Published Sep 20, 2019
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
The need for security in all things technology is well known and paramount, and that includes the demand for high security standards in software development. The good news for companies and developers is that numerous security standards already exist that provide exactly those kinds of guidelines and safeguards.
If you are wondering whether in-depth security measures and strict standards are really necessary, consider this…
“…63 percent of internally developed applications are out of compliance with OWASP Top 10 standards when initially assessed for security.”
That translates into a potentially large number of vulnerabilities across many different software packages and programs.
This is no small issue, and the consequences of shipping software without assurance can be expensive. The reputations and possibly the livelihoods of businesses, developers, consumers and many others can be hurt by vulnerable software. That is one of the primary reasons companies value and seek out software providers that can give them such assurance.
Let’s have a look at some of the most important security standards for software development, beginning with the most critical:
Founded in 1901 (as the National Bureau of Standards), NIST (National Institute of Standards and Technology) today maintains many of the standards that affect software development. A great deal of software is produced by many developers and companies, which creates the need for a common language and a shared set of definitions. Much as doctors and lawyers have a vocabulary unique to their fields, so do software developers. NIST has been establishing that kind of shared vocabulary and definition framework for a long time, and today it applies to technology too.
Establishing and maintaining cryptographic standards such as AES (Advanced Encryption Standard, published as FIPS 197) is only one example of NIST's commitment to security. Software itself, and the working lives of developers, would look very different today without the structure and security that NIST provides.
Learn more about NIST in our previous post: NIST – SAMATE
To learn whether your application is susceptible to the vulnerabilities catalogued in NIST's National Vulnerability Database (NVD), try out Kiuwan Insights for free today.
Providing structure for standards and best practices is important in any industry – it is vital in software development. OWASP (Open Web Application Security Project) delivers those essential guidelines. This non-profit, vendor-neutral organization aims to be an unbiased source of software security information. Its mission statement says that its goal is to enable and empower “individuals and organizations…to make informed decisions.”
Have a look at our OWASP Top 10 blog post series. We have extensively covered the different types of vulnerabilities you can encounter and how you can discover them:
- C# OWASP Top 10: how to discover vulnerabilities in your C# applications
- OWASP Top 10 2017 – A1 Injection
- OWASP Top 10 2017 – A2 Broken Authentication and Session Management
- OWASP Top 10 2017 – A3 Sensitive Data Exposure
- OWASP Top 10 2017 – A4 XML External Entities (XXE)
- OWASP Top 10 2017 – A5 Broken Access Control
- OWASP Top 10 2017 – A6 Security Misconfiguration
- OWASP Top 10 2017 – A7 Cross-site Scripting (XSS)
- OWASP Top 10 2017 – A8 Insecure Deserialization
- OWASP Top 10 2017 – A9 Using Components with Known Vulnerabilities
- OWASP Top 10 2017 – A10 Insufficient Logging & Monitoring
CWE (Common Weakness Enumeration) is a little like America’s Most Wanted, except that the entries are categories of security weakness rather than people. Maintained by MITRE, CWE defines a common language for describing software weaknesses and compiles a list of the most frequent security flaws found in software.
The list can serve as a yardstick for software security tools, a kind of litmus test, and as a baseline for identifying, mitigating and preventing software weaknesses. Staying ahead of attackers by finding and eliminating weaknesses early is essential: once software has been compromised it is too late, and security standards exist to stop the attack before it happens.
Find out more information about CWE in our previous blog post: CWE Common Weakness Enumeration
E-commerce keeps growing, and by 2040 around 95% of all purchases are expected to be made online. To prevent payment card fraud, businesses that handle payment information need a clear set of rules for keeping it secure. PCI DSS (Payment Card Industry Data Security Standard) is that set of rules: it defines the compliance requirements for every organization that stores, processes or transmits cardholder data.
Read more about it in our blog post: PCI DSS: All you need to know about it
It’s safe to say that nobody wants to get into a moving car that could fail at any minute, and much of the embedded software that runs the cars we drive every day is written in the C programming language. That’s where MISRA-C comes into play. It is a set of software development guidelines for the C language created by MISRA (Motor Industry Software Reliability Association). It started as a set of guidelines for the safety, security, portability and reliability of embedded code in the automotive industry, and it has since become a standard in other sectors as well: aerospace, telecom and defense, to name a few.
Take a look at our blog post about MISRA-C, if you want to know more information: MISRA: Software Development Guidelines For The C Programming Language
HIPAA (Health Insurance Portability and Accountability Act) is a US law designed to protect private healthcare information. It is made up of five rules:
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule
When it comes to software development, the Security Rule (Security Standards for the Protection of Electronic Protected Health Information) is the most important. It requires administrative, physical and technical safeguards to ensure that electronic Protected Health Information (ePHI) is securely created, received, maintained and transmitted.
The Web Application Security Consortium (WASC) describes itself as “a non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed-upon best-practice security standards for the World Wide Web”. Its main focus is to research, discuss and publish material about web application security issues, with the aim of educating software professionals on how to counter specific threats.
WASC also maintains the Web Hacking Incident Database (WHID), in which security-related incidents are tracked over time. Its purpose is to raise awareness of web application security problems and to provide data for statistical analysis of this type of security incident.
SAP applications are very widely used in companies and organizations worldwide, and they process and manage the most critical and confidential business information and processes. That information must be protected, because the lifeline of most of these companies depends on it.
BIZEC is a non-profit initiative focused on security defects in SAP business applications. Because security threats can be both functional and non-functional, BIZEC helps organizations understand the impact of application security vulnerabilities and prioritize their mitigation accordingly.
SEI CERT C
Like MISRA-C, the SEI CERT C Coding Standard provides rules and recommendations for secure coding in the C programming language. It was created by Carnegie Mellon University’s Software Engineering Institute (SEI), and the goal of its rules and recommendations is to develop safe, reliable and secure systems. Violating a rule may introduce a defect that negatively affects the security or reliability of a system; recommendations, by contrast, are suggestions for improving code quality.
These coding standards are being widely adopted by industry; Cisco Systems and Oracle are among the companies that have integrated them into their own programming standards.
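As an added illustration (not code from the original post, and not SEI's own material), here is what the difference between a rule violation and its compliant form looks like in practice. The two rule names are taken from the SEI CERT C Coding Standard (INT32-C on signed integer overflow and STR31-C on string storage); the function names and the sample inputs are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Noncompliant with CERT C rule INT32-C ("Ensure that operations on
 * signed integers do not result in overflow"): if a + b does not fit in
 * an int, the behaviour is undefined. Shown for contrast only.
 */
int add_unchecked(int a, int b)
{
    return a + b;
}

/* Precondition test in the style INT32-C recommends: detect overflow before adding. */
bool add_would_overflow(int a, int b)
{
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* Compliant version: refuses the operation and leaves *out untouched on overflow. */
bool add_checked(int a, int b, int *out)
{
    if (out == NULL || add_would_overflow(a, b)) {
        return false;
    }
    *out = a + b;
    return true;
}

/*
 * Noncompliant with CERT C rule STR31-C ("Guarantee that storage for
 * strings has sufficient space for character data and the null
 * terminator"): strcpy() writes as many bytes as the source holds,
 * regardless of the destination size. Shown for contrast only.
 */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* True when src plus its terminating NUL fits in a buffer of dst_size bytes. */
bool string_fits(size_t dst_size, const char *src)
{
    return src != NULL && dst_size > 0 && strlen(src) < dst_size;
}

/*
 * Compliant version: the caller passes the destination size, and an
 * oversized source is rejected instead of overflowing the buffer.
 */
bool copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || !string_fits(dst_size, src)) {
        return false;
    }
    memcpy(dst, src, strlen(src) + 1);
    return true;
}

int main(void)
{
    int sum = 0;
    char name[8];

    /* Constructed inputs: the second call in each pair must be rejected. */
    bool ok1 = add_checked(INT_MAX - 1, 1, &sum);              /* fits */
    bool ok2 = add_checked(INT_MAX, 1, &sum);                  /* overflow */
    bool ok3 = copy_checked(name, sizeof name, "alice");       /* fits */
    bool ok4 = copy_checked(name, sizeof name, "bartholomew"); /* too long */

    return (ok1 && !ok2 && ok3 && !ok4) ? 0 : 1;
}
```

The noncompliant functions are never called; they are there so the reader can see exactly which construct a CERT C checker would flag. A static analyzer that implements these rules reports the `a + b` and `strcpy()` lines, while the checked versions pass because the bound is verified before the operation.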
Read more about it here in our blog post: CERT Compliance: Provide Security for your C Applications
SEI CERT J
The SEI CERT Oracle Coding Standard for Java is the equivalent standard for the Java programming language. Like CERT C, it was developed by Carnegie Mellon’s SEI, and it is becoming widely adopted as a secure coding standard for Java development.
Make your software compliant
As mentioned before, security weaknesses damage not only your software but also your wallet. Security standards exist and should be applied so that you can avoid attacks that threaten the livelihood of your company.
Are you aware of any security vulnerabilities present in your code?