In this article we look at IT Security and at how secure coding practices can be applied to enforce it. Before we can talk about secure coding, we need to understand what IT Security means and what it covers.
Information Technology (IT) Security
IT Security refers to the protection of information assets and sensitive data from unauthorized access, data breaches, and tampering by internal or external attackers.
IT Security covers all Information Technology assets, including databases, software applications, and servers. Its main objective is to maintain Confidentiality, Integrity, and Availability (the C.I.A. triad).
IT Security Threats
Today the business world has turned dramatically to Information Technology: most business activities, from meetings to file sharing, are now carried out electronically. This sudden shift has brought about the Internet of Things (IoT), and with it comes a bundle of risks to organizational data. Today's businesses have to find ways to mitigate the risk factors listed below:
- Data Breach
- Virus Attacks
- Spyware
- Ransomware
- Hacking
- Networking attacks
- Insider Threats
- Cloud abuse
- Single Factor Passwords
- Shadow IT
It is not a coincidence that these threats arise now. Some of them already existed, while others have evolved or emerged with the current changes.
Types of IT Security
Network security
This refers to the protection of hardware and software devices operating on a network from unauthorized access and misuse, creating a safe platform on which users can share data and perform their duties without fear of losing or exposing sensitive data. It includes measures such as two-factor authentication and end-to-end encryption using protocols such as Transport Layer Security (TLS).
Internet Security
This type of security deals with protecting users on the Internet from attacks such as malware, DDoS, and spyware. Firewalls and anti-spyware/anti-malware software may be used to implement safe Internet browsing in organizations.
Cloud Security
This is concerned with protecting data stored on online computing platforms from breach, leakage, theft, or any other type of manipulation. Cloud-based Unified Threat Management (UTM) may be used to secure cloud platforms.
Endpoint Security
This type of security ensures that organizational devices do not connect to harmful networks that could compromise them.
Application Security
This level of security entails applying security measures to all software applications in use within the organization. It involves scanning every application for vulnerabilities so that the organization can mitigate the exposed weaknesses before the application is deployed for public use.
Secure coding
Before we look at the attributes of secure coding, it is important to note that there is a clear difference between the goals of a system developer and those of an attacker. Developers are concerned with what the application is intended to do, i.e. the requirements specification: they design an application to meet the documented requirements and use cases. The attacker, on the other hand, is concerned with what the application can be diverted to do, and works on the principle that 'any action not specifically denied is allowed'. This realization means that additional aspects need to be added to the stages of the software lifecycle, namely security requirements and possible abuse cases.
Input Validation
All data should be validated, especially input data from users. Input should be constrained to a specified length and type. It should also be checked for newline characters (%0d, %0a, \r, \n) and null bytes (%00), as these can be abused in attacks.
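As an added example (not code from the original article), here is a Python validator that applies the checks above: type, maximum length, an allow-list pattern, and rejection of newline and null bytes whether they arrive raw or percent-encoded. It goes slightly beyond the text by decoding repeatedly so double-encoded forms are caught as well; the username rule and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters the article singles out: CR, LF and NUL.
# Added example code, not from the original article.
FORBIDDEN = {"\r", "\n", "\x00"}

class ValidationError(ValueError):
    """Raised when a user-supplied value fails a check."""

def validate_field(value, max_length, pattern, decode_percent=True):
    """Validate one user-supplied string field; return its decoded form.
    Checks, in order: type, newline/null bytes (raw or percent-encoded),
    maximum length, and an allow-list regular expression.
    """
    if not isinstance(value, str):
        raise ValidationError("expected a string")
    decoded = value
    if decode_percent:
        # Decode repeatedly so double-encoded forms such as %250a
        # (-> %0a -> LF) cannot slip past the check below.
        for _ in range(3):
            nxt = unquote(decoded)
            if nxt == decoded:
                break
            decoded = nxt
    if any(ch in decoded for ch in FORBIDDEN):
        raise ValidationError("newline or null byte not allowed")
    if len(decoded) > max_length:
        raise ValidationError("value exceeds %d characters" % max_length)
    if not re.fullmatch(pattern, decoded):
        raise ValidationError("value contains disallowed characters")
    return decoded

# Hypothetical rule for a username field: at most 32 chars, allow-listed set.
USERNAME_RULE = (32, r"[A-Za-z0-9_.-]+")

def is_valid_username(value):
    """Return True/False instead of raising, for callers that only branch."""
    try:
        validate_field(value, *USERNAME_RULE)
        return True
    except ValidationError:
        return False

if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest malformed.
    for sample in ["alice", "al%0dice", "bob\x00", "carol%250aX", "x" * 40]:
        print(repr(sample), is_valid_username(sample))
```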
Authentication and Password Management
Proper authentication should be implemented at the page level and for all application resources that are meant to be private. Do not store plaintext passwords in the database; store hashed passwords instead. The organization should also adopt a password policy that ensures everyone has a strong password: at least 10 characters, containing upper- and lower-case letters and at least one special character.
Session Management
Ensure that sessions are managed securely. Secure sessions have a defined lifetime, and session tokens are regenerated each time a user logs out and logs in again. Developers should not rely on the default session IDs; they should replace the defaults with something unique that does not reveal details of the application's back end, and set session cookies with the HttpOnly attribute.
Error Handling and Logging
The application must not give out sensitive information in error responses.