5 Best Practices for Writing Secure Code Identified by SAST


Static Application Security Testing (SAST) tools identify vulnerabilities by scanning source code for security flaws without running the application. By adopting the five best practices below, you can avoid common vulnerabilities and improve the overall security of your applications.

Overview of the five best practices for writing secure code:

Best Practice               | Vulnerability Avoided
Use Parameterized Queries   | SQL Injection
Sanitize User Inputs        | Cross-Site Scripting (XSS)
Implement "Deny by Default" | Unauthorized Access
Secure Cookies              | Cross-Site Request Forgery (CSRF)
Avoid Hardcoded Secrets     | Exposure of Sensitive Information

Let’s explore each of these practices in more detail:

1. Use Parameterized Queries to Prevent SQL Injection

SQL Injection occurs when untrusted user inputs are included in SQL queries, allowing attackers to manipulate the database. However, you can avoid this risk by using parameterized queries, which ensure that user inputs are treated as data rather than executable code.

Insecure Code Example:

$query = "SELECT * FROM users WHERE username = '" . $user . "' AND password = '" . $password . "'";

Secure Code Using Parameterized Queries:

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$user, $password]);

Why It Works: A parameterized query sends the fixed SQL text and the user-supplied values to the database separately, so the values can never change the structure of the query. SAST tools flag queries built by string concatenation so you can replace them with this form.
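To show the difference in running code, here is an added example (not the article's own code) that puts the concatenated query beside the parameterized one. It assumes the pdo_sqlite extension and uses an in-memory database with constructed rows and inputs.

```php
<?php
// Added example (not the article's code): the concatenated query beside the
// parameterized one, run against an in-memory SQLite database so it works
// stand-alone (needs the pdo_sqlite extension). Table, rows and inputs are
// constructed for the demo; real code stores password hashes, not passwords.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'pw1'), ('o''brien', 'pw2')");

// Insecure: the SQL text is assembled from user input, so a quote in the input
// becomes part of the SQL grammar. This is the pattern SAST tools flag.
function findUserInsecure(PDO $pdo, string $user, string $pass): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Secure: the SQL text is fixed at prepare time; the values travel separately
// and are never parsed as SQL, whatever characters they contain.
function findUserSecure(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A legitimate username containing an apostrophe: the concatenated query is
// no longer valid SQL, while the prepared statement finds the row.
try {
    findUserInsecure($pdo, "o'brien", "pw2");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(findUserSecure($pdo, "o'brien", "pw2"));
var_dump(findUserSecure($pdo, "alice", "wrong password"));
```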

2. Sanitize User Inputs to Prevent XSS

Cross-Site Scripting (XSS) happens when attacker-controlled input is rendered into a web page and the browser interprets it as markup or script, enabling unauthorized actions or data theft in the victim's session. To avoid this, escape (encode) user input for the context in which it is displayed, at the point where it is written into the page.

Insecure Code Example:

echo "<p>" . $_GET['username'] . "</p>";

Secure Code Using HTML Encoding:

echo "<p>" . htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8') . "</p>";

Why It Works: htmlspecialchars() replaces the characters that have meaning in HTML (<, >, &, and with ENT_QUOTES both kinds of quotes) with entities, so the browser renders the input as plain text instead of parsing it as markup or script.
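The following added example (not from the article) wraps the fix in a small helper and shows why the ENT_QUOTES flag matters when the value lands inside an attribute. All inputs are constructed test strings.

```php
<?php
// Added example (not the article's code): one output-encoding helper and
// what the flags in the article's fix change. All inputs are constructed.
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string (which would silently blank the output).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Untrusted value that the browser would interpret as markup if echoed raw.
$untrusted = "<script>alert('x')</script>";
echo '<p>' . $untrusted . '</p>', PHP_EOL;     // insecure: emitted as a real tag
echo '<p>' . e($untrusted) . '</p>', PHP_EOL;  // secure: emitted as text

// Attribute context: a plain apostrophe is enough to close a single-quoted attribute.
$name = "O'Brien";
// Before PHP 8.1 the default flags leave ' unencoded, so this value ends the attribute early.
echo "<input value='" . htmlspecialchars($name) . "'>", PHP_EOL;
// With ENT_QUOTES the apostrophe is encoded and the value stays inside the attribute.
echo "<input value='" . e($name) . "'>", PHP_EOL;

// htmlspecialchars() covers HTML text and attribute values only; data placed
// inside a <script> block or a URL needs that context's own encoding.
```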

3. Implement Access Control Using “Deny by Default”

Unauthorized access is a major risk when proper access controls are not enforced. To ensure only authorized users can access sensitive resources, follow the "deny by default" principle, where access is denied unless explicitly allowed.

Insecure Code Example:

if ($user_role == 'admin') { /* Admin access */ } else { /* Open access to everyone */ }

Secure Code Using "Deny by Default":

if ($user_role !== 'admin') { die("Access denied"); } else { /* Admin access */ }

Why It Works: This method ensures that access is restricted unless specifically granted, reducing the chances of unauthorized access.
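The one-line check above works for a single role; the added example below (not the article's code) generalizes it to an allow-list in which any role/action pair not explicitly listed is denied. The roles, actions and permission map are constructed for the demonstration.

```php
<?php
// Added example (not the article's code): an allow-list authorizer in which any
// role/action pair not explicitly listed is denied, replacing the "else: open
// access" branch of the insecure snippet. Roles and actions are constructed.
const PERMISSIONS = [
    'admin'  => ['report:read', 'report:delete', 'user:manage'],
    'editor' => ['report:read'],
];

function isAllowed(?string $role, string $action): bool
{
    // Missing role (unauthenticated), unknown role and unlisted action all
    // fall through to the same answer: denied.
    if ($role === null || !array_key_exists($role, PERMISSIONS)) {
        return false;
    }
    return in_array($action, PERMISSIONS[$role], true);
}

// Gate for request handlers: the only way past it is an explicit grant.
function requirePermission(?string $role, string $action): void
{
    if (!isAllowed($role, $action)) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Walk a few cases; only pairs present in PERMISSIONS come out as "allowed".
$cases = [
    ['admin',  'report:delete'],
    ['editor', 'report:delete'],
    ['guest',  'report:read'],
    [null,     'report:read'],
];
foreach ($cases as [$role, $action]) {
    printf("%-7s %-14s %s\n", $role ?? '(none)', $action,
        isAllowed($role, $action) ? 'allowed' : 'denied');
}
```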

4. Secure Cookies to Prevent CSRF

Cross-Site Request Forgery (CSRF) occurs when a malicious site tricks a user's browser into submitting unwanted actions on a trusted website where the user is logged in. To mitigate this, set your cookies with the HttpOnly, SameSite, and Secure attributes: SameSite controls whether the browser attaches the cookie to cross-site requests (the CSRF-relevant attribute), HttpOnly keeps scripts from reading it, and Secure restricts it to HTTPS.

Insecure Cookie Setup:

setcookie("session_id", $session_id);

Secure Cookie Setup:

setcookie("session_id", $session_id, ['httponly' => true, 'samesite' => 'Strict', 'secure' => true]);

Why It Works: SameSite=Strict stops the browser from attaching the session cookie to requests initiated by other sites, while HttpOnly and Secure make the cookie harder to steal, so both CSRF and session hijacking become harder. Cookie attributes are enforced by the browser, so in practice they are combined with per-request anti-CSRF tokens rather than relied on alone.
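As an added example (not the article's code), the snippet below applies the same three attributes to a hand-set cookie, to PHP's own session cookie, and as php.ini defaults. It is meant to run under a web server over HTTPS; the cookie value is constructed.

```php
<?php
// Added example (not the article's code): the same attributes applied to a
// hand-set cookie, to PHP's session cookie and as php.ini defaults. Intended
// to run under a web server over HTTPS; the session id value is constructed.
$flags = [
    'path'     => '/',
    'secure'   => true,      // sent only over HTTPS
    'httponly' => true,      // invisible to document.cookie
    'samesite' => 'Strict',  // never attached to cross-site requests
];

// 1. A cookie you set yourself (the options-array form needs PHP 7.3+).
//    setcookie() takes an absolute 'expires' timestamp.
$sessionId = bin2hex(random_bytes(16));  // constructed; use your framework's session id in practice
setcookie('session_id', $sessionId, $flags + ['expires' => time() + 3600]);

// 2. The PHPSESSID cookie created by session_start() takes the same flags,
//    but expresses its age as a relative 'lifetime' in seconds.
session_set_cookie_params($flags + ['lifetime' => 3600]);
session_start();

// 3. Equivalent php.ini settings, so the defaults stay safe even where a
//    call is forgotten:
//    session.cookie_secure   = 1
//    session.cookie_httponly = 1
//    session.cookie_samesite = Strict
```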

5. Avoid Hardcoded Secrets

Hardcoding sensitive information like API keys or passwords into your source code exposes them to attackers, making your application vulnerable. However, you can avoid this by using environment variables or secrets management tools to securely store sensitive data.

Let’s take you through an example of insecure code identified by SAST:

Insecure Code Example:

$api_key = "mysecretapikey";

Secure Code Using Environment Variables:

$api_key = getenv('API_KEY');

Using environment variables keeps sensitive data out of your source code and out of version control, reducing the risk of accidental exposure. Note that getenv() returns false when the variable is not set, so check the result and fail closed rather than continuing with an empty key.
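The added example below (not the article's code) turns the one-liner into a lookup that also accepts a file-mounted secret and fails closed when nothing is configured. The variable name and the /run/secrets path follow common deployment conventions and are assumptions here.

```php
<?php
// Added example (not the article's code): read a secret from the environment or a
// mounted secrets file and fail closed if it is absent. The variable name and the
// /run/secrets path follow common deployment conventions and are assumptions here.
function requireSecret(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Docker/Kubernetes style file-mounted secret, e.g. /run/secrets/API_KEY
        $file = '/run/secrets/' . $name;
        if (is_readable($file)) {
            $value = rtrim((string) file_get_contents($file), "\r\n");
        }
    }
    if ($value === false || $value === '') {
        // Fail closed instead of continuing with an empty key, and never put
        // the secret itself into an exception message or a log line.
        throw new RuntimeException("Required secret $name is not configured");
    }
    return $value;
}

// Constructed for the demo only: in a deployment the variable is set by the
// process manager, container runtime or secrets manager, never in the code.
putenv('API_KEY=example-value-not-a-real-key');

$api_key = requireSecret('API_KEY');
echo 'API key loaded (' . strlen($api_key) . " characters)\n";  // log the length, not the value
```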

Application Security Services by TRIOTECH SYSTEMS: Stay Secure!

At TRIOTECH SYSTEMS, we are committed to delivering top-tier application security solutions tailored to meet your unique business needs. Our experts specialize in ensuring the safety and integrity of your applications.

Explore Our Application Security Services and Contact us for a free quote!

Conclusion

By following these best practices—using parameterized queries, sanitizing inputs, implementing robust access control, securing cookies, and managing secrets effectively—you can significantly enhance the security of your code. SAST tools play a vital role in identifying vulnerabilities early, helping you address security flaws before they become critical.


Triotech Systems