Tip

Best practices for secure code

Though security is usually associated with the perimeter; firewalls, IDE and antivirus software, the security of your systems often boils down to how securely the code of your applications was written.

While attending VSLive 2004 in San Francisco, I picked up a few best practices for designing and writing code within the .NET framework. But first, here are some of the threats that your code might be exposed to, courtesy of Gabriel Torok,

    Requires Free Membership to View

PreEmptive Solutions:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privileges

This list provides the easy to remember acronym STRIDE. Torok recommends that you categorize the possible threats to your code into the above categories. Since security is about protecting assets, he also suggests that you rank the threats according to the menace they pose:

  • Damage Potential
  • Reproduce-ability
  • Exploitability
  • Affect on users
  • Discoverability

This list also provides a handy acronym: DREAD.

So once the threats are identified and categorized, how do you go about making sure your code is secure? The first step is to develop the correct mindset: consider security to be a feature of your code. Security should be one of the first considerations in the design process. Portability and efficiency are admirable code qualities, but so is security. Spend time on developing it early in the process.

Once you have established security as a part of your process, here are some more tangible best practices:

  • Follow the principle of least privilege. Only allow the code access to the minimum files and directories.
  • Encryption standards. Use encryption for password transport. And don't roll your own. The .NET framework supports encryption and standard encryption algorithms have proven their security.
  • Prevent reverse engineering and tampering. Encryption is not useful to prevent reverse engineering since the code has to be unencrypted to run. Obfuscation is the best way to secure your code and protect your intellectual property. An obfuscator called Dotfuscator is available in the .NET Framework.
  • Fail and recover securely. Test every line of code, even error handlers. Make sure your code is not susceptible to a buffer overrun.

You may want to consider having people on staff that specialize in security. And remember, a secure product is a better product.


Benjamin Vigil is a technical editor for SearchWebServices.com


This was first published in April 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.