Why software security is a skill every programmer should have

0

As a programmer or developer, the importance of building secure applications cannot be overstated.

Software security deals with managing malicious attacks by identifying potential software vulnerabilities and taking the necessary precautions to guard against them.

Software can never be 100% secure because a developer can ignore a bug, create new bugs to try to fix existing cases, or create new vulnerabilities through updates.

However, there are two key practices that all software developers can use to ensure they are building secure software: write secure code in the first place, and test your code effectively.


How to write secure code

Writing secure code comes down to one thing: error handling. If you can anticipate every potential value a user might feed into your application and create a response in your program for that value, then you are writing secure code.

It’s a lot easier than you think because all good developers know almost everything about the apps they’re developing. Therefore, you must know every value that your application requires to perform a task (the trusted values) and understand that any other possible value that exists is an untrusted value.

Write secure code

Suppose you want to create a program that accepts only two integer values ​​from a user and performs an addition operation on them. With this single sentence, like a good developer, you now know everything about your application. You know all the values ​​this program will accept (integer values) and you know the task this program will perform (an addition operation).

USE VIDEO OF THE DAY

Creating the program in the Java example


import java.util.Scanner;
public class Main {
//The main function that executes the program and collects the two values
public static void main(String[] args) {
System.out.println("Please enter your two integer values: ");
int value1;
int value2;
Scanner input = new Scanner(System.in);
value1 = input.nextInt();
value2 = input.nextInt();
addition(value1, value2);
input.close();
}
//the function that collects the two values and displays their sum
private static void addition(int value1, int value2) {
int sum;
sum = value1 + value2;
System.out.println("The sum of the two integer values you entered: "+ sum);
}
}


The above code produces an application that precisely matches the requirements. When run, it will produce the following line in the console:


Please enter your two integer values:

The application will then remain paused until the user enters two integer values ​​into the console (i.e. typing the first value, pressing the enter key and repeating).

If the user enters the values 5 and 4 in the console, the program will produce the following output:


The sum of the two integer values you entered: 9

It’s good; the program does exactly what it should do. However, if a malicious user arrives and enters a non-integer value, such as “g”, into your application, there will be problems. This is because no code in the application protects against untrusted values.

At this point, your app will crash, creating a potential gateway to your app for the hacker to know exactly what to do next.

Securing Your Example Program


import java.util.InputMismatchException;
import java.util.Scanner;
public class Main {
//The main function that executes the program and collects the two values
public static void main(String[] args) {
try {
System.out.println("Please enter your two integer values: ");
int value1;
int value2;
//using the scanner class to read each input from the user,
//and assign it to is respective variable (throws an exception if the values are not integers)
Scanner input = new Scanner(System.in);
value1 = input.nextInt();
value2 = input.nextInt();
//calls the addition function and passes the two values to it
addition(value1, value2);
//closes the input stream after it has come to the end of its use
input.close();
//handle all the errors thrown in the try block
}catch(InputMismatchException e){
System.out.println("Please enter a valid integer value.");
}catch(Exception e) {
System.out.println(e.getMessage());
}
}
//the function that collects the two values and displays their sum
private static void addition(int value1, int value2) {
int sum;
sum = value1 + value2;
System.out.println("The sum of the two integer values you entered: "+ sum);
}
}


The code above is safe because it performs exception handling. Therefore, if you enter a non-integer value, the program will exit successfully producing the following line of code:


Please enter a valid integer value.

What is exception handling?

Essentially, exception handling is the modern version of error handling, where you separate error handling code from normal processing code. In the example above, all of the normal processing code (or code that could potentially throw an exception) is in a to try block, and all error handling code is in to grab blocks.

If you take a closer look at the example above, you will see that there are two catch blocks. The first takes a InputMismatchException argument; this is the name of the exception thrown if a non-integer value is entered. The second takes a Exception argument, and that’s important because its purpose is to catch any exceptions in the code that the developer didn’t find during testing.

Related: Java Exceptions: Are You Handling Them Correctly?

Test your code

You should never underestimate the power of testing and retesting your code before packaging it. Many developers (and users of their apps) find new bugs once the software is released to the public.

Thoroughly testing your code will ensure that you know what your app will do in every conceivable scenario, helping to protect your app against data breaches.

Related: How to Land Your First Software Testing Job

Take the example above. What if, when finished, you only test the application with integer values? You may exit the application thinking that you have successfully identified all potential errors when you have not.

The thing is, you might not be able to identify all potential errors; this is why error handling goes hand in hand with testing your code. Testing the program above shows that a potential error will occur in a specific scenario.

However, if there is another error that didn’t show up during testing, the second catch block in the code above will handle it.

Secure your database

If your application connects to a database, the best way to prevent access to that database is to ensure that all aspects of your application are secure. However, what if your application is designed for the sole purpose of providing an interface to said database?

This is where things get a little more interesting. In its most basic form, a database allows a user to add, retrieve, update, and delete data. A database management system is an application that allows a user to interact directly with a database.

Most databases contain sensitive data, therefore, to maintain integrity and limit access to this data, there is one requirement: access control.

Access control

Access control aims to maintain the integrity of a database by defining the type of people who can access a database and limiting the type of access they have. Therefore, a good database management system should be able to record who is accessing the database, at what time and what they have done.

It should also be able to prevent a registered user from accessing or modifying data they are not authorized to interact with.

Software security is a crucial skill for all developers

Developing good software is synonymous with ensuring that your software can withstand any malicious attack. This can only be achieved by writing secure code, continually testing an application, and maintaining control over who has access to your data.

Now that you know how to secure your software, you may want to learn more about some stages of software development.


software planning

6 Stages of Software Development Every Programmer Should Know

Read more


About the Author

Share.

Comments are closed.