CybersecPatrol

Cutting-Edge AI-powered Cybersecurity Solution by CyberSecPatrol.

Secure Coding – Input Validation and Secure Software Development

December 18, 2024 - Secure Coding

Today, businesses and organizations are becoming increasingly dependent on software and computer systems. As a result, the release of secure applications has become a top priority for developers. The good news is that by writing better and more secure source code, many potential abuses and attacks can be prevented.

rm -rf /

What is Secure Coding?

Today, businesses and organizations are becoming more and more reliant on software and computer systems, so the release of secure applications has become a primary focus for developers. The good news is that by writing better and more secure source code, many potential abuses and attacks can be prevented.

Secure coding refers to the design principles of writing code using optimal security practices. These principles protect the released code from known, unknown, and unexpected vulnerabilities, such as security exploits.

Familiarity with security threats and addressing them at the source code level is one of the critical layers of security in the secure software development lifecycle. Neglecting this can have irreversible consequences for any organization or business that depends on software and computer systems.

Why Do We Need Secure Coding?

A significant portion of the attacks that have occurred in recent years, leading to data breaches or damage to software itself, stem from incorrect security configurations at the code level and the failure to adhere to secure coding practices. Insecure code in critical industries (such as finance, healthcare, energy, and transportation) can lead to financial losses, market manipulation, theft, or even physical harm. On the other hand, for companies that offer services to consumers or other businesses, customer trust is highly valuable, and losing that trust can impact their bottom line. Therefore, ensuring secure coding practices should be a primary concern for these organizations.

Secure Coding Techniques

When it comes to secure coding practices and security in general, it’s essential to keep the process as simple as possible (KISS – Keep It Simple, Stupid). Complex procedures can lead to contradictory results or, worse, might cause essential principles and considerations to be overlooked.

In this article, and in future articles of this secure coding series, we aim to review the most common coding mistakes that introduce vulnerabilities into software and the optimal ways to avoid these mistakes.

Given our approach, which is focused on addressing the maximum number of existing vulnerabilities in the security landscape, we will examine the vulnerabilities highlighted in OWASP Top 10, which covers the most common security threats. Therefore, it makes for a good starting point.

Input Validation

One of the basic principles of software security is input validation. Verifying that the values provided to the program conform to the expected type or format greatly reduces the attack surface.

One common mistake in input validation is using block lists for validation. For example, a program might block known characters or symbols that are commonly used in attacks. The weakness of this approach is that some symbols may be overlooked.

Consider the following code:

java

Copy code

String updateServer = request.getParameter(“updateServer”);

if(updateServer.indexOf(“;”) == -1 && updateServer.indexOf(“&”) == -1) {

String[] commandArgs = {

Util.isWindows() ? “cmd” : “/bin/sh”,

“-c”, “ping”, updateServer

};

Process p = Runtime.getRuntime().exec(commandArgs);

}

In this example, although validation is performed, the code is still vulnerable to command injection (rm -rf /).

In contrast, the following code specifies allowed inputs and only accepts those:

java

Copy code

String updateServer = request.getParameter(“updateServer”);

if(ValidationUtils.isAlphanumericOrAllowed(updateServer, ‘-‘, ‘_’, ‘.’)) {

String[] commandArgs = {

Util.isWindows() ? “cmd” : “/bin/sh”,

“-c”, “ping”, updateServer

};

Process p = Runtime.getRuntime().exec(commandArgs);

}

Summary

You can use the following methods to secure your input validation:

  • Validate data using specific sequences (such as data type, range, input length, and allowed characters).
  • Check based on valid inputs rather than invalid inputs.
  • Ensure that request/response values contain only ASCII characters.