Secure coding
Secure coding rules and best practices are only guidelines. Putting them into practice requires the right secure coding tools, and the right approaches to make those tools effective and efficient.
Secure coding awareness training
Case studies and scenario-based examples of vulnerable source code teach more effectively than a bare list of secure coding rules.
Tool evaluation
Once the importance and the difficulty of secure coding become apparent, teams look for tools to make it easier. The following evaluation criteria have proven useful:
Considerations | Description |
---|---|
Usability | The target users of a code scanning tool are developers. Usability includes the ability to scan part of the source tree, run differential scans against a previous result, produce readable scanning reports, trace each finding back to the original source line, and so on. |
Budget | For a commercial IDE plugin, count how many concurrent user licences will be needed. |
Programming language support | Most tools support C/C++ and Java; coverage of scripting languages such as Python, JavaScript, or PHP is much less consistent. Survey the languages used by in-house projects and prioritise those that must be supported. |
Detection rate and false positive rate | Every scanning tool produces false positives; the rate depends on the scanning engine and its rules. A high false positive rate is not necessarily a bad thing, since it can mean the scanner takes a more conservative approach, but each false positive costs developer time to triage. Choose the tool that best fits the projects rather than the best-known one. To measure the detection rate, run the tool against known vulnerable projects and compare its findings with the documented vulnerabilities. |
Scanning rule updates | The tool's rules and scanning engines should be updated regularly; check how quickly new vulnerability classes reach the rule set. |
After the scanning tools have been in use for a while, the security team can tune the tools, processes, or rules based on developer feedback.
Secure compiling
Memory corruption bugs such as buffer overflows can lead to code injection and control-flow hijacking. For C/C++, compiler and linker options provide mitigations against these attacks:
To verify whether a binary or its runtime environment has actually been built and configured with these options, the following can be useful:
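As an added example (not code from the original text), the following script shows both halves of this section in working form: a hardening flag set for GCC/Clang, and a verification step that reads a binary's ELF headers with only the Python standard library to confirm that PIE, a non-executable stack and RELRO are present. The flag list is an assumed but widely used set, and `build_elf` produces constructed ELF fixtures for demonstrating the checker rather than loadable binaries. Stack canaries, FORTIFY and full RELRO (`BIND_NOW`) live in the dynamic section and symbol table, which this deliberately small checker does not parse; use `readelf -d` / `readelf -s` or a checksec-style tool for those.

```python
"""ELF hardening checker: an added example, not code from the original text.

Checks three build-time mitigations from the ELF program headers:
  - PIE    : e_type == ET_DYN           (from -fPIE -pie)
  - NX     : PT_GNU_STACK without PF_X  (default unless -z execstack)
  - RELRO  : PT_GNU_RELRO present       (from -Wl,-z,relro)
Canaries, FORTIFY and BIND_NOW require the dynamic section, which is out of scope.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# Assumed hardening set for GCC/Clang; adjust to what your toolchain supports.
HARDENING_FLAGS = [
    "-fstack-protector-strong",     # canaries in functions with local arrays
    "-D_FORTIFY_SOURCE=2", "-O2",   # bounds-checked libc calls; needs optimisation
    "-fPIE", "-pie",                # position-independent executable so ASLR applies
    "-Wl,-z,relro", "-Wl,-z,now",   # full RELRO: GOT made read-only after loading
    "-Wl,-z,noexecstack",           # non-executable stack
]


def hardened_compile_command(source, output, compiler="gcc"):
    """Return the argv for a hardened build of a single C source file."""
    return [compiler, *HARDENING_FLAGS, "-o", output, source]


def check_hardening(data):
    """Inspect an ELF64 image and report which of PIE, NX and RELRO it has."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx = False      # no PT_GNU_STACK header at all means an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def missing_mitigations(data):
    """Names of the checked mitigations the binary lacks, in a fixed order."""
    result = check_hardening(data)
    return [name for name in ("pie", "nx", "relro") if not result[name]]


def check_file(path):
    """Run the checker on a binary on disk (e.g. the output of a hardened build)."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_elf(e_type, phdrs):
    """Assemble a minimal little-endian ELF64 image with the given (p_type, p_flags)
    program headers. This is a constructed fixture for exercising the checker,
    not a loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH",
                      e_type, 0x3E, 1, 0, 64, 0, 0,           # x86-64, entry 0, phoff 64
                      64, 56, len(phdrs), 0, 0, 0)            # ehsize, phentsize, phnum
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ident + hdr + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        hardened = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
        weak = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
        print("hardened:", check_hardening(hardened))
        print("weak    :", check_hardening(weak), "missing:", missing_mitigations(weak))
        print(" ".join(hardened_compile_command("app.c", "app")))
```

Running the script with a path argument checks a real binary; running it without arguments exercises the constructed fixtures. Note that the absence of a `PT_GNU_STACK` header is reported as a missing NX mitigation on purpose: the kernel treats such binaries as requesting an executable stack.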