Secure coding practices and OWASP Top 10

Unit III

P.SRILATHA
Sr.Assistant Professor
Dept.of Computer Science and Engineering
Aditya University
 Course Contents

Unit – III Secure coding practices and OWASP Top 10:

Declarative Security, Programmatic Security, Concurrency,
Configuration, Cryptography, Input and Output Sanitization, Error
Handling, Input Validation, Logging and auditing, Session Management,
Exception Management, Safe APIs, Type Safety, Memory Management,
Tokenizing, Sandboxing, Static and dynamic testing, vulnerability
scanning and penetration testing.

14/11/2024 Course Name Faculty Name, Designation, Dept. 2

 Importance of secure coding practices:
• Secure coding practices are essential for building robust and resilient
software applications.
• By incorporating security considerations into the development
process, developers can mitigate potential vulnerabilities and protect
against malicious attacks.
• Secure coding helps safeguard sensitive data, ensures the integrity of
the system, and promotes trust among users.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

3
 Overview of OWASP (Open Web Application Security Project):
• OWASP is a globally recognized nonprofit organization focused on
improving software security.
• It provides valuable resources, tools, and knowledge to help
developers build secure applications.
• OWASP offers the OWASP Top 10, a regularly updated list of the most
critical security risks faced by web applications.
• The OWASP Top 10 serves as a guide to prioritize security efforts and
address common vulnerabilities effectively.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

4
 Declarative Security
Definition and examples:
• Declarative security involves specifying security requirements and
policies using high-level, declarative statements rather than
implementing security measures directly in the code.
• It allows developers to express security constraints and rules in a
more concise and understandable manner.
• Declarative security can be applied to various aspects of an
application, including access control, data validation, and resource
protection.
14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE
5
 Examples of declarative security
1. Role-based Access Control (RBAC):
• Defining roles and permissions using configuration files or
annotations, and associating them with specific functionalities or
resources in the application.
2. Data Validation Rules: Specifying validation rules for input data using
declarative statements, such as regular expressions or predefined
constraints, which can be enforced automatically.
3. Resource Protection: Configuring security policies to control access
to resources, such as files, databases, or APIs, by defining declarative
access rules based on user roles or privileges.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

6
 Programmatic Security
Definition and examples:
• Programmatic security involves implementing security measures
within the application's code logic.
• It requires developers to write code that enforces security controls,
handles authentication and authorization, validates inputs, and
protects against common vulnerabilities.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

7
 Examples of programmatic security practices include:

1. Authentication and Authorization: Implementing secure login

mechanisms, password hashing, and role-based access control (RBAC)
to ensure that only authorized users can access protected resources.
2. Input Validation: Validating and sanitizing user inputs to prevent
security vulnerabilities such as SQL injection, cross-site scripting (XSS),
or command injection.
3. Secure Communication: Implementing secure communication
protocols (e.g., HTTPS) to protect sensitive data during transmission
and prevent man-in-the-middle attacks.
14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE
8
 Comparision between Declarative & Programmatic Security
Aspect Declarative Security Programmatic Security
Definition Security constraints are defined Security is enforced through
using configuration files or explicit coding, with checks
annotations, without direct embedded within the application's
coding. codebase.
Through metadata such as XML Using security APIs or frameworks
Implementation files, annotations (e.g., to perform security checks in the
@RolesAllowed in Java EE). code.

Separation of Concerns: Keeps - High Flexibility: Supports

security separate from business dynamic and complex security
logic. logic.
Advantages - Centralized Management: Easy - Fine-Grained Control: Complete
to update policies in one place. control over security enforcement.
- Consistency: Uniform application
of security rules.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

9
 Aspect Declarative Security Programmatic Security

- More Complex: Adds complexity

Limited Flexibility: Less suited for to the codebase.
dynamic or complex security needs. - Higher Risk of Errors: Increased
Disadvantages
- Less Control: Managed by the chance of bugs in security logic.
framework, not the developer. - Maintenance Overhead: Changes
require code modifications.

Flexibility Low to Medium High

Limited (managed by the

Control High (managed by the developer)
framework or server)

Easier to maintain due to More challenging to maintain due

Maintenance
centralized configuration. to embedded security logic.

14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE

10
 Concurrency
• Importance of secure coding in concurrent programming: Concurrent
programming involves the execution of multiple tasks or processes
simultaneously.
• Secure coding in concurrent environments is crucial to prevent race
conditions, data corruption, and unauthorized access to shared resources.
Techniques for secure concurrent programming include:
1. Synchronization: Using synchronization mechanisms such as locks,
semaphores, or monitors to control access to shared resources and
prevent data corruption.
2. Thread Safety: Designing thread-safe data structures and algorithms to
ensure that concurrent access does not result in unexpected behavior or
security vulnerabilities.
14/11/2024 Secure Coding Techniques P.Srilatha, Sr.Assistant Professor, CSE
11
 Thank You

14/11/2024 Course Name Faculty Name, Designation, Dept. 12