
Cybersecurity for startups – develop with modern frameworks

Writing secure code is challenging, particularly when there is hardly any guidance for developers, especially new ones, on how to code securely. This is evident in the fact that many Computer Science programs at universities do not offer a course on application security or secure coding practices, which explains why many developers have to “figure it out” and seek training from alternative sources such as OWASP and coding mentors.

The secure coding problem is why modern frameworks and libraries that implement security mechanisms by default are instrumental to developers who need to secure their applications’ code. As innovation continues to make the world go ’round and cybersecurity threats continue to increase and are here to stay, startups will face issues such as how they will secure their applications while quickly creating apps, meeting deadlines, and boosting productivity.

This is the third of eleven articles in the series “Cybersecurity for startups”. If you haven’t read the previous one, you can find it under the title: Cybersecurity for startups – use a password manager and two-factor authentication.

In our digital age and modern world filled with innovation, developers will continue to build web applications for enterprises and startups. Because startups are neither as established nor as well funded as a successful large corporation that has been around for decades, cybersecurity for startups is critical.

Software development security is vital for any startup to thrive that develops web applications, especially when the web application is the number one attack vector, according to Verizon’s 2022 Data Breach Investigations Report (DBIR). Ignoring it can lead to detrimental results.

Luckily, secure software development for startups is now more convenient and possible with modern software frameworks that implement security such as:

  • Spring Security
  • Django
  • CakePHP
  • Angular
  • React
  • Laravel
  • .NET

Before diving into these modern software frameworks and how they work and implement security, I will cover secure code best practices, the OWASP Top 10, training developers on how to write secure code, and the software development lifecycle (SDLC). 

Secure Coding Practices

Application security requires secure coding practices to be built into the software development life cycle, or SDLC. Following the best secure coding practices reduces the security risk from threats and vulnerabilities, especially when done in the early stages of the SDLC rather than after a software package is completed.

The OWASP Secure Coding Practices offers a checklist for developers to follow to maintain the confidentiality, integrity, and availability (CIA triad) of information resources. You can check out a more detailed overview of this checklist here.

OWASP Secure Coding Practices Checklist covers:

  • Input Validation 
  • Output Encoding 
  • Authentication and Password Management
  • Session Management 
  • Access Control 
  • Cryptographic Practices 
  • Error Handling and Logging 
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security 
  • File Management
  • Memory Management
  • General Coding Practices

Most importantly, follow the regularly updated OWASP Top 10 guidelines to prevent critical security risks in web applications.


OWASP Top 10

The top 10 most critical risks in web applications are outlined by the OWASP Top 10, which provides remediation guidance. It is an excellent step for incorporating software development security for any organization or startup, and stays up-to-date with changes in the cyber landscape of threats and vulnerabilities.

As of July 2022, the OWASP Top 10 (2021 edition) are:

  1. Broken Access Control (A01:2021)
  2. Cryptographic Failures (A02:2021)
  3. Injection (A03:2021)
  4. Insecure Design (A04:2021)
  5. Security Misconfiguration (A05:2021)
  6. Vulnerable and Outdated Components (A06:2021)
  7. Identification and Authentication Failures (A07:2021)
  8. Software and Data Integrity Failures (A08:2021)
  9. Security Logging and Monitoring Failures (A09:2021)
  10. Server-Side Request Forgery (A10:2021)

Education

Training new developers to write secure code is challenging and begins with covering the basics, such as understanding threat modeling and the STRIDE threat model. Application security engineer Jet “Code Doctor” Anderson taught software developers to write secure code and once advised me (and in his blog) to begin with “lite” threat modeling when learning secure coding.

Three questions to ask for light threat modeling:

  1. What could go wrong?
  2. What will happen if it does?
  3. How can I avoid this?

Next, know what the STRIDE threat model is. It can help you identify known threats to be aware of when writing secure code.

STRIDE stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privilege

Learn about the OWASP Application Security Verification Standard (ASVS) that you can download here, which provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

Software Development Life Cycle (SDLC) and Secure SDLC (SSDLC)

The software development life cycle (SDLC) contains seven stages developers follow for software design, development, and testing. It is a model that covers the life cycle of software from its beginning to completion. A secure SDLC or SSDLC helps developers adhere to secure code practices in every development stage from start to finish. Security risks and threats can be minimized or reduced when developers follow the SSDLC, especially when implementing it during the early stages of software development rather than after software has been released.


The 7 stages of the software development life cycle (SDLC) are:

  1. Planning
  2. Systems Analysis & Requirements
  3. Design & Prototyping
  4. Development
  5. Testing
  6. Implementation & Integration
  7. Operations & Maintenance

A “Shift-Left” Approach

Shift-left is a concept or approach that derives from the idea that software testing in the early stages of software development rather than in the later stages can eliminate insecure code and vulnerabilities more effectively. If you view the SDLC as a spectrum, the early stages are on the left-hand side, and the later stages are on the right-hand side. Thus, it is ideal to have a “shift-left” approach in the SSDLC.

Develop Securely with Modern Software Frameworks

Develop web applications securely with modern software frameworks and libraries. An overview of the most popular and secure modern software frameworks and libraries can help a startup decide which one best fits its approach to software development. The frameworks covered below are Spring Security, Django, CakePHP, Angular, React, Laravel, and .NET.


Java Spring Security

Java Spring Security, or simply Spring Security, is a reliable, extensively tested, open-source Java/Java EE framework started in late 2003 by software engineer Dr. Ben Alex, initially as Acegi Security, before being renamed Spring Security. Its core features focus on adding authentication and authorization to your web application securely, along with other security features that protect enterprise applications from common exploits.

Whether for an enterprise or for cybersecurity for startups, Spring Security is the primary choice for implementing application-layer security in Spring applications and is notably reliable and fast. Google, Amazon, and Netflix, as well as many government, banking, and military installations, use the framework for that reason.

Robust Authentication and Authorization

Spring Security is a highly customizable authentication and access-control framework out-of-the-box that has all the tools you need to develop rapidly and focus on your application logic. It has multiple authentication and authorization strategies offering flexible options to select from that may fit any enterprise or startup’s needs.

Spring Security leverages these robust authentication and authorization strategies:

  • Basic and Form Authentication
  • OAuth2 and OpenID Connect
  • LDAP (Lightweight Directory Access Protocol)
  • JWT (JSON Web Tokens)

Protects against cross-site scripting (XSS) and other threats

Aside from implementing secure authentication and authorization, Spring Security protects your web applications from common threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF).

Spring Security offers protection against these common threats: 

  • Session fixation
  • Clickjacking
  • Cross-site request forgery (CSRF)
  • Cross-site scripting (XSS)

Spring Security also includes other security features, such as a sign-up feature that securely hashes passwords using BCrypt rather than saving user passwords in cleartext without any hashing.

Django

Django is an open-source Python full-stack web framework first released in 2005 that follows the model-template-view (MVT) architectural pattern. It offers features by default that enable the rapid development of secure websites due to its speedy performance and extreme scalability, along with an emphasis on software development security which assists developers in avoiding common security mistakes. 

Django handles user authentication, content administration, site maps, RSS feeds, and many more tasks out-of-the-box. Giant companies such as YouTube, Instagram, Robinhood, Spotify, NASA, Dropbox, and Udemy are among many companies that use Django due to its simplicity, security, and scalability.

Django offers protection against these common threats and vulnerabilities: 

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Clickjacking
  • Session fixation and hacking
  • Mass assignment

In a mass assignment vulnerability, a threat actor exploits a web application’s object-relational mapping (ORM) interface to change information in the database that should not be changeable from a request (e.g., passwords, session keys, cookie data, permissions, and admin access).

A typical request like the one below becomes exploitable when a threat actor can guess or brute-force common yet sensitive field names, has access to the source code and can review its models for sensitive fields (for example via a bot that scans GitHub for sensitive fields), or when an object with sensitive fields has an empty constructor or setter.

POST /addUser HTTP/1.1

userid=hashedtables&password=hashedpass&email=user@zigrin.com

And here is the exploit request, with the extra isAdmin=true parameter:

POST /addUser HTTP/1.1

userid=hashtables&password=hashedpass&email=user@zigrin.com&isAdmin=true

Django can block threats like this by using Forms: a ModelForm whitelists the fields a user is allowed to modify, and any field not on that list (such as isAdmin) is ignored when the form is bound to request data, which effectively blacklists it.

from django import forms
from myapp.models import User

class UserForm(forms.ModelForm):
    class Meta(object):
        model = User
        # Only these fields may be populated from request data; isAdmin is not listed,
        # so a submitted isAdmin=true is dropped instead of being written to the model.
        fields = ('username', 'password', 'email')
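To show what the whitelist actually changes, here is an added, framework-free Python example (not code from the article or from Django) that parses the two request bodies above and binds them to a User object twice: once naively, copying every submitted field, and once through an allow-list equivalent to Meta.fields. The User dataclass, the field names, and the ALLOWED_FIELDS set are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed request bodies, mirroring the two POST /addUser requests in the article.
NORMAL_BODY = "userid=hashedtables&password=hashedpass&email=user@zigrin.com"
ATTACK_BODY = "userid=hashtables&password=hashedpass&email=user@zigrin.com&isAdmin=true"

# Fields a client may set; this plays the role of Meta.fields on a ModelForm (assumed names).
ALLOWED_FIELDS = frozenset({"userid", "password", "email"})


@dataclass
class User:
    userid: str = ""
    password: str = ""
    email: str = ""
    isAdmin: bool = False  # sensitive field: must never be settable from request data


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat name -> value dict."""
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def bind_naive(body: str) -> User:
    """Vulnerable binder: every submitted field that exists on the model is copied onto it."""
    user = User()
    for name, value in parse_form(body).items():
        if hasattr(user, name):
            # Coercing the string for the boolean attribute is exactly what lets
            # isAdmin=true flip the privilege flag.
            setattr(user, name, value.lower() == "true" if name == "isAdmin" else value)
    return user


def bind_allowlisted(body: str) -> Tuple[User, List[str]]:
    """Hardened binder: only allow-listed fields are bound; everything else is reported."""
    user = User()
    rejected: List[str] = []
    for name, value in parse_form(body).items():
        if name in ALLOWED_FIELDS:
            setattr(user, name, value)
        else:
            rejected.append(name)  # worth logging: an unexpected field is a mass-assignment signal
    return user, rejected
```

The rejected list is the useful by-product for defenders: a request that carries isAdmin shows up there, so the event can be logged and alerted on instead of silently succeeding.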

CakePHP

CakePHP is an open-source rapid development PHP web framework created in April 2005 that follows the model-view-controller (MVC) pattern. CakePHP is the most appropriate choice for building big-scale websites and web applications simply, rapidly, and securely while requiring less code. It contains general-purpose utility libraries and core components that handle access control lists (ACLs), authentication, cookies, email, request handling, sessions, and security. 

CakePHP is well known for its software engineering concepts and design patterns: convention over configuration (works from any website directory and requires little to no configuration of Apache or other web server), MVC, active record, association data mapping, and front controller. Although it has a steep learning curve compared to other frameworks, CakePHP is as robust as Ruby on Rails, adopting many of its concepts. Since it uses an MVC pattern, the CakePHP framework can easily craft application tasks into separate models, views, and controllers, which makes your application very light and easy to add features. Additionally, it offers customization and modularity, including the reuse of code.

Most secure PHP framework

CakePHP has multiple security mechanisms implemented in web applications. They include built-in validation, data sanitization, CSRF and form tampering protection. CakePHP also contains general-purpose utility libraries like HttpSocket, router, and XML, to name a few, and a security library that handles basic security measures for hashing and encrypting data. CakePHP is highly efficient as it reduces the time it takes for development and prototyping, increases productivity on your web applications, and protects web apps against security threats.

List of common threats CakePHP protects against out-of-the-box:

  • Form tampering
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Cross-site scripting (XSS)

Aside from protecting against these common threats, CakePHP adds security by restricting which HTTP methods your application accepts and by requiring the use of SSL. Additionally, it limits cross-controller communication in web applications and performs input validation. CakePHP has many advantages, including its security features, which is why it is a favorite choice of many PHP developers.

Angular

Angular is a free, open-source JavaScript web application framework created by Google and released in 2016, written in TypeScript as a complete rewrite of AngularJS, and contains built-in protections against common web application vulnerabilities and attacks. Angular uses a full-fledged model-view-controller (MVC) pattern. Its primary purpose is to develop single-page applications (SPAs) for mobile and desktop devices and solve Google-scale problems while offering code reusability and enabling faster development, easy testing, and lighter, faster apps.

Plain JavaScript is not ideal for developing single-page applications that require modularity, testability, and developer productivity. Because of this, TypeScript was the programming language used to rewrite AngularJS: it adds a type system to JavaScript, helping developers write code that is easier to understand and that suits single-page applications. TypeScript compiles to JavaScript and runs on any platform that runs JavaScript. Gmail, PayPal, Forbes, Microsoft Office, and UpWork use the Angular framework in their web app development pipeline.

In April 2020, Forbes used Angular for its website and achieved 173.5 million page visits due to its fast page loading time and responsive user experience. PayPal used Angular to architect dynamic web pages that support real-time feeds of PayPal transaction data. These are a couple of examples that prove how successful Angular is when used for single-page web applications.

Built-in Security Protects Against Two Common HTTP Vulnerabilities

Angular has built-in protection from two common HTTP vulnerabilities, 1) cross-site request forgery (CSRF) and 2) cross-site script inclusion (XSSI), which are critical to mitigate primarily on the server side, while Angular makes integration on the client side easier. 

A cross-site script inclusion (XSSI), also known as JSON vulnerability, allows an attacker’s website to read data from a JSON API. XSSI attacks work on older browsers by overriding built-in JavaScript object constructors and including an API URL using a
