What is Secure Coding?

Why Secure Coding is a Must

With years of experience running penetration tests, our security awareness experts estimate that more than 95% of the time the vulnerabilities identified are due to poor coding practices. One of the most serious findings is when pen testers tell us they have found a hole in a web-facing application that, in turn, opened a path into the organization's UPS system.

Think about that scenario for a moment and the ramifications that could have occurred if a bad actor found this vulnerability. Developers must understand the risks of poor coding practices, and it is up to organizations to train them on how to develop secure code. OWASP is an authority on the subject, so OWASP training is the first step in the secure coding journey.

What is Secure Coding?

As we hear more news about security incidents and data breaches, a stronger spotlight is being placed on the importance of secure coding. What is secure coding? What role does it play in an organization’s security posture? The answers to these questions are important when considering the security landscape of an organization.

When developers are learning to code, they are exposed to the “coding convention” for a specific programming language. These coding guidelines cover common issues that affect the readability and maintainability of the code, such as line length, indentation, commenting, and naming of variables. For example, in C# the convention for naming a method parameter is to use camelCase. Some coding conventions are related to ensuring the security of code, such as limiting the access that the code has to sensitive data resources.

In development, when a convention or guideline can be applied across multiple programming languages, it becomes a standard. Secure coding relies on standards, or a set of uniform guidelines, that software developers can apply to their code to provide safeguards against security vulnerabilities. Secure coding standards are set by a larger body or organization, rather than per programming language or project.

Why is Secure Coding Necessary for Organizations?

Development has become more complex. Many applications require multiple programming languages to perform the numerous tasks required to provide the user-friendly, rapid responses across multiple platforms consumers have come to expect. Multiple types of developers – e.g., web, mobile, front-end, back-end database, embedded systems, and cloud – may be required to complete a project. With each of these having their own coding conventions, it is essential there is a shared security standard across these stacks to ensure that they interface securely between each other and with the end user.

By having one unified set of standards, it is easier to define security protocols. Moreover, an entire community of web coders, project managers, security researchers and other thought leaders contribute to secure coding standards to provide their unique perspectives.

What is OWASP?

The best-known secure coding standard is OWASP, or the Open Web Application Security Project. It is an online community of development professionals focused on web application security. The group was founded in 2001 and began publishing its best-known guide, the “OWASP Top 10,” in 2003. Its focus is on common, critical risks related to web application security. The Top 10 is updated every few years, based on feedback and new technologies. The latest version is the “OWASP Top Ten – 2017,” which was released in November 2017.

UPDATE as of 2021: As the industry awaits a new OWASP Top Ten release, delayed due to the COVID-19 pandemic, much of the 2017 version still applies. Read “How OWASP Continues to Support Secure Coding Pending New Release” for details.

What Does "Web Application Security" Encompass?

It includes: 

  • web applications 
  • web sites 
  • web services, such as an API

With its focus on application security, the OWASP Top 10 is commonly referenced in, and supports, other industry-level security standards and protocols which contain a software development component, including:

  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Center for Internet Security (CIS)
  • Cloud Security Alliance (CSA)
  • National Institute of Standards and Technology (NIST)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley (SOX)
  • International Organization for Standardization (ISO)
  • General Data Protection Regulation (GDPR)
  • Family Educational Rights and Privacy Act (FERPA)

Although its name and description imply it is specifically for use by web application developers, the OWASP Top Ten impacts more than just your development teams. Every group that interfaces with and supports your development team(s) – designers, business analysts, project managers, product owners, etc. – should be aware of the OWASP secure coding standard and its impact on every aspect of the development lifecycle. Data and information security should be championed by leadership and developers empowered and encouraged to make the best development decisions for the product, and therefore, the organization.

As noted by OWASP, “Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.”

Secure Coding Training for Your Organization

Global Learning Systems offers role-based secure coding training that relates to the latest security threats. “Secure Coding with the OWASP Top 10 – 2017” uses role-based scenarios for each of the Top 10 entries to introduce learners to the identified risk. The course offers a deep dive into each risk, including how it can be introduced into code and the impact it can have. Learners also learn best practices for mitigating and/or avoiding the risk. The program is language- and platform-agnostic, but includes real-world examples of code in multiple languages for learners to analyze.


Don't Let Your Code Get Compromised

What can YOU do to secure your organization's code?

Give your software and web application developers the knowledge they need to write secure code. Enroll them today in GLS’s Secure Coding with the OWASP Top 10 training course. Or sign them up for our SecureDev developer training, our interactive courses offered in partnership with Kontra Application Security. With GLS, we have your AppSec training covered across today’s most common coding languages.


SecureDev™

New App Sec Developer Training

Front-End Exercises

  • React: Cross Site Request Forgery; Direct DOM Manipulation XSS; Components with Known Vulnerabilities; Untrusted HTML Rendering XSS
  • Angular: Cross Site Request Forgery; Direct DOM Manipulation XSS; Template Concatenation; Sanitization Misuse XSS
  • Vue.js: Untrusted HTML Rendering XSS; Direct DOM Manipulation XSS; Cross Site Request Forgery; Untrusted Template Usage XSS
OWASP Top 10 – API – 2019

Each topic below is covered by a SecureDev module of the same name. Programming languages available (all modules): JAVA, C#, Python (Django), Python (Flask), Node.js, GO, PHP, Ruby on Rails, Scala, Kotlin.

  • API1:2019 Broken Object Level Authorization
  • API2:2019 Broken User Authentication
  • API3:2019 Excessive Data Exposure
  • API4:2019 Lack of Resources & Rate Limiting
  • API5:2019 Broken Function Level Authorization
  • API6:2019 Mass Assignment
  • API7:2019 Security Misconfiguration
  • API8:2019 Injection
  • API9:2019 Improper Assets Management
  • API10:2019 Insufficient Logging & Monitoring
OWASP Top 10 – 2021

Programming languages available (all modules): JAVA, C#, Python (Django), Python (Flask), Node.js, GO, PHP, Ruby on Rails, Scala, Kotlin.

  • A01:2021 Broken Access Control (modules: Vertical Privilege Escalation; Horizontal Privilege Escalation)
  • A02:2021 Cryptographic Failures (module: Weak Randomness)
  • A03:2021 Injection (modules: SQL Injection; Command Injection; Header Injection; XML Injection)
  • A04:2021 Insecure Design (module: User Enumeration)
  • A05:2021 Security Misconfiguration (module: Leftover Debug Code)
  • A06:2021 Broken Access Control (modules: Vertical Privilege Escalation; Horizontal Privilege Escalation)
  • A07:2021 Vulnerable and Outdated Components (modules: Session Fixation; Forced Browsing)
  • A08:2021 Software and Data Integrity Failures (modules: Reflected XSS; Forced Browsing; Stored Cross-Site Scripting; Insecure URL Redirect; Clickjacking; Directory Traversal; DOM XSS; Cross-site Request Forgery)
  • A09:2021 Security Logging and Monitoring Failures (modules: PII Data in URL; Token Exposure in URL)
  • A10:2021 Server-Side Request Forgery (SSRF) (module: Server-Side Request Forgery)