Secure Coding Practice Guidelines

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for application software security requirements.

Requirement

Resource Proprietors and Resource Custodians must ensure that secure coding practices, including security training and reviews, are incorporated into each phase of the software development life cycle.

Description of Risk

Unsafe coding practices result in costly vulnerabilities in application software that leads to the theft of sensitive data.

Recommendations

For applications to be designed and implemented with proper security requirements, secure coding practices and a focus on security risks must be integrated into day-to-day operations and the development processes. Application developers must complete secure coding requirements regardless of the device used for programming.

Application Security Training

A critical first step to develop a secure application is an effective training plan that allows developers to learn important secure coding principles and how they can be applied. Compliance with this control is assessed through Application Security Testing Program (required by MSSEI 6.2), which includes testing for secure coding principles described in OWASP Secure Coding Guidelines:

1. Input Validation
2. Output Encoding
3. Authentication and Password Management (includes secure handling of credentials by external services/scripts)
4. Session Management
5. Access Control
6. Cryptographic Practices
7. Error Handling and Logging
8. Data Protection
9. Communication Security
10. System Configuration
11. Database Security
12. File Management
13. Memory Management
14. General Coding Practices

While OWASP (Open Web Application Security Project) specifically references web applications, the secure coding principles outlined above should be applied to non-web applications as well. Please refer to OWASP Secure Coding Guidelines to see a more detailed description of each secure coding principle. OWASP also runs a Faux Bank demo site that shows the top 10 vulnerabilities along with blog posts explaining the intricacies of each vulnerability.

Listed below are examples of training courses that can be used to gain proficiency in secure coding principles:

• SANS Software Security Training
  • Defending Web Applications Security Essentials (live/online)
  • Secure Coding in Java/JEE (live/online)
  • Secure Coding in .NET (live/online)
  • Secure Coding in C & C++ (live only)
  • Secure Coding in C and C++(live only)

  Alternately, relevant books and reading material can also be used to develop proficiency in secure coding principles, provided that sufficient time is allocated to staff for self-study.

  • Software Security: Building Security In
  • Writing Secure Code (also available to UC Berkeley staff for free on Books 24x7)

  Secure Coding Practices

  Secure coding practices must be incorporated into all life cycle stages of an application development process. The following minimum set of secure coding practices should be implemented when developing and deploying covered applications:

  1. Formalize and document the software development life cycle (SDLC) processes to incorporate a major component of a development process:
     • Requirements
     • Architecture and Design
     • Implementation
     • Testing
     • Deployment
     • Maintenance

  While there is no campus standard or prescriptive model for SDLC methodologies, the resource proprietor and resource custodian should ensure the above major components of a development process are defined in respect to the adopted development methodology, which could be traditional waterfall model, agile or other models.

  1. Integrate secure coding principles into SDLC components by providing a general description of how the secure coding principles are addressed in Architecture and Design documents. If a secure coding principle is not applicable to the project, this should be explicitly documented along with a brief explanation.
     
  2. Perform automated application security testing as part of the overall application testing process. See Relevant Campus Services for details of automated application security testing service offered by ISO.
     
  3. Development and testing environments should redact all sensitive data or use de-identified data.

  Relevant Campus Services

  ISO Application Vulnerability Assessment

  The Information Security Office (ISO) will help you evaluate your web-based application’s security posture by scanning it with an automated application vulnerability scanner and review the scanner findings with a designated representative from your unit. For details of the service, please visit the service overview page.

  Code Review

  (The following links are provided for information and planning purposes. The requirement to conduct code reviews will become effective July 1, 2014, and will not be included in MSSEI assessments prior to that time.)

  Additional Resources

  • OWASP Development Guide
  • OWASP Faux Bank Project
  • CERT Secure Coding Resources
  • Homeland Security Secure Coding Site