It is important to train software developers as a part of your security awareness program on the complexities of data storage requirements for Personally Identifiable information (PII) that is required by GDPR, PCI DSS, and many other security regulations. Security awareness programs for engineers should educate about best practices for encrypting data and anonymizing it so it follows compliance standards for storage. If the end-user requests their data or wants it removed from the system, the engineer has to know the best practices for coding this feature. Developers must update their code and code dependencies regularly to avoid an application vulnerability. Security awareness training will explain why this is important and provide useful information on how to do this.
This is a recent example of poor coding practices and how it can impact the organizations they supporting.
Here are 7 reasons why secure coding practices should be apart of your security awareness campaign.
Reason #1 - Code Repository Security
It is poor practice for developers to commit secrets and credentials into their remote repositories. Many times developers unintentionally check in keys into a repository because the keys are embedded in code or the key store is not explicitly set for ignore in the repository. Developers must never store secret keys and logins in their codes because malicious users can leverage such information to gain access to resources such as third-party accounts or deployment environments. In 2019 and 2020, malicious users scanned public Github repositories for public keys and held hundreds of projects for ransom.
Fortunately, secret scanning capabilities can detect secret keys and credentials and inform you before anyone accesses them. Check out this tutorial to learn more about how to set up secret detection for Github and Gitlab.
Reason #2 - Password Management in Code
Although this may seem like basic knowledge for things not to do, it is common for developers to store passwords in source code. Such passwords can be easily accessed by attackers who exploit the deployment environment and pose serious application security risks.
One notable cybersecurity incident that resulted from storing passwords in the source code is the Mirai malware in 2016. This malware scanned the Telnet service on Linux-Based IoT boxes for hard-coded passwords, then used them in a brute force attack and compromised more than 400,000 devices without their owner’s knowledge. Another notable breach is the Uber breach resulting in the leaking information of 57 million customers and more than 600,000 drivers. There are source code security analysis tools like Bandit that helps developer void leaving passwords hard-coded. Check out this tutorial to learn how to scan your source code.
Reason #3 - Dependency Security
It is estimated that eighty percent of the code in today’s applications come from open source libraries and frameworks. What is more, approximately 27% of libraries available in the internet have well known and publicly disclosed vulnerabilities.
What is worrying, most organizations and individual developers continue to use the libraries in their code without addressing the vulnerabilities. Using a vulnerable library can allow malicious actors to access confidential data, perform transactions, and in some cases gain full control of an application.
As such, developers must be careful with the libraries they use in their code. Learn more about scanning your dependancies for security vulnerabilities.
Reason #4 - Container Security
Having vulnerabilities in your container image can cost your company millions of dollars in fines, lost productivity, and sales. Having a well-maintained container image prevents issues from deployment and prevents customer data from being leaked. Containerizing applications have grown worldwide and will continue to grow in the next decade. Many bad actors will try and take advantage of those unaware of container image vulnerabilities.
Reason #5 - Web Page Security
An exposed secret key can cause many unfortunate events. For example, if your secret key is exposed, strangers are able to make any API call they wish. This includes having the ability to leak sensitive information, overload your database with post requests, and delete something from your database.
Check out this tutorial to learn the importance of web page security.
Reason #6 - DDoS Mitigation & Network Security
Distributed Denial-of-Service attacks are a major concern on internet today. It is also evolving in recent years. Attacks are becoming more frequent and complex. Businesses of all sizes, financial institutions, organizations, governments, etc. are all potential targets of DDoS attacks. It is very necessary to adopt anti-DDoS practices and learn about other web security concerns.
Check out this tutorial to learn the importance of DDoS Mitigation steps.
Reason #7 - OAuth Security
Misconfigured authorization servers are prone to URL redirect attacks due to ambiguity in the way the OAuth standard is designed to handle pattern matching. Bad actors are known to attack authorization servers that lack adequate URL redirect validation allowing the hackers to steal access tokens as well as breaking client identification or authentication.
It is of the utmost importance that you configure your authorization servers so that redirects are properly validated in order to prevent tokens from being sent to servers owned by bad actors.
Check out this tutorial to learn the importance of OAuth Security.
Want to Learn More about our Cybersecurity API?
HacWare makes it stupid easy for software developers to launch next generation cybersecurity education programs to combat phishing attacks with a few lines of code. To learn more about our powerful security awareness API and developer program, click here to apply .
Learn more about HacWare at hacware.com. If you are a Managed Security Service provider (MSSP) or IT professional, we would love to automate your security education services, click here to learn more about our partner program.