1

Codacy Product Showcase: April 2024

Group 370
2

Codacy Security Adds Thousands of New SAST Rules With Semgrep Integration

Group 370
3

6 things developers should do to ship more secure code

In this article:
Subscribe to our blog:

Writing better, more secure source code is fundamental to prevent potential exploits and attacks that could undermine your software applications. However, writing secure code involves adopting a set of best practices and guidelines. These best practices will help you minimize the risk of security vulnerabilities.

In this blog post, we’ll explore 6 things developers should do to ensure the codebase is secure and the applications are safe from potential threats. 

#1 – Validate and sanitize input

Input validation is all about verifying that user input is valid and meets the format and constraints we expect. On the other hand, sanitization involves cleaning and filtering user input to remove potentially harmful or malicious data. Both techniques are essential to prevent Injection attacks.

One commonly used method for sanitizing inputs involves eliminating characters that could potentially be used to inject extra commands or alter the intended behavior of the initial command. You should also validate and sanitize inputs received from user fields and any input data from external sources such as APIs or databases.

#2 – Avoid taking shortcuts

Don’t be tempted to take shortcuts to release code into production faster. We know developers often have tight deadlines, but taking shortcuts can result in profound security implications. 

For example, attacks often occur when developers hardcode credentials and leave security tokens as comments. Of course, all this information should be cleaned from the codebase before your application is released and, ideally, not be there in the first place.

#3 – Have an effective error-handling strategy

A robust error-handling strategy can help you avoid security vulnerabilities and provide a smooth user experience, even in unforeseen situations. On the other hand, an inadequate error-handling approach can unintentionally disclose sensitive information to unauthorized users.

As such, developers should generate custom and generic error messages as substitutes for the standard ones. Then, consider your application’s potential errors and create a hierarchy that reflects those error types.

#4 – Use encryption and hashing with care

Encryption and hashing are crucial to protect sensitive information and ensure data integrity, that is, to guarantee that data has not been modified or corrupted during transmission or storage.

Instead of using custom algorithms that can introduce unknown vulnerabilities, developers should use strong and reliable algorithms such as AES and SHA-256. Plus, you should securely store cryptographic keys and change them regularly.

#5 – Implement and frequently review access control

With access control, you can guarantee that users or entities have the appropriate level of access. This includes authentication, authorization, and management of permissions and roles. When properly implemented, access control can help prevent unauthorized access to sensitive information and actions, such as viewing or modifying data, deleting files, or running source code.

Several best practices for implementing access control exist, like the principle of least privilege and  role-based access. The former gives users only the access rights they need to perform their tasks. The latter assigns permissions to users based on their roles and responsibilities within the system, with each role having specific access permissions.

#6 – Log relevant information

Logging helps developers monitor and detect security incidents and vulnerabilities in their applications. 

By logging relevant information on user interactions, system events, and errors, developers can gain insights into how their application is used and detect unusual behavior that could indicate an attack. Plus, logs can pinpoint the underlying cause of errors and help developers diagnose and fix bugs in the application.

Don’t forget to establish a well-defined logging structure, restrict the amount of sensitive information stored in the logs, and guarantee that the logs are encrypted and safeguarded against unauthorized access.

By using structured logs, you can smoothly search and analyze the relevant data and make integrations with different tools, facilitating the detection of security incidents and diagnosing problems in the application.

🎥 [Webinar] Are you meeting SLA for your most critical security issues?

Join Mike Khusid, VP of Product at Codacy, in discussing how SLA tracking can help engineering managers prioritize work on security issues and best practices to shift-left the resolution of those issues.

RELATED
BLOG POSTS

Code Quality: Shared Dashboard
Following the release of our new product workflow we continue working towards helping organisations effortlessly standardise code quality. A shared...
Who should care about code coverage
Code coverage tells us what percentage of our code is covered by tests. There are different code coverage types, and a well-tested codebase is usually...
How to tackle technical debt (for teams using Scrum)
Technical debt happens in all software projects, regardless of the programming languages, frameworks, or project methodologies used. It is a common...

Automate code
reviews on your commits and pull request

Group 13