Question

List of weakness

You can find below the list of issues:

  • Hardcoded credentials or secrets
  • Information leak
  • Missing security flags
  • Weak password hashing mechanism
  • Cross-Site Scripting
  • No CSRF protection
  • Directory listing
  • Crypto issue
  • Signature bypass
  • Authentication bypass
  • Authorization bypass
  • Remote Code Execution

Write a description of the major threats, vulnerabilities and best practices in software coding and programming.

Answer #1

Answer:

Major threats and vulnerabilities in software coding and programming:

* Information leak - Information is a very crucial aspect of the coding environment, as information is the main building block of every software and it could contain any kind of sensitive information. An information leak is a major threat to the software, as it can lead to huge loss for the company that owns the software.

* Weak password hashing mechanism - If the system's password encryption algorithm is not strong, then it is very easy for hackers to crack the system's users and passwords, and that will breach the system's security.

* Signature bypass, authentication bypass, authorization bypass - Digital signature, authorization and authentication techniques are used to verify the user's information. If these techniques are bypassed, then there is no way to verify the user, and it would be very difficult for the system to check whether the dedicated user is using the system or not. This could break the system's security.

Best practices for programming:

* Requirement

Resource Proprietors and Resource Custodians must ensure that secure coding practices, including security training and reviews, are incorporated into each phase of the software development life cycle.

* Description of Risk

Unsafe coding practices result in costly vulnerabilities in application software that lead to the theft of sensitive data.

* Recommendations

For applications to be designed and implemented with proper security requirements, secure coding practices and a focus on security risks must be integrated into day-to-day operations and the development processes. Application developers must complete secure coding requirements regardless of the device used for programming.

* Application Security Training

A critical first step to developing a secure application is an effective training plan that allows developers to learn important secure coding principles and how they can be applied. Compliance with this control is assessed through the Application Security Testing Program. Aspects of training:

  1. Input Validation
  2. Output Encoding
  3. Authentication and Password Management (includes secure handling of credentials by external services/scripts)
  4. Session Management
  5. Access Control
  6. Cryptographic Practices
  7. Error Handling and Logging
  8. Data Protection
  9. Communication Security
  10. System Configuration
  11. Database Security
  12. File Management
  13. Memory Management
  14. General Coding Practices

While OWASP (Open Web Application Security Project) specifically references web applications, the secure coding principles outlined above should be applied to non-web applications as well.  

* Secure Coding Practices

Secure coding practices must be incorporated into all life cycle stages of an application development process. The following minimum set of secure coding practices should be implemented when developing and deploying covered applications:

  1. Formalize and document the software development life cycle (SDLC) processes to incorporate the major components of a development process:
    • Requirements
    • Architecture and Design
    • Implementation
    • Testing
    • Deployment
    • Maintenance

While there is no campus standard or prescriptive model for SDLC methodologies, the resource proprietor and resource custodian should ensure the above major components of a development process are defined in respect to the adopted development methodology, which could be traditional waterfall model, agile or other models.

  2. Integrate secure coding principles into SDLC components by providing a general description of how the secure coding principles are addressed in Architecture and Design documents. If a secure coding principle is not applicable to the project, this should be explicitly documented along with a brief explanation.
  3. Perform automated application security testing as part of the overall application testing process. See Relevant Campus Services for details of the automated application security testing service offered by ISO.
  4. Development and testing environments should redact all sensitive data or use de-identified data.

* Code Review

Manually review your code and check for vulnerabilities in your code.
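As an added example (not part of the question or the answer above), the "weak password hashing mechanism" item from the list, shown as an unsalted single-round MD5 beside a salted, iterated PBKDF2 check in Python; the function names and the sample password are my own.

```python
import hashlib
import hmac
import os

# Constructed sample input, not taken from the original post.
PASSWORD = "correct horse battery staple"


def weak_hash(password: str) -> str:
    """Unsalted, single-round MD5: the weak mechanism from the list.

    Fast to compute, identical for identical passwords (so duplicate
    passwords across users are visible) and attackable with precomputed
    tables, because nothing user-specific goes into the digest."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 from the standard library.

    Returns a self-describing record (algorithm$iterations$salt$digest)
    so the verifier can recompute it later without any hidden state."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so the check itself does not leak timing."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: reject rather than guess
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same password: the weak scheme exposes the match,
    # the salted scheme stores two unrelated records that both still verify.
    print(weak_hash(PASSWORD) == weak_hash(PASSWORD))        # True
    r1, r2 = strong_hash(PASSWORD), strong_hash(PASSWORD)
    print(r1 != r2, verify(PASSWORD, r1), verify("guess", r2))  # True True False
```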
