WHAT DEVELOPERS DON'T KNOW ABOUT SECURITY (BUT SHOULD)

WHAT YOU DON'T KNOW ABOUT SECURITY CAN HURT YOU

Application security is no longer a nice-to-have. Your organization might be looking to adopt a DevOps methodology to put operational and non-functional requirements into your development process. Even if you're not yet using a DevOps process, security must be addressed earlier in development, to keep security from becoming a gate. Development must become secure development. DevOps needs to become DevSecOps.

From the individual developer's point of view, that means security is becoming a job requirement. This guide will help you build your knowledge of the most common application security risks and how to prevent them. Plus, we'll point you to additional resources for a deeper dive into the security issues we discuss here.

Let's get started!

CONTENTS

5 Application Risks and How to Prevent Them
• SQL Injection
• Cross-Site Scripting
• Insecure Crypto
• Weak Access Controls and Credentials Management
• Vulnerable Open Source Components

3 Foundations of Secure Code
• Technology
• Processes
• Security Training and Skills Development

Where to Go Next
5 APPLICATION RISKS AND HOW TO PREVENT THEM

Application-layer attacks have emerged as the number one source of confirmed breaches, according to Verizon, and the stakes are rising.

The WannaCry ransomware attack in May 2017 affected 300,000 computers in 150 countries. Hospital systems across the UK were shut down, which negatively impacted patient care. Six weeks after WannaCry, a global cyberattack by destructive malware known as NotPetya (initially mistaken for the Petya ransomware) paralyzed thousands of organizations, including hospitals, governments, utilities, and banks, from Ukraine to Europe, Asia, the UK, and the United States.

Even if a vulnerability doesn't lead to a worldwide cataclysm, an attacker exploiting your application is not going to help your career. Let's look at five of the most common, and most serious, application vulnerabilities, their risks, and how to prevent them.

What Developers Don’t Know About Security (But Should) | 3


SQL Injection

VULNERABILITY
SQL injection (SQLi) weaknesses occur when an application uses untrusted input data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query, an attacker can include their own SQL commands, which the database will execute.

RISKS
SQL injection is an OWASP Top 10 application risk. Attackers can use SQL injection to access or delete data, change an application's data-driven behavior, and do other undesirable things.

PREVENTION AND REMEDIATION
Use parameterized queries. This type of query specifies placeholders for parameters, so that the database will always treat them as data, rather than part of a SQL command. Prepared statements and object relational mappers make this easy for developers.

Where prepared statements are unavailable, remediate SQLi vulnerabilities by escaping inputs before adding them to the query. Escaping is a fallback, not a substitute: it must match the quoting rules of the specific database exactly. Identifiers such as table or column names, and the column in an ORDER BY clause, cannot be passed as parameters at all; validate those against an allowlist of known-good values.

U.S. PRESIDENTIAL ELECTION
Ahead of the 2016 U.S. presidential election, nation state-sponsored attackers used SQL injection to compromise voter records databases in at least two states, potentially allowing the attackers to delete voter registration data and disrupt voting.

Resource: SQL Injection Example Cheat Sheet

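The following is an added example, not code from the guide or from any of the products it mentions. It puts the vulnerable string-built query next to the parameterized version and the escaping fallback, using Python's built-in sqlite3 driver so it runs offline; the users table, its two accounts, and the injection payloads are constructed for the demo.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data for the demo; the users and passwords are invented.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string formatting, so user input becomes SQL text.
    Deliberately vulnerable; kept only to show what the payloads below do."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with '?' placeholders: the driver binds input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def escape_literal(value: str) -> str:
    """Fallback for drivers without placeholders: double every single quote and wrap
    the result in quotes. Correct for SQLite/ANSI string literals only; other
    databases (and other literal types) have their own quoting rules."""
    return "'" + value.replace("'", "''") + "'"


def login_escaped(conn: sqlite3.Connection, username: str, password: str) -> bool:
    query = "SELECT COUNT(*) FROM users WHERE username = %s AND password = %s" % (
        escape_literal(username), escape_literal(password))
    return conn.execute(query).fetchone()[0] > 0


ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list[str]:
    """Identifiers cannot be bound as parameters, so allowlist them instead."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology: makes the WHERE clause always true
    print("vulnerable   :", login_vulnerable(db, "alice", payload))     # True
    print("parameterized:", login_parameterized(db, "alice", payload))  # False
    print("escaped      :", login_escaped(db, "alice", payload))        # False
```

With the vulnerable function, the payload `' OR '1'='1` and the comment payload `alice'--` both log in without a password; the parameterized and escaped variants treat the same strings as literal values and reject them.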


Cross-Site Scripting

VULNERABILITY
Cross-site scripting (XSS) vulnerabilities occur when web applications don't validate and sanitize user input, and lack proper encoding for the output. An attacker can exploit XSS vulnerabilities to inject malicious script into a vulnerable webpage using HTML or JavaScript.

RISKS
Cross-site scripting can be used to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and scan and exploit intranet appliances and applications.

PREVENTION AND REMEDIATION
Always sanitize input from search fields and forms, and convert user input to a single character encoding before parsing.

Make sure all data is validated, filtered, or escaped before it is sent back to the user, such as the values of query parameters in searches. Output encoding is the control that actually stops XSS; input validation alone is not enough, because the same value may be rendered in several places.

Use the appropriate escaping method for the application's context. HTML encode all user input returned as part of HTML. URL encode all user input returned as part of URLs. Convert special characters and spaces to their respective HTML or URL encoded equivalents. A value placed inside a script block or an unquoted attribute needs its own context-specific encoder; HTML entity encoding does not protect those contexts.

EBAY
In 2014, and again in 2017, cybercriminals exploited a persistent XSS vulnerability in the eBay website to embed malicious JavaScript in legitimate listings, redirecting visitors to spoofed eBay login pages.

Resource: Cross-Site Scripting Example Cheat Sheet

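An added example (not from the guide) of the context-specific encoding described above, in Python using only the standard library. It reflects one search term into three contexts, an HTML text node, a URL in an href attribute, and a JavaScript string inside a script block, first unencoded and then encoded per context. The page template and the payloads are constructed for the demo; the encoder names are this example's own.

```python
import html
import json
from urllib.parse import quote


def html_encode(value: str) -> str:
    """For HTML text nodes and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)


def url_encode(value: str) -> str:
    """For one query-string value: everything except unreserved characters becomes %XX."""
    return quote(value, safe="")


def js_string_literal(value: str) -> str:
    """For a value embedded inside a <script> block: emit a JSON string literal and
    additionally escape < > & so a payload cannot close the script element early."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_search_vulnerable(term: str) -> str:
    """Reflects the term unencoded into all three contexts. Deliberately vulnerable."""
    return (f"<p>Results for {term}</p>"
            f'<a href="/search?q={term}">Search again</a>'
            f"<script>var lastSearch = '{term}';</script>")


def render_search_safe(term: str) -> str:
    """Encodes each copy of the term for the context it lands in. The href value is
    URL-encoded first and then HTML-encoded, because it sits inside an HTML attribute
    that the browser decodes before it parses the URL."""
    return (f"<p>Results for {html_encode(term)}</p>"
            f'<a href="/search?q={html_encode(url_encode(term))}">Search again</a>'
            f"<script>var lastSearch = {js_string_literal(term)};</script>")


if __name__ == "__main__":
    payload = "</script><script>alert(1)</script>"   # constructed test payload
    print(render_search_vulnerable(payload))
    print(render_search_safe(payload))
```

In the safe rendering the only `<script>` and `</script>` tags left are the template's own; the attribute-breakout payload `" onmouseover="alert(1)` is likewise neutralized in every context.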


Insecure Crypto

VULNERABILITY
Encryption technologies are one of the essential elements of any secure computing environment. However, coding secure crypto can be difficult due to the number of parameters that you need to configure. Even a tiny misconfiguration, such as a reused nonce, a predictable random number source, or an unauthenticated mode, can leave an entire crypto-system open to attack.

RISKS
Insecure crypto can expose, corrupt, or destroy data, including some of your most sensitive information (e.g., personally identifiable information such as Social Security numbers, or bank or credit card details).

PREVENTION AND REMEDIATION
Use security-focused open source libraries to introduce security controls into your application, including the OWASP Enterprise Security API and OWASP Java Encoder Project.

Most modern languages have implemented crypto libraries and modules, so choose one based on your application's language, prefer its high-level, misuse-resistant APIs, and generate keys, nonces, and tokens only from its cryptographically secure random number generator.

Remember, crypto is hard! Do not be tempted to implement your own homegrown libraries if you can leverage one of the libraries noted above.

SONY
In 2010, hackers revealed that it was possible to steal the private key used by Sony to sign software for the PlayStation 3, because of an improperly configured random number generator (RNG): the per-signature random value that ECDSA requires to be fresh was a constant, and two signatures made with the same value are enough to recover the signing key.

Resource: How to Use Java Encryption Securely

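The Sony case above is a random value that was not random. The added example below (not from the guide) shows the neighbouring mistake that is far more common in application code: generating security tokens from a general-purpose PRNG. Python's `random` module is MT19937, whose 624-word state is fully revealed by 624 consecutive 32-bit outputs; the code rebuilds the generator from those outputs and predicts every later token, then shows the `secrets` module as the fix. The "server" that leaks tokens is simulated in-process; nothing here is specific to the PlayStation 3 signing bug.

```python
from __future__ import annotations

import random
import secrets

MT_STATE_WORDS = 624  # MT19937 keeps 624 words of state; 624 outputs reveal all of it


def untemper(y: int) -> int:
    """Undo the Mersenne Twister output tempering to recover the raw state word."""
    y ^= y >> 18                              # inverts  y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000               # inverts  y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                        # inverts  y ^= (y << 7) & 0x9D2C5680
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(2):                        # inverts  y ^= y >> 11
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_generator(observed: list[int]) -> random.Random:
    """Rebuild a random.Random in the same state as the one that produced `observed`."""
    if len(observed) != MT_STATE_WORDS:
        raise ValueError(f"need exactly {MT_STATE_WORDS} consecutive 32-bit outputs")
    state = tuple(untemper(v) for v in observed) + (MT_STATE_WORDS,)
    clone = random.Random()
    clone.setstate((3, state, None))          # version-3 state: (624 words, index)
    return clone


def prediction_attack(count: int = 5) -> tuple[list[int], list[int]]:
    """Simulate a server issuing tokens from random.getrandbits(32) (constructed scenario).
    Returns (attacker's predictions, tokens the server actually issued next)."""
    server_rng = random.Random()              # seeded from the OS, but still MT19937
    leaked = [server_rng.getrandbits(32) for _ in range(MT_STATE_WORDS)]
    clone = clone_generator(leaked)
    predicted = [clone.getrandbits(32) for _ in range(count)]
    actual = [server_rng.getrandbits(32) for _ in range(count)]
    return predicted, actual


def untemper_matches_state(seed: int) -> bool:
    """Self-check: untempering the first output recovers state word 0."""
    rng = random.Random(seed)
    first = rng.getrandbits(32)
    return untemper(first) == rng.getstate()[1][0]


def secure_token() -> str:
    """What to use instead: the secrets module draws from the OS CSPRNG."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    predicted, actual = prediction_attack()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("attack works:", predicted == actual)     # True
    print("secure token:", secure_token())
```

The attack needs no seed and no timing information, only the outputs the application already hands out. Any library that documents its generator as "not suitable for security purposes" (Python's `random`, Java's `java.util.Random`, C's `rand()`) fails the same way; use the platform's CSPRNG wrapper for anything an attacker must not guess.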


Weak Access Controls and Credentials Management

VULNERABILITY
Weak access controls include a poor password policy, such as a lack of two-factor authentication or account lockout after a series of failed password entries. Failure to enforce the principle of least privilege gives users more access than they need, opening up more security risks. Poor credentials management includes insecure password storage.

RISKS
Attackers can manipulate data and systems, dupe users into loading malware onto the system, or steal personal and confidential data, such as banking information and Social Security numbers. Poor password storage can lead to account takeovers.

PREVENTION AND REMEDIATION
Enforce strong authentication/authorization with two-factor authentication and account lockout after too many failed attempts, and by auditing logins (e.g., IP addresses).

Store passwords only as salted hashes produced by a deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2), never in plain text or reversibly encrypted.

Lock down administrative accounts and controls.

Follow the principle of least privilege. Don't give users more rights than they need. Check authorization on the server for every request; a URL that is merely hard to guess is not an access control.

MOLINA HEALTHCARE
Molina Healthcare was exposing sensitive medical records of its patients by failing to restrict URL access, storing records at locations that anyone could access by changing the URL, without the need for authentication.

Resource: How to Create a Strong Password Policy

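An added example (not from the guide) that implements the controls listed above in one small Python service: salted PBKDF2 password storage with constant-time verification, lockout after too many failures, an audit trail that records the source IP of every attempt, and a per-record ownership check of the kind Molina's URLs lacked. The account, record, and IP addresses are constructed; the class and method names are this example's own. The clock is injectable so the lockout expiry can be tested without waiting.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000     # OWASP's current guidance for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash; the record carries everything needed to verify."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant time


@dataclass
class Account:
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    """Login with lockout, audit trail, and per-record authorization (example only)."""

    def __init__(self, clock=time.time, iterations: int = PBKDF2_ITERATIONS):
        self._clock = clock                      # injectable so tests can advance time
        self._iterations = iterations
        self._accounts: dict[str, Account] = {}
        self._records: dict[str, tuple[str, str]] = {}   # record_id -> (owner, body)
        self._dummy_hash = hash_password(secrets.token_hex(16), iterations)
        self.audit_log: list[tuple[float, str, str, str]] = []

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = Account(hash_password(password, self._iterations))

    def store_record(self, record_id: str, owner: str, body: str) -> None:
        self._records[record_id] = (owner, body)

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Returns "ok", "denied" or "locked"; every outcome is audited with the source IP."""
        now = self._clock()
        account = self._accounts.get(username)
        if account is None:
            verify_password(password, self._dummy_hash)   # same cost as a real check
            return self._audit(now, "denied", username, source_ip)
        if account.locked_until > now:
            return self._audit(now, "locked", username, source_ip)
        if verify_password(password, account.password_hash):
            account.failed_attempts = 0
            return self._audit(now, "ok", username, source_ip)
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.failed_attempts = 0
            account.locked_until = now + LOCKOUT_SECONDS
            return self._audit(now, "locked", username, source_ip)
        return self._audit(now, "denied", username, source_ip)

    def fetch_record(self, username: str, record_id: str) -> str:
        """Ownership is checked on every request; an unguessable URL is not a control."""
        owner, body = self._records[record_id]
        if owner != username:
            raise PermissionError(f"{username} may not read record {record_id}")
        return body

    def _audit(self, now: float, outcome: str, username: str, source_ip: str) -> str:
        self.audit_log.append((now, outcome, username, source_ip))
        return outcome
```

Unknown usernames still pay for a hash comparison so that response time does not reveal which accounts exist, and a correct password submitted during the lockout window is refused like any other attempt.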


Vulnerable Open Source Components

VULNERABILITY
Open source components speed development cycles by providing ready-made code. But open source (and commercial, third-party) components come with risks. They may not have had the same level of scrutiny as code developed in-house. Pinpointing the location of all containers, components, and libraries may delay discovery of vulnerabilities.

RISKS
Open source code presents all the same risks as code developed in-house, but it can be much more difficult to maintain visibility into what components you're using and where. This can lead to the presence of vulnerabilities in components that remain hidden for a long time.

PREVENTION AND REMEDIATION
Keep an up-to-date inventory of all the components you use in your applications, so vulnerability managers can update components to secure versions when new vulnerabilities are disclosed. The inventory must include transitive dependencies: a library you never declared directly can still be on the classpath, and it is exactly the one nobody remembers to patch.

Automated software composition analysis makes inventory updates easy by collecting information about your application's open source components at the same time static analysis is conducted.

CANADA REVENUE AGENCY
In March 2017, attackers exploited a critical code injection vulnerability in the Apache Struts 2 library to gain unfettered access to a web server of the Canada Revenue Agency, putting Canadian taxpayers at risk of identity theft and fraud.

Resource: How to Reduce Risk from Open Source Components

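An added example (not from the guide, and not how any particular SCA product works) of the inventory-and-match step a software composition analysis tool performs: parse a pinned dependency manifest into an inventory, then compare each pinned version against an advisory feed with affected-version ranges. The manifest, the package names, and the advisory IDs are all constructed for this example; they are not real projects or real advisories.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample inputs: package names and advisory IDs are invented for this
# example and do not refer to real projects or real vulnerabilities.
MANIFEST = """\
# pinned dependencies, requirements.txt style (constructed)
netclient==2.4.1
parserkit==1.0.3      # transitive dependency carried into the lockfile
templating==3.2.0
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "parserkit", "1.0.0", "1.0.4"),
    Advisory("ADV-EXAMPLE-002", "netclient", "2.0.0", "2.4.0"),
    Advisory("ADV-EXAMPLE-003", "templating", "3.0.0", "3.2.1"),
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only; tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict[str, str]:
    """Build the inventory: package name -> pinned version, in manifest order."""
    inventory: dict[str, str] = {}
    for line in text.splitlines():
        match = PIN_RE.match(line)          # skips comments, blanks and unpinned lines
        if match:
            inventory[match.group(1).lower()] = match.group(2)
    return inventory


def is_affected(version: str, advisory: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    upgrade_to: str


def audit(inventory: dict[str, str], advisories: list[Advisory]) -> list[Finding]:
    """Cross the inventory with the advisory feed; one finding per matching advisory."""
    findings = []
    for package, version in inventory.items():
        for adv in advisories:
            if adv.package == package and is_affected(version, adv):
                findings.append(Finding(package, version, adv.advisory_id, adv.fixed))
    return findings


if __name__ == "__main__":
    for f in audit(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{f.package}=={f.version} affected by {f.advisory_id}; upgrade to {f.upgrade_to}")
```

Run against the constructed manifest this flags `parserkit` and `templating` and leaves `netclient` alone because its pin is already past the fixed version. The same loop is what you re-run every time the advisory feed changes, which is why the inventory has to be machine-readable rather than a wiki page.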


3 FOUNDATIONS OF SECURE CODE

You simply can't improve the security of your code without the foundations of the right technology suite, organizational processes and culture, and ongoing training to back you up. Let's look at what you need in each of these categories:

• Technology
• Processes
• Security Training and Skills Development



Technology

To prevent security from becoming a hindrance to you, it must be automated and embedded within the development lifecycle. If your security or IT team controls the procurement of AppSec tools, ask them to make those tools freely available for your use. The following AppSec technologies will help you get the job done:

Contextual scanning and remediation guidance as you code will help you deliver the best results, without slowing you down with rework.

Software composition analysis that complements static scanning automatically checks that you're only using secure versions of components.

Developer sandboxes allow you to repeatedly test your code against policy before check-in, without raising alarms to the security team or affecting the compliance of the application in production.

Integrations with the development, build, and ticketing tools you're already using mean you don't have to change environments to open a separate tool (that can be annoying!). Testing tools that integrate with bug tracking tools automatically open tickets in your backlog for new security issues, ensuring that nothing falls through the cracks.

Ask for testing tools with low false positive rates, to avoid unnecessary work.

Infographic: Securing the Software Development Pipeline



Processes

As organizations look to evolve to a more sophisticated DevSecOps approach, you'll need to adjust to a new culture, with changing workflows and processes. You should advocate for processes that ensure you're successful in meeting your security goals, including these:

Security policies based on the organization's acceptable risk need to be clearly defined and communicated. Scanning tools should check policy compliance as part of an automated process.

Peer code reviews and remediation guidance from your internal security experts or security vendors will help you fix what you find, improve your skills, and boost compliance.

Security metrics should be visible enterprise-wide for every stakeholder in the organization. Measuring progress helps you create feedback loops for continuous improvement of code (it helps improve processes, too).

Procedures for dealing with problems ensure security issues don't get left until the end of the process. Create policies around when to escalate issues to the security team.

Listicle: 5 Ways to Find Your AppSec Zen



Security Training and Skills Development

New threats are always emerging, but cyberattackers continue to rely on some tried-and-true methods, such as SQL injection and cross-site scripting. To maintain and extend your security skills, work with security teams to implement the following:

On-demand, video-based courses you can access while you code help you get the job done. Instructor-led training and eLearning courses will build your skills over time.

Peer-led training and events, such as learning lunches, go a long way toward boosting your awareness and security knowledge, and help create a culture of security.

Security champions (this could be you, or another member of the development team with an interest in security) can be the security conscience of your team, bringing a focus to security at every stage of the development lifecycle.

Capture the Flag and Red Team/Blue Team exercises aren't just fun and exciting; they can help find vulnerabilities and build a culture of awareness.

If you're really serious about becoming a security expert, try to participate in internal or third-party bug bounties. The recognition is a reward in itself, but there could also be monetary prizes!

Blog: Learn About Training That Actually Helps



WHERE TO GO NEXT

Security knowledge is becoming a core requirement for developers. Your role is evolving, and you need skills to cover the full spectrum of secure software development from the ground up; you need to understand how your role fits into the broader picture of DevSecOps.

When you invest in your own security knowledge, you'll ultimately boost your value for your company. And maintaining your security skills will bring you rewards, including the respect of your peers and managers, and keep you in demand for the top jobs.

RECOMMENDED RESOURCES

VISIT
• Veracode Application Security Knowledge Base
• OWASP Cheat Sheet Series
• OWASP Top 10 Proactive Controls

READ
• "The Tangled Web: A Guide to Securing Modern Web Applications," by Michal Zalewski
• "Dark Territory: The Secret History of Cyber War," by Fred Kaplan
• "Secure Java: For Web Application Development," by Abhay Bhargav and B. V. Kumar

WATCH
• Understanding Applications in the Security Ecosystem
• The Human Side of DevSecOps: Creating Security Champions



Next in this series: The Developer's Guide to the DevSecOps Galaxy

Learn more at VERACODE.COM