The Poor State of Secure Coding

Steve Jones, 2017-06-06

Security is becoming a bigger issue all the time. More companies are getting hacked and losing control of data. It seems every week there's a new disclosure from some firm. Recently OneLogin had a breach, which is very disturbing as they provide a single sign on solution for customers. This year we've learned about E-Sports, XBOX, Playstation, IHG, Arby's, River City Media, Verifone, Dun and Bradstreet, and more.  At this point, there's no reason for any large organization to wonder if they'll get hacked. They should be preparingfor when they get hacked.

The state of coding is poor, with far too few developers understanding how to write secure code. Even trying to learn how to code securely is hard. Too many examples given show poor coding practices. If you search for secure coding practices, you'll get information, but none of the sample applications, none of the common information that most people would use to write code, is returned. This is especially true of data access, where far too many examples use dynamic strings.

Even if we had great developers, there are still issues. A look at a survey from O'Reilly and SIG shows that there are still plenty of companies that are interested in security, but don't perform reviews or use tools. Certainly many organizations don't invest in security tools or resources heavily, and many companies don't want to spend extra time worrying about security when there are features to build and deploy.

My wish is that large organizations would engage in constant pen testing and review of their systems, looking for vulnerabilities, and patching them. I would hope that insurance companies would start to deny claims when a patch for any software has been available for six months or longer. That might help reduce the number of issues from older libraries not being upgraded.

I would also expect that any vendor selling software engage in some security review for their products. In fact, I'd hope that once a company sells a certain number of units, this would be required. I'm still amazed that this isn't a requirement for purchase from more customers, but since most vendors don't bother, perhaps avoiding purchases of un-reviewed software isn't feasible. Maybe it's just as well; even if we did have some sort of review, how many of us would understand what that means? How many of you really understand what PCI or HIPAA compliance means? How well has that helped us? I guess things could be a lot worse than they are today.

Security is going to be an issue for a long time. All I can do is try to improve my own skills and ask you to do the same. Learn to code securely and try to improve the software you work on. It might only make a small difference, and you might never know if it helps, but I bet you'll feel better about your own work.





Related content

Lockdown or Let Them Free

Do we take security too far? Are we creating unnecessary rules for those that need to use the resources we support? Steve Jones talks today about security and how we might want to approach it when handling rights for developers.

4.5 (2)

Steve Jones

2014-06-27 (first published: 2009-09-21)

211 reads