The CTO’s Framework for Delivering Secure Software Applications

by Dragan Ilievski

9 min read · Dec 20, 2020

Delivering secure applications is a must in the competitive market of the 21st century. This framework that aims to provide generic guidance for building safe products can help.

To understand how the private sector cybercrime landscape is evolving and help businesses fight e-crime, EY annually conducts in-depth research into the phenomenon.

This year’s so-called ‘Global Information Security Survey’ is based on the answers of 1,750+ respondents across 25 industries in 60+ countries.

It found that the largest part of the cybercrime burden is borne by businesses—in the case of the UK, private sector enterprises face 78% (~£21 billion) of the total cost.

Many businesses are not capable of maintaining their products and designing security requirements for each aspect, and this issue can be presented in the following diagram:

In other words, companies without dedicated Cyber Security teams are designing and delivering products and matching the basic security criteria (which leaves the product to be vulnerable from multiple aspects), at the same time.

Since cyber-experts are rare and expensive to be hired, there is a trade-off solution: Incorporating a framework for delivering secure software applications that will provide generic guidance into the company culture. 

As a security professional with 10 yrs experience in IT, I have been presenting my own framework to my clients.

They have submitted massive positive feedback that this framework worked for their businesses, and they have successfully delivered safe products.

With this framework, every CTO will be able to:

  • Plan security requirements from all aspects of all projects.
  • Get better estimates of the Return on Investment.
  • Roll-out a precise strategy and roadmap which is reusable in every project and domain.
  • Deliver safe and maintained products while leaving room for improvement.

Note: If you have an existing product(s), you might try to adapt to the framework and eventually be compliant—and see the real value of it. On the other hand, you can start from scratch and make sure that you are setting security requirements first and then evolve on the practical side.

Let’s jump right into it! 

The 12 Aspects of the Framework

Authentication

Authentication is the first thing that you need to think about. You need to define requirements for identifying each entity and use that data in the desired context. To start, please be sure that you:

  • Do not hardcode any credentials in the code.
  • Develop a strong reset password system.
  • Implement a Strong password Policy.
  • Implement an Account Lockout mechanism to prevent brute-force attacks.
  • Don’t disclose too much information in the error message.
  • Store all database credentials securely.
  • Run external applications and middleware with minimal privileges.

Input and Output Handling

After you identify a certain entity, you need to make sure that the form in which you are handling its input or output is expected (which improves your overall security by 50%—it's mostly validation).

  • Conduct Contextual Output Encoding before sending any data to the user.
  • Choose white-listing input/output instead of Black-listing.
  • Use Parameterized SQL Queries (Preventing SQL Injection).
  • Use tokens to prevent Forging of the requests.
  • Set general encoding for your application.
  • Validate uploaded Files (extension, content).
  • Use the “Nosniff” Header for uploaded content.
  • Validate the Source of Input (HTTP Verb).
  • Use the X-Frame-Options Header.
  • Use Secure HTTP Response Headers (CSP, X-XSS-Protection, Public-Key-Pin).

Access Control

If Authentication is identifying the entity, I/O is validating the input/output to be in the expected form; the third thing that needs to happen is Authorization.

This is what you need to do:

  • Apply Access Control Checks Consistently.
  • Apply the principle of Least Privilege.
  • Don’t use Direct Object References for Access Control Checks.
  • Don’t use Invalidated Forwards or Redirects.

Session Management

After our entity is Authenticated (Identified) and Authorized (Allowed to do actions in our application), we would need a box in which we can contain it. We would need to have control over the time and actions that are happening in that isolated box, which can be called a session. 

Here, be sure to:

  • Ensure that session identifiers are sufficiently random.
  • Regenerate session tokens.
  • Implement an idle session timeout.
  • Implement an absolute session timeout.
  • Destroy sessions at any sign of tampering.
  • Invalidate the session after user logout.
  • Use secure Cookie Attributes (HttpOnly & Secure).
  • Set the Cookie domain and path correctly.
  • Set the Cookie expiration time.

Data Protection & Storage

With our previous aspects, we have created the context for our entities. Now the next step is to protect the content in each of the entities—the data itself.

