The document discusses the critical importance of secure coding practices in software development, highlighting various vulnerabilities such as SQL injection, cross-site scripting, and broken access control. It emphasizes the need for developers to utilize secure coding guidelines, adopt automated security measures, and maintain a culture of security awareness within their teams. Furthermore, it illustrates that proactive security measures can significantly reduce the risk of security incidents and the cost of fixing vulnerabilities post-release.

1. Jaap Karan Singh
Co-Founder & Chief Singh @ Secure Code Warrior
How to code securely:
A crash course for non-coders

2. Everything is powered by
technology

3. TECHNOLOGY LETS YOU AVOID NAGGING
PHONE CALLS FROM YOUR PARTNER...
Source: https://www.pinterest.com/pin/678214025109991726/

4. We are not a bank, we
are a technology
company with a
banking license
- EVERY BANK EVER

5. What's
behind all this
technology?
111 BN
NEW LINES OF
CODE EVERY YEAR
22 M
DEVELOPERS

6. Cyber security is
now mainstream
No longer guys with hoodies lurking in the shadows

7. Consumer trust
is everything
DIGITAL BANKING AND CYBER SECURITY

8. - INFORMATION IS BEAUTIFUL
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

9. 90%
security incidents result from
defects in the design or code
of software
- DEPARTMENT OF HOMELAND SECURITY
Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf

10. Are developers unaware
or is security really hard?!
IT'S THE LATTER.

11. Let's look at some code
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE
account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE
account_number = to"
print "Debit: from -amount, Credit: to +amount"

12. Does this code have
any vulnerabilities?
YES. SEVERAL ACTUALLY!

13. SQL
Injection
WHAT IS IT?
User input used in a
database query without
validation
WHY IS IT BAD?
Execute additional
transactions and actions
Exfilterate data
Connect to other systems on
the network

14. DATA BREACH
77 MILLION RECORDS STOLEN
Sony Hack
"From a single injection, we accessed
EVERYTHING". Passwords, home
addresses and other personal
information was stolen.
Source: https://www.bbc.co.uk/news/business-13636704

15. Cross-site
Request
Forgery
WHAT IS IT?
Replay actions on behalf of a
logged in user
WHY IS IT BAD?
Unauthorised
Attack typically hidden so
user does not realise

16. Good joke, wasn't it?
While you were reading this joke on
your favourite pass time website, I
processed 5 transactions
transferring over 1 billion dollars in
the background!Source: https://www.pinterest.com/pin/777011741929294349/

17. Cross-site
Scripting
(XSS)
WHAT IS IT?
Attack the users of the
application by executing
malicious code on their
browser
WHY IS IT BAD?
Execute unauthorised
transactions and actions
without the user realising
Looks like legitimate traffic
to the website

18. Samy the
worm
SPREAD LIKE WILDFIRE
Fastest spreading virus of all time - 1
million users affected in less than 24
hours
UNPRECEDENTED IMPACT
MySpace had to take the site offline
to remove the worm
Source: https://www.vice.com/en_us/article/wnjwb4/the-myspace-
worm-that-changed-the-internet-forever

19. But wait,
there's
more!
BROKEN ACCESS CONTROL
We never checked if the account belonged
to the user
BUSINESS LOGIC PROBLEMS
Does your account have enough balance?
SENSITIVE DATA EXPOSED
Data between client and server are sent
over plaintext and cached by default
INSUFFICIENT LOGGING &
MONITORING
If something were to go wrong, how would
we find out more details?

