How clean code can help developers prevent vulnerabilities [Q&A]
Every year, thousands of code vulnerabilities are discovered, patched and publicly disclosed to improve security for current and potential users.
But many of these vulnerabilities share common features, so what can developers do to write better code that prevents vulnerabilities from entering their apps and services in the first place? We talked to Johannes Dahse, head of R&D at clean code specialist SonarSource, to find out.
BN: What are some of the recent security vulnerabilities discovered in widely used applications?
JD: Vulnerabilities are discovered daily, and if exploited, can negatively impact the performance and security of businesses. The US government's National Vulnerability Database (NVD), which is fed by the Common Vulnerabilities and Exposures (CVE), currently lists over 176,000 vulnerabilities. Ethical researchers play an important role in not only discovering code vulnerabilities but also looking at real-world cases, new techniques and enhancements to identify and prevent such attacks.
Some security vulnerabilities discovered in popular applications are:
SmartStoreNET: a leading open-source e-commerce platform for .NET that provides advanced features like CRM tools, a blog, and a forum. A SmartStoreNET instance stores extremely sensitive data such as credit cards and financial info, and personally identifiable information. Two Cross-Site Scripting bugs, CVE-2021-32607 and CVE-2021-32608, were discovered and impacted SmartStoreNET 4.1.1. These vulnerabilities allow attackers to gain control of the server and perform actions with the victim’s set of privileges, potentially compromising e-commerce stores, interception of money transfers, and personal information. The persistent nature of these bugs also make it easier for the attacker to enforce malicious activity on the victim's interactions.
BN: What commonalities are found in these code vulnerabilities?
JD: There are many different types of exploitable security issues such as SQL injection, XSS, path injection, code injection, and more. In fact, even complex, hardened code bases can have critical faults. One thing all exploited vulnerabilities have in common is that they are in the source code of the business application. However, the good news is that many of these security flaws can be discovered and fixed early in the development process.
BN: How can clean code help development teams identify these vulnerabilities -- and ideally prevent them?
JD: We all know the crucial role developers play in delivering new and improved features to meet the demands of businesses today. Developers strive to do a good job of delivering functionally accurate and bug-free code. Over the years, they have naturally embraced 'quality' as part of their coding workflow. Security should not be any different. Developers are best positioned to own the security aspects of the code as well because they own the code.
If developers are equipped with the right tooling as part of their existing DevOps workflow and the appropriate education to address issues, then the feedback loop to find and fix issues is inherently shortened. Adopting clean code best practices at the right time and place in the development workflow enables teams to improve the quality and security of their codebase. This practice naturally becomes a part of their daily routine and reduces the chance of recurring or exposed vulnerabilities.
BN: Why is the concept of 'clean as you code' important to software security?
JD: Security problems can arise in code that has not been properly maintained, is unreliable, or is of lower quality. The 'clean as you code' method addresses security at the core. The developer who has the complete context can fix security issues in the moment, as opposed to weeks or months later or even worse, when bad actors find them. Instituting a quality gate keeps code with critical or high severity issues from being released to production.
The benefit of this approach is twofold. The overall workload on security teams is greatly reduced as fewer issues reach audit. Developers are able to address issues as part of their workflow when the code is still fresh. The outcome is a simplified and effective method for managing code security.