KNOW YOURSELF – SECURE CODING
The purpose of the Secure Coding class was to introduce the topic of secure software development and illustrate what developers could do to find and fix weaknesses in their current code and prevent weaknesses in the future. While this topic has been around for more than a decade and there are volumes of information available, developers have not been trained in this topic in their undergraduate programs and do not know how to use this information or even that it exists.
The introduction to the class highlighted the significant amount of open-source and Department of Defense (DoD) information on secure coding. It delved deeper into the resources by presenting the Common Weakness Enumeration (CWE) and its Top 25 security issues, the Open Web Application Security Project (OWASP) and its Top 10 issues, the Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD) and the Common Attack Pattern Enumeration and Classification (CAPEC). The CAPEC is a classification of common attacks and helps identify risks to a system (what an attacker would do). To better familiarize the developers with this large body of knowledge, the discussion covered the purpose of each resource, the differences between them, how they all fit together and how they could help developers. Additional resources were mentioned, such as the State of the Art Report (SOAR) on Software Security Assurance, CERT Coding Standards, and the body of work the Department of Homeland Security (DHS) has produced in the Software Assurance Pocket Guide Series. Finally, the introduction set the context for the class. The class would cover the top 27 CWEs that developers needed to know and understand. The CWEs are hosted by the MITRE Corporation and cosponsored by DHS.
Setup – Insecure Bank & Common Weakness Enumeration
During the class, the CWEs were presented in the single context of a fictitious banking application with various functionality modules similar to the ones that developers may code themselves. Each module (e.g., Create user or Account summary) would exhibit two to four CWEs, detailing how the weaknesses could be leveraged by an attacker in that area and how developers could securely code that function. The bulk of the class went through each of the 27 CWEs, each presented in its own vignette. For each CWE, eight items were discussed to cover the topic fully. This structure and the discussion items are depicted in Figure 2. As an example, a subset of the vignette on CWE-120, Buffer Overflow, is shown in Figure 3.
Figure 2: Class Presentation Structure and Discussion Items to Support the Top 27 CWEs
Figure 3: Subset of the CWE-120 Buffer Overflow Vignette
The idea was to break up the volume of knowledge into easily understandable pieces that applied to functions with which developers were already familiar. Additionally, maintaining a single banking application context for all of the CWEs kept the focus on the coding issues rather than on the details of the underlying training applications. This setup would also provide an easy conceptual reference for the future when the developers wanted to review the information.
The class also covered other topics. Common terms such as dynamic testing and privilege escalation were discussed, as was the difference between a weakness, a vulnerability and an exploit. Web programming basics were also covered. While only three of the twenty-seven CWEs were solely for web applications, these basics would support other essential topics, such as client-server paradigms, when their respective security issues were discussed. Finally, different automated static source code analysis tools were also mentioned.
Secure Coding – Summary & Take Away Message
A summary included the important concepts the developers should take away from the class (Figure 4). The class was highly interactive to support the activities and questions from the students. The class covered over 650 slides in two days. However, the students were actively engaged by the structure of the class and remained interested throughout, which is a significant success on its own. At the end of class, a handout of references and topics was given to the students as a takeaway. This class is essential for software developers as it introduces the subject of secure coding, widens their aperture and instills ownership to ensure code, applications and systems are developed securely.
Figure 4: Summary of Important Secure Coding Concepts