20. Let's look
at the
numbers
4
LINES OF CODE
7
VULNERABILITIES
We could have kept going, but you get the point

21. Let's fix the
vulnerabilities and
secure our code

22. SQL Injection
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE
account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE
account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"

23. Cross-site request forgery
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE
account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE
account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"

24. Broken access control
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"

25. Finally looks like this
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
if account.balance < amount
throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"

26. Side by side comparison
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE
account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE
account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
if account.balance < amount
throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit:
html_escape => to, html_escape => +amount"
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount)
WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount)
WHERE account_number = to"
print "Debit: from -amount, Credit: to +amount"

27. 3.5x
more code needed
to make it secure

28. To do things right,
you would need
superheroes
Normal coders don't stand a chance!

29. Developers
don't think
about security
all day
We need to make
security easy and
accessible
FUN FACT

30. How do we scale
secure coding?

31. Stand on the
shoulder of
giants
DON'T RE-INVENT THE WHEEL
Avoid implementing security features
yourself, eg. encryption
RELY ON BATTLE-TESTED
ENTERPRISE LIBRARIES
Vetted by security experts, active
developer community, security mindset

32. Stand on the
shoulder of
giants
USE SECURE DEFAULTS
Most enterprise grade libraries come with
a security guide
Read it and create an internal best
practices guide or base library.
Do it once, reap the benefits
over and over again
PATCH AND UPDATE
DEPENDENCIES REGULARLY
Hackers can fingerprint technology stack
Exploit based on known vulnerabilities

33. - NO ONE EVER
"I LOVE UPDATE SCREENS"
Source: fakeupdate.net

34. 60-80%
of a commercial codebase is
typically open source libraries
60% VULNERABLE
of those scanned
EQUIFAX CREDIT
BUREAU
public example of things gone
wrong
Why is
patching
important?

35. Security
automation
CATCH BUGS EARLY
Security bugs are inevitable, provide early feedback
loops through automated testing
REDUCE HUMAN EFFORT
AND SAVE $$$
Low hanging fruit should be caught by machines,
not humans
EMED SECURITY INTO
DEVELOPMENT WORKFLOW
AUTOMATE AND GET OUT
OF THE WAY
Security tools can sometimes be slow. Anything
embedded into the workflow needs to be fast and
pain-free

36. Embed security automation
into the workflow
CODE BUILD TEST DEPLOY
IDE Plugins
Security Unit Tests
Static Source Code
Analysis (SAST)
Software Composition
Analysis (SCA)
Dynamic Application
Security Testing (DAST)
Container Scanning
Runtime Application
Self-Protection (RASP)
Bug Bounties

37. Architecture and design
SOLID FOUNDATIONS TO SET YOURSELF
UP FOR SECURITY SUCCESS

38. 30x
more costly to fix defects
after release compared to
design phase
30x
Source: ftp://ftp.software.ibm.com/software/rational/info/do-more/RAW14109USEN.pdf

39. INFRASTRUCTURE DESIGN
Design to minimise attack surface and reduce risk
posture of the application
THREAT MODELLING
Understand the risk level of your application, data
it collects and processes and any regulatory
requirements
SECURITY AUTOMATION
Automate from the start, easier than climbing a
steep hill all at once
Architecture
and design

40. Security awareness
and culture

41. Am I rewarded or
punished for
reporting security
issues?
AVOID A TOXIC WORK
ENVIRONMENT

42. Developer
Training
THREAT LANDSCAPE AND
RESPONSIBLITY
Cost to the business of a security incident, impact
of vulnerabilties and duty to protect customer and
business data
FOCUS ON DEFENSIVE SKILLS
Proactive controls, internal secure coding
guidelines
Don't turn developers into hackers - that's not
their job
SOFTWARE SECURITY
FUNDAMENTALS TRAINING
High level overview for support staff: Business
Analysts, Project Managers, Product Managers etc

43. BUILD ON THE
SHOULDER OF
GIANTS
THINK ABOUT SECURITY
DURING ARCHITECTURE AND
DESIGN PHASE
HOW DO YOU
CODE SECURELY?
EMBED AND AUTOMATE
SECURITY IN THE
DEVELOPMENT WORKFLOW
BUILD A SECURITY
CONSCIOUS CULTURE IN
YOUR BUSINESS
PATCH,
PATCH
AND
PATCH
AGAIN