  • System credential storage facilities need to be used to store every sensitive data.
  • No sensitive data should be stored outside of the app container.
  • No sensitive or PII Data needs to be written to application logs.
  • No sensitive data is shared with third-parties unless it’s a necessary part of the architecture.
  • The keyboard cache is disabled on text inputs that processes sensitive data.
  • No sensitive data is exposed via IPC mechanisms.
  • No sensitive data such as passwords is exposed through the UI.
  • Use HTTPS everywhere.
  • Disable HTTP Access for all protected resources.
  • Use the Strict-Transport-Security Header.
  • Store user passwords using a Strong, Iterative & Salted hash.
  • Securely exchange encryption keys.
  • Setup Secure Key Management Process.
  • Turn off weak TLS Configuration on the servers.
  • Use Valid HTTPS Certificates from a reputable CA.
  • Disable Data Caching using Cache Control Headers.
  • Limit the use and storage of sensitive data.

Configuration

Configuration is always dependent on the use case (the functional aspects as well), so here you should define the following:

  • Define profiles for “Development”, “Testing”, “Pre-Production”, “Production”.

Error Handling & Logging

Logging and error handling is a crucial part of your software. It’s really important to keep relevant logs that can help in recovering from incidents or detecting the issue that is happening. Please make sure to log in:

  • all authentication activities
  • all privilege changes
  • administrative activities
  • access to sensitive data

Don't:

  • log inappropriate data (PII or confidential)
  • reveal generic error messages
  • allow unhandled exceptions

Code Quality & Build Process

You should also roll-out a code quality and build a process to make sure that your application is developed properly and released with proper configuration. Every misconfiguration helps attackers bypass your application and exploit your components. Consider hiring QA engineers for this process.

Please make sure to do the following:

  • The product is signed and provisioned with a valid certificate, of which the private key is properly protected.
  • The app has been built in release mode, with settings that are appropriate for a release build.
  • Debugging symbols have been removed from native binaries.
  • Debugging code and developer assistance code have been removed.
  • All used libraries and frameworks are identified and checked for known vulnerabilities.
  • The app catches and handles possible exceptions.
  • Error handling logic in security controls denies access by default.
  • In unmanaged code, memory is allocated, freed and used securely.
  • Security features by the toolchain are activated by default.

Platform

The platform should take care of providing a generic layer of abstraction in which you can set certain validations on a high-level. This is usually a good place to define with consulting software architects or security architects.

  • The app requests the minimum set of permissions necessary.
  • All inputs from external sources and the user are validated and, if necessary, sanitized.
  • The app does not export sensitive functionality via custom URL schemes.
  • Uploading & downloading resources is validated by extension.

Network

On the network level, there are certain things that can be done to protect you and make the transit of data obfuscated and optimized.

  • Data needs to be encrypted on the network using TLS.
  • The TLS setting needs to follow the current best practices.
  • The app needs to verify the X.509 certificate on the remote endpoint.
  • Network compression can be implemented if possible.

From a cryptography aspect, you need to set up good obfuscation approaches so you can prevent decoding sensitive data. If someone steals the information, they would have the information in an obfuscated form, which doesn’t mean anything to them without the key (and that’s how you will protect yourself in-depth).

Cryptography

The app:

  • does not rely on symmetric cryptography with hardcoded keys
  • uses proven implementations of cryptographic primitives
  • does not use deprecated protocols for security purposes
  • does not re-use the same cryptographic key for multiple purposes
  • All random values are generated using a sufficiently secure random number generator.

Architecture

The highest layer needs to be properly set up, so the project is scalable and allows optimized performance while implementing security controls.

  • All app components are identified and known to be needed.
  • Security controls are enforced on the respective remote endpoints.
  • A high-level architecture has been defined and documented.
  • Data considered sensitive in the context of the app is clearly identified and documented.
  • The app should comply with privacy laws and regulations.

Tooling & Technologies

Certain tools and third-party solutions can help in better management, measurement and propagating the framework requirements to the teams:

Visual Representation & Measuring of Progress

  • https://app.diagrams.net/: Free Web application that allows you to create diagrams.
  • Azure DevOps or Jira: Bug Management systems that can reflect the framework as tasks propagated to the teams.

Code Quality

  • SonarQube: Tool that can be integrated on code-level that will validate certain rules.
  • Checkmarx: Static Code Analysis tool.

Summary

Cyber Security professionals have a deeper understanding of every single aspect that we mentioned previously in our text.

As such, they can be a crucial element of any company. The disappointing fact is they're scarce and expensive.

With that being said, following a framework is your second best option.

Having the previously mentioned framework in place is a good option. It will provide general guidance and ensure your company will implement security controls in its culture and minimize the risk from outside and inside attacks.

Thank you for your time. I hope you found this article quite useful.