Encoding output
Ensuring authentication and credential management
Managing sessions
Using access control lists
Monitoring error handling and logging
Protecting data, including files, databases, and memory
Code review: Code review is one of the most essential steps in
securing an application. The rule to keep in mind is that pen testing
and other forms of testing should not be discovering new
vulnerabilities; code review has to be the way you make sure that an
application is self-defending. It should be conducted using a
combination of tools and human effort, and it is important to designate
a security lead who can help review code from a security point of view.
Secure tooling: Static analysis helps catch vulnerabilities. Static
analysis tools detect errors or potential errors in the structure of a
program without running it, and their output can also be useful for
documenting or understanding a program. Static analysis is a very
cost-effective way of discovering errors. Data flow analysis is a form of
static analysis that concentrates on how a program uses its data and
detects some data flow anomalies.
Dlint (see https://github.com/duo-labs/dlint) is a tool from Duo Labs
(Cisco) that defines and checks for common best practices when it
comes to writing secure Python. To evaluate a variety of rules over a
code base, Dlint leverages Flake8. Flake8 does the heavy lifting of
parsing Python’s AST, allowing you to focus on writing robust rule sets.
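As an added illustration of the kind of rule such a tool evaluates over an AST (this is example code written for this section, not Dlint's own rules or Flake8's plugin machinery), the checker below implements a small data flow rule with Python's standard ast module: a name assigned from an untrusted source call is marked tainted, and passing it to a dangerous sink is reported in the (line, column, message) shape a Flake8-style rule emits. The SINKS and SOURCES sets and the SEC001 code are constructed for this example.

```python
import ast

SINKS = {"eval", "exec", "os.system", "subprocess.call"}  # constructed list, not Dlint's
SOURCES = {"input", "sys.stdin.readline"}                  # calls that yield untrusted data

def _qualname(node):
    """Dotted name of a call target, e.g. 'os.system'; None if not static."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class TaintChecker(ast.NodeVisitor):
    """Data flow rule: a name assigned from a SOURCE call is tainted; passing
    a tainted name or a SOURCE call to a SINK is reported as (line, col, msg)."""
    def __init__(self):
        self.tainted, self.findings = set(), []

    def _is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            return _qualname(expr.func) in SOURCES
        return False

    def visit_Assign(self, node):
        for t in node.targets:
            if isinstance(t, ast.Name):  # reassigning a safe value clears taint
                (self.tainted.add if self._is_tainted(node.value)
                 else self.tainted.discard)(t.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = _qualname(node.func)
        if sink in SINKS and any(self._is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, node.col_offset,
                                  f"SEC001 untrusted data reaches {sink}()"))
        self.generic_visit(node)

def check_source(source):
    """Parse Python source text and return the list of findings."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings

# Constructed sample module: findings are expected on lines 3 and 6 only.
SAMPLE = ("import os\ncmd = input('> ')\nos.system(cmd)\n"
          "safe = 'ls'\nos.system(safe)\neval(input())\n")
```

The rule is flow-insensitive and intra-module, so it misses taint passed through function arguments or containers; a production tool tracks those paths as well, which is why such rules are best combined with human review.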
Testing: Testing includes penetration (pen) testing, system testing,
black box testing, and white box testing. Black box testing is a method
used to test software without knowing the internal structure of the code
or program. Testing teams usually do this type of testing, and
programming knowledge is not required. Black box testing includes
functional testing, behavior testing, and closed box testing. White box
testing, on the other hand, is a software testing method in which
internal structure is known to the tester who is testing the software.
Generally, this type of testing is carried out by software developers.
Programming knowledge is usually required for white box testing.
White box testing includes structural testing, logic testing, path testing,
loop testing, code coverage testing, and open box testing.
Testing involves the following steps:
Intelligence gathering: Define the goals, understand what’s
included in the application, and identify potential areas of
vulnerabilities.
Scanning: Understand both running and non-running behaviors.
Static analysis tools enable developers and testers to see faults
without actually running an application. These tools can save a lot
of time and effort in the long run, and the more errors and defects
found here, the better. Dynamic analysis, on the other hand,
involves actually running the application in a real or virtual
environment. Usually, a lot of external services and interactions
are exercised here.