Write Safe and Secure Applications

ITU-T Study Group 17, the International Telecommunication Union's lead study group on security, publishes a paper containing general suggestions for writing secure applications. Each item in the paper is hyperlinked to additional information.

You can read it on the website or download it in MS Word format.

According to the website, the suggestions are directed toward developers and describe “how to avoid the most common pitfalls… It focuses on network application programs, but many of the suggestions are equally valid for other kinds of software… See the Resource section [last section of the paper] for a list of reference documents which can be accessed for specific implementation details.”

ITU’s suggestions for writing safe and secure applications:

Design
* Design with security and safety in mind
* Design for quality
* Use formal methods and languages
* Limit software complexity
* Ensure that all the operations (both normal and exceptional) in your application are safe and secure
* Use only well-known cryptographic algorithms
* Don’t assume that you can increase security by keeping the source code of your algorithms hidden
* Don’t rely on the users of your application to select the appropriate (more secure) security settings
* Verify exchanged digital certificates and involve the user as much as possible in this process
* Limit the internal data redundancy and manage the existing redundancy

Implementation
* Ensure that the program doesn’t try to read or write data outside an allocated memory block (buffer overflow)
* Ensure that all resource allocation errors are detected and handled
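The two implementation items above are the ones most easily shown in code. The following is an added example, not code from the ITU paper or from Study Group 17: it parses a hypothetical length-prefixed name record (one length byte followed by that many bytes, a format assumed here for illustration) from a network buffer. The unsafe version trusts the length byte and so can read past the packet and write past its 16-byte destination; the safe version checks the declared length against both the bytes actually received and the caller's limit, and reports allocation failure as an explicit result instead of dereferencing NULL. The function names, the `parse_result` codes and the swappable allocator are all inventions of this example, used so the out-of-memory path can be exercised without real memory pressure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed-size name field used by the unsafe parser. */
#define MAX_NAME 16

/* Hypothetical wire format, assumed for this example: one length byte
 * followed by that many bytes of name. Nothing here is ITU code. */

/* Unsafe version: trusts the length byte. A record claiming 200 bytes
 * overruns the 16-byte destination, and a short packet is read past its
 * end. Shown only for contrast; it is never called on such input here. */
void parse_name_unsafe(const uint8_t *buf, char name_out[MAX_NAME])
{
    size_t declared = buf[0];
    memcpy(name_out, buf + 1, declared); /* no bound on declared */
    name_out[declared] = '\0';
}

/* Explicit outcomes so that every failure path is visible to the caller. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1, /* declared length exceeds bytes actually received */
    PARSE_TOO_LONG = -2,  /* declared length exceeds what we will accept */
    PARSE_NOMEM = -3      /* allocation failed */
};

/* Allocator indirection so the out-of-memory path can be exercised. */
static void *(*alloc_fn)(size_t) = malloc;
void use_allocator(void *(*fn)(size_t)) { alloc_fn = fn ? fn : malloc; }
void *failing_malloc(size_t n) { (void)n; return NULL; }

/* Safe version: checks the declared length against both the input that is
 * actually present and the caller's limit, and reports allocation failure
 * instead of dereferencing NULL. On PARSE_OK, *out is a NUL-terminated heap
 * string the caller frees; on any error *out is NULL. */
int parse_name_safe(const uint8_t *buf, size_t buf_len, size_t max_name, char **out)
{
    *out = NULL;
    if (buf == NULL || buf_len < 1)
        return PARSE_TRUNCATED;
    size_t declared = buf[0];
    if (declared > buf_len - 1)       /* would read beyond the packet */
        return PARSE_TRUNCATED;
    if (declared > max_name)          /* would exceed the destination we allow */
        return PARSE_TOO_LONG;
    char *name = alloc_fn(declared + 1);
    if (name == NULL)                 /* resource allocation error handled */
        return PARSE_NOMEM;
    memcpy(name, buf + 1, declared);
    name[declared] = '\0';
    *out = name;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample records (not captured traffic). */
    const uint8_t good[] = {5, 'a', 'l', 'i', 'c', 'e'};
    const uint8_t short_pkt[] = {9, 'a', 'b'};   /* claims 9 bytes, carries 2 */
    uint8_t oversized[1 + 40];
    oversized[0] = 40;                           /* more than MAX_NAME */
    memset(oversized + 1, 'x', 40);

    char *name = NULL;
    int rc = parse_name_safe(good, sizeof good, MAX_NAME, &name);
    printf("good:      %d (%s)\n", rc, name ? name : "-");
    free(name);
    printf("short:     %d\n", parse_name_safe(short_pkt, sizeof short_pkt, MAX_NAME, &name));
    printf("oversized: %d\n", parse_name_safe(oversized, sizeof oversized, MAX_NAME, &name));
    use_allocator(failing_malloc);
    printf("no memory: %d\n", parse_name_safe(good, sizeof good, MAX_NAME, &name));
    use_allocator(NULL);
    return 0;
}
```

The point of the safe version is that the check order matters: the declared length is compared against the received byte count before anything is read, against the capacity limit before anything is allocated, and the allocation result is tested before anything is written, so none of the three operations the list warns about can fault.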

Read the entire paper.

During testing, I’d also run some vulnerability scanners and fuzzers against the application. After implementation, I’d do the same at least once a month for 6 months to catch any issues that might surface as the developers inevitably tweak the application based on feedback. All those changes should go through the same rigorous testing and change management procedures, but they often don’t, not when business pressure is applied.

More information on Study Group 17.
