If you want to take something down, go for the heart. Cybercriminals go for weaknesses in the code which are the heart of a web application. If the code has any vulnerabilities, the entire application could be compromised. Cybercriminals will exploit any weaknesses in the code and will use these weaknesses to bring down an application.
In December of 2020 it was discovered that several parts of the United States Federal Government were penetrated by a group of cybercriminals empowered by a foreign government. This lead to one of the biggest data breaches ever suffered by the United States. Within days of its discovery at least 200 organizations around the world reported that they were affected, and the total scope of the breach is still unknown. This attack has been dubbed one of the worst cyber-espionage incidents ever suffered by the United States. Due to the sensitivity of the discoverable data and the duration of the attack which is estimated at 8-9 months many professionals state that we may never know the full extent of the hack.
Vulnerabilities in the heart of the code in SolarWinds’s Orion software, which is widely used in government and industry, was the main inflitration point. Flaws in Microsoft and VMWare products associated with the Orion software allowed the attackers to access emails and other documents.
The attackers slipped into systems when updates to the Orion software, which monitors important computer networks, were made. The malware gave the hackers complete access to federal data so they could steal information. Microsoft revealed a week after the attacks were discovered that the hackers had infiltrated over 40 government agencies.
By exploiting weaknesses in the code in multiple systems these hackers caused measurable damage to the functioning of the United States Federal government. Damage that could have been prevented through secure coding web application procedures.
Simply put, secure coding is writing software without vulnerabilities. Many applications require various types of programing languages in order to operate at an efficient speed and perform the tasks they were designed for. With each application having their own coding language, it is essential that there are basic standards put into place to ensure that they interface securely between each other and with the end user. According to an article by Global Learning Systems, the best-known secure coding standard is OWASP which stands for Open Web Applications Security Project. It is an online community of cybersecurity professionals trained on web application security. Secure coding is a weapon against cybercriminals.
Secure coding encompasses everything from encryption files to accessing an application’s deepest memory. Secure coding includes several standards:
When new software is designed, it is coded according to these standards which will help prevent vulnerabilities in the application’s code. Secure coding prevents vulnerabilities that allow cybercriminals to infiltrate software. It is important to understand how secure coding works and why it is important.
Security is often one of the last things considered when applications are being designed. Somewhere between quality assurance and the launch someone says, “Hey, is the data protected?”
This inevitably leads to breaches. What happens if it’s discovered that there’s vulnerable code at this point? Do the time and resources exist to fix it when a project is ready to be monetized?
At Mile2, we suggest that secure coding should be a consideration in each step of the web application design process. Our C)SWAE course is designed to help developers consider secure coding each and every step of the build.
Many companies and government agencies are running on computer systems written in antiquated languages. In 2020 we saw the struggles of state unemployment systems written in old languages that were difficult to update. These organizations struggled, some for weeks, to align their systems to communicate with federal systems efficiently while keeping their users updated as well.
Older systems written in older, unsecure code, need to be replaced with secure coding at the forefront of the design. A strong replacement plan should be drafted that includes the standards that will meet the needs of the organization now and into the forseeable future.
Mile2’s C)SLO (Certified Security Leadership Officer) and C)CSA (Certified Cybersecurity Analyst) teach students how to analyze an INFOSEC system and put plans in place to secure the coding vulnerabilities in an organization as well as other penetration points.