Optimization of Secure Coding Practices in SDLC as Part of Cybersecurity Framework
DOI: https://doi.org/10.30564/jcsr.v4i2.4048
Abstract: Cybersecurity is a global goal that is central to national security planning in many countries. One of the most active research fields is the design of practices for the development of so-called highly secure software, as a form of protection against, and reduction of, the risks from cyber threats. Using a secure software product in a real environment reduces the vulnerability of the system as a whole. It is therefore logical to seek the optimal way to integrate secure coding into the classic SDLC (software development life cycle). This paper aims to suggest practices and tips that should be followed for secure coding, in order to avoid cost and time overruns caused by late identification of security issues. It presents the implementation of secure coding practices in software development and showcases several real-world scenarios from different phases of the SDLC, together with mitigation strategies. The paper covers techniques for SQL injection mitigation, authentication management for staging environments, and access control verification using JSON Web Tokens.