenLibra and JedIT to access and read digital books (PDFs) on this topic or others.



luix said:

    Interesting article, it should be mandatory for every developer.