App Development Security Facts
March 19, 2017, Author: Taylor
Secure coding concepts include the following:
| Concept | Description |
| --- | --- |
| Error and exception handling | Error and exception handling is a programming language construct designed to handle the occurrence of exceptions. Exceptions are special conditions that change the normal flow of program execution. An exception is handled (resolved) by (1) saving the current state of execution in a predefined place and (2) switching execution to a specific subroutine known as an exception handler. |
| Input validation | Input validation is the process of ensuring that a program operates on clean, correct, and useful data. Input validation prevents data corruption or a security vulnerability, and uses routines (also called validation rules or check routines) that check the correctness, meaningfulness, and security of data input to the system. |
Be aware of the following:
- Application code is exception-safe if run-time failures within the code will not produce ill effects such as memory leaks, garbled stored data, or invalid output.
- Fuzz testing (also known as fuzzing) is a software testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application. Fuzzing program types are:
  - Mutation-based, which mutate existing data samples to create test data.
  - Generation-based, which define new test data based on models of the input.
- A code review is a systematic examination of an application’s source code. It is intended to find and fix overlooked mistakes, improving the overall quality and security of software. A code review is sometimes called a peer review.
- Baselines are a set of consistent requirements that establish a standard configuration for all systems. With a baseline established, you can more easily identify abnormal activity as well as areas that need improvement.
- Configuration testing is the process of testing an application under development on systems which have various combinations of hardware and software implemented.
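The following added example (not from the original page) ties together input validation, exception safety, and the two fuzzing types described above: a constructed `host:port` validator that rejects bad input only by raising `ValueError`, fed by a mutation-based fuzzer (derived from seed samples) and a generation-based fuzzer (built from a model of the input). Any exception other than `ValueError` is reported as an exception-safety failure. All names, seeds, and the input format are assumptions for illustration.

```python
import random
import string

ALLOWED_HOST = set(string.ascii_lowercase + string.digits + ".-")
SEEDS = ["example.com:443", "localhost:8080", "10.0.0.1:22"]  # constructed samples

def parse_endpoint(text: str) -> tuple[str, int]:
    """Constructed validator: returns (host, port) or raises ValueError only."""
    if not isinstance(text, str) or len(text) > 260:
        raise ValueError("bad type or length")
    host, sep, port = text.rpartition(":")
    if sep == "" or not host or not port:
        raise ValueError("missing host or port")
    if set(host) - ALLOWED_HOST or host[0] in ".-":
        raise ValueError("bad host character")
    # isascii() matters: int() accepts non-ASCII digits that isdigit() also accepts
    if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return host, int(port)

def rejects(text: str) -> bool:
    """True if the validator rejects the input cleanly (ValueError)."""
    try:
        parse_endpoint(text)
        return False
    except ValueError:
        return True

def mutate(sample: str, rng: random.Random) -> str:
    """Mutation-based fuzzing: derive a test case from an existing sample."""
    s = list(sample)
    op = rng.choice(("flip", "insert", "delete", "repeat"))
    if op == "flip" and s:
        i = rng.randrange(len(s))
        s[i] = chr(ord(s[i]) ^ (1 << rng.randrange(8)))  # flip one bit of a char
    elif op == "insert":
        s.insert(rng.randint(0, len(s)), chr(rng.randrange(0x1000)))
    elif op == "delete" and s:
        del s[rng.randrange(len(s))]
    else:
        s = s * rng.randint(2, 50)  # oversized input
    return "".join(s)

def generate(rng: random.Random) -> str:
    """Generation-based fuzzing: build a case from a model of 'host:port'."""
    labels = ["".join(rng.choice(string.ascii_lowercase + string.digits + "-")
                      for _ in range(rng.randint(0, 8))) for _ in range(rng.randint(1, 4))]
    port = rng.choice([rng.randint(-5, 70000), "", "0x50", " 80", "٣"])
    return ".".join(labels) + rng.choice([":", "", "::"]) + str(port)

def fuzz(validator, seeds, rng, rounds=2000):
    """Run both fuzzer types; return inputs that raised anything but ValueError."""
    failures = []
    for i in range(rounds):
        case = mutate(rng.choice(seeds), rng) if i % 2 else generate(rng)
        try:
            validator(case)
        except ValueError:
            pass  # expected, clean rejection
        except Exception as exc:  # any other exception type = not exception-safe
            failures.append((case, type(exc).__name__))
    return failures
```

An empty result from `fuzz` means every generated or mutated input was either accepted or rejected through the intended `ValueError` path; a non-empty list is the bug report.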