The source code and repositories that make up an application can represent hundreds or thousands of hours of work and comprise important intellectual property for an organization. Organizations must be prepared to take multiple levels of risk mitigation to protect the code, as well as the applications.
- Security of the software environments. Historically, security has been an afterthought or a bolt-on after an application has been developed and deployed, instead of a part of the lifecycle. When developing an application, considerations must be made for the databases, external connections and sensitive data that are being handled by the application.
- Security weaknesses and vulnerabilities at the source-code level. The MITRE organization publishes a list of the 25 most dangerous software errors that can cause weaknesses and vulnerabilities in an application (http://cwe.mitre.org/top25/#Listing). For example, if an input field is not verified for content and length, then unexpected errors can occur. Additionally, if file access or encryption is lacking in an application, then users could potentially access information that they do not have permissions for. Code reviews, static analysis, testing and validation can all help mitigate risks in developing software.
- Configuration management as an aspect of secure coding. The change control process should be tightly integrated with development to ensure that security considerations are made for any new requirements, features or requests. A centralized code repository helps in managing changes and tracking when and where revisions to the code. The repository can track versions of an application so you can easily roll back to a previous version if necessary.
- Security of code repositories. The version control system that houses source code and intellectual property is the code repository. There might be different repositories for active development, testing and quality assurance. A best practice for securing code repositories is to ensure that they are as far away from the internet as possible, even if that means that they are on a separate internal network that does not have internet access. Any remote access to a repository should use a VPN or another secure connection method.
- Security of application programming interfaces. There are five generations of programming languages. The higher the generation, the more abstract the language is and the less a developer needs to know about the details of the operating system or hardware behind the code. The five generations are:
- Machine language. This is the binary representation that is understood and used by the computer processor.
- Assembly language. Assembly is a symbolic representation of the machine-level instructions. Mnemonics represent the binary code, and commands such as ADD, PUSH and POP are used. The assemblers translate the code into machine language.
- High-level language. High-level languages introduce the ability to use IF, THEN and ELSE statements as part of the code logic. The low-level system architecture is handled by the programming language. FORTRAN and COLBOL are examples of generation 3 programming languages.
- Very high-level language. Generation 4 languages further reduce the amount of code that is required, so programmers can focus on algorithms. Python, C++, C# and Java are examples of generation 4 programming languages.
- Natural language. Generation 5 languages enable a system to learn and change on its own, as with artificial intelligence. Instead of developing code with a specific purpose or goal, programmers only define the constraints and goal; the application then solves the problem on its own based on this information. Prolog and Mercury are examples of generation 5 programming languages.
For solution, online support and query email us at .