Resources, best practices, tools, and techniques
Resources, best practices, tools, and techniques
Traditionally, security has not been a substantial focus area for developers (something that is changing but arguably not fast enough). However, with more frequent news about cyber attacks and ransomware, ensuring that code is as safe and secure as possible must become a priority. This applies to both open-source software and proprietary software.
Fortunately, there is a raft of resources, best practices, tools, and techniques that can help make the software development process more secure without creating too much additional workload for already busy teams. For instance, for C and C++ (predominantly used in IoT and embedded systems), coding standards provide users with a set of guidelines against which they can confidently develop code. Examples of coding standards include CERT and MISRA. Besides spotting deviations that could create vulnerabilities, coding standards support regulation and compliance.
Indeed, in some instances, the use of a coding standard is mandated as part of compliance processes (such as the ISO26262 standard, which applies to automotive software development). Of course, as busy people, developers do not want additional workload, so they typically apply coding standards using static analysis tools, which automatically inspect code for deviations while the software is being developed.
Also known as static application security testing (SAST), this can analyse thousands or even millions of lines of code rapidly.
For C and C++ (predominantly used in IoT and embedded systems), coding standards provide users with a set of guidelines against which they can confidently develop code
As far as open-source security is concerned, the availability of thousands of libraries is a double-edged sword. While they give software developers access to some tremendously complex functionality, these libraries are also showcases for potential vulnerabilities, which in turn can be exploited. Fortunately, the open-source community is generally excellent at reporting and fixing vulnerabilities fast and sharing that knowledge freely. Examples of open-source organisations sharing the knowledge include OWASP Top 10, National Vulnerability Database, and the Open Source Security Foundation.
Of course, the onus is on organisations to stay up to date, support the open-source software there are using, and apply software patches that address defects and vulnerabilities. Various tools can help identify vulnerabilities early in the software development...