In my line of work I go to customer sites, scan software, and provide training on using our tools to write secure software. The problem is that while we’re talking about detailed attack categories, we don’t give much detail on how to fix them. There’s usually not enough time to show a developer how to use regular expressions or HTML encoding to block vulnerabilities. Our academic institutions are not really teaching software security, so developers are on their own to learn how to do this.
We will always face the fight of having informed developers, but we can try to make security easier. One way to do this is making the frameworks we use to develop our applications more secure. The major frameworks are getting better at security, but they are still focused on functionality. They are the ones that have the power to make the web more secure, but there’s no pressure for them to do the work.
I’ve looked around the net and haven’t been able to find secure coding libraries that make security easier to implement. There are some that tackle individual attacks, but none that attempt a comprehensive solution. There will never be a full solution, but we can try to put together some of the pieces.
With that being said, I am considering writing a secure coding library for .NET. My initial thoughts are to rewrite the standard .NET controls to force some general validation and encoding. Fighting XSS will be fruitful, but SQL injection may be tougher. The ideal solution is to use parameterized or stored procedures, but a large number of people do not follow this best practice. I will use the OWASP Top 10 2007 as a list of what vulnerabilities to conquer. I’m still struggling with open versus closed source. There are some corporate/government organizations that won’t use open source products, so I may make this closed source but free to download. I’ll continue to think about this. If someone happens to find this post and wants to comment, please do so.