This document discusses secure programming practices, including incorporating security into the software development lifecycle, common vulnerabilities like buffer overflows and integer overflows, and secure coding guidelines for languages like Java and C++. It emphasizes practices like input validation, error handling, and using the latest compilers. It also covers the High Integrity C++ framework for developing safety-critical applications.
2. Overview
• To develop a secure application, secure coding techniques
should be incorporated into every phase of the SDLC
• Discusses the impact of various vulnerabilities
• Covers secure coding guidelines for Java and C++
• Reviews High Integrity C++ (HICPP)
3. Vulnerabilities
Buffer Overflow
• A buffer overflow occurs when a program allows
input to write data beyond allocated memory
Integer Overflow
• An integer overflow takes place when an arithmetic operation
produces a value outside the range the integer variable can
represent
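The two definitions above, as an added C example that is not part of the original slides: an integer overflow in a length computation defeats a bounds check and would let a copy run past a fixed buffer, beside the checked arithmetic that rejects the same input. `BUF_SIZE`, `copy_records` and the sample record data are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64   /* fixed destination buffer size (assumed for the demo) */
/* Constructed sample input: BUF_SIZE bytes of record data, zero-padded. */
static const unsigned char SAMPLE_RECORDS[BUF_SIZE] =
    "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH";

/* Vulnerable check: n * width is computed in 32 bits and silently wraps,
 * so a huge n can yield a tiny product that passes the bounds test. */
int unsafe_size_check(uint32_t n, uint32_t width)
{
    uint32_t total = n * width;          /* wraps modulo 2^32 */
    return total <= BUF_SIZE;            /* 1 = accepted, 0 = rejected */
}

/* Hardened helper: detect the wrap-around before the product is used. */
int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;                        /* a * b would not fit in 32 bits */
    *out = a * b;
    return 1;
}

int safe_size_check(uint32_t n, uint32_t width)
{
    uint32_t total;
    return checked_mul_u32(n, width, &total) && total <= BUF_SIZE;
}

/* Copy n records of `width` bytes into a BUF_SIZE buffer.
 * Returns bytes copied, or -1 if the size is rejected (nothing is written). */
int copy_records(const unsigned char *src, uint32_t n, uint32_t width,
                 unsigned char *dst)
{
    uint32_t total;
    if (!checked_mul_u32(n, width, &total) || total > BUF_SIZE)
        return -1;
    memcpy(dst, src, total);
    return (int)total;
}

/* Runs copy_records on the constructed sample so the result can be checked. */
int copy_sample(uint32_t n, uint32_t width)
{
    unsigned char dst[BUF_SIZE];
    return copy_records(SAMPLE_RECORDS, n, width, dst);
}
```

With n = 0x40000001 and width = 4 the product is 0x100000004, which wraps to 4 in 32-bit arithmetic: the unchecked test accepts it, the checked path rejects it.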
4. Vulnerabilities
Command Injection
• Takes place when malicious data is embedded into
input and is passed to the shell
Improper error handling
• When a programmer fails to implement proper error
handling, the application might leak information
5. Secure Software Development
Secure Architecture and Design
• To reduce the number of vulnerabilities before development starts
• It is easier and more cost-effective to eliminate security flaws
Secure Coding Practices
• Increase awareness about software security among the developers
Software Security Testing
• Code Review
• Penetration Testing
• Fuzz Testing
6. General Secure Coding Guidelines
Efficient input validation is mandatory
Modular programming approach
Use of the latest compilers
Encrypt all confidential data using strong
cryptographic techniques
Always code with proper error/exception handling
Every organization must educate its developers on
how to write secure code
8. Secure Coding Practices in Java
Understand the effect of a superclass on a
subclass
Use public static fields for defining a constant
Use try/catch statements for exception handling
Ensure that an instance of a non-final class is fully
initialized
Be cautious when dealing with multiple threads
9. Secure Coding Practices in C/C++
Use pointers safely
Watch out for memory leaks
Run a ‘Garbage Collector’ to free the memory
Securely delete sensitive data from memory by
declaring the variable as volatile
Allocate memory dynamically
10. High Integrity C++
Defines the set of rules and guidelines for the production of
C++ code
Provides the restrictions necessary to make C++
suitable
Explores the use of C++ for high integrity and safety critical
applications
Enforces best and secure practice in C++ development.
11. Conclusion
Provides a practical and effective set of secure
coding guidelines
A secure SDLC that considers security at every
stage of development contributes to early
identification of potential vulnerabilities
Discusses the concept of HICPP,
which is more secure than C++.