Whitepaper: How to Select and Implement the Right Secure Coding Standard

Software security starts with a product’s initial concept and continues through the deployment lifespan. Coding standards are an effective way to build security in from the beginning of development.

Learn about the most used coding standards and find out how and when to implement them into your software development process.


Download the full whitepaper to get the breakdown of coding standards, plus insights on how to implement your chosen coding standard to build security into your software from the start.

Here’s what you’ll learn:
  • The purpose of secure coding standards
  • A guide to secure coding standards
  • How to successfully implement a coding standard

With the exponential increase in cybersecurity incidents, software companies are placing greater emphasis on improving application security practices. Historically, security testing happened in the late stages of the development cycle. Thanks to the rise of agile and DevOps, testing efforts are intended to take place earlier in the cycle, reducing costs and increasing effectiveness. In the case of application security, SAST, or static code analysis, is necessary. Organizations are now relying on secure coding standards to address security at the code level and ensure it’s built in from the beginning of development.

Before you dive headfirst into coding standards, you’ll want to start by understanding the unique functions of each standard, as well as the approach to software security they’re designed to promote. Remember, software security is a software engineering issue. It begins with the initial product concept and continues throughout the lifecycle. It’s worth noting: the software development lifecycle is often far longer than you’d think. For instance, there are plenty of computers running Windows 95 today, but security patches are mostly unavailable.

A major component of good software engineering is developing quality code. In many cases, code is held up to established best practices written into standards. Standards are used to ensure work is done properly based on recognized industry best practices. Software standards serve the same purpose.

Software coding standards are made up of best practices built upon many years of experience, designed to harden code and avoid bad practices that result in poor quality and security. These standards promote healthy practices that create resilient code. Security standards are based on best practices in addition to guidance on how to prevent the vulnerabilities and attacks observed over time.

  • There are quite a few security standards in the software industry. Some provide general guidance on system-wide security practices and procedures, but not necessarily code-specific guidelines.
  • Others do provide specific recommendations on secure coding standards.
  • Standards such as GDPR and HIPAA require sound engineering practices, but don’t offer direct guidance on software coding standards.
  • From a software code perspective, consider the standards that define explicit coding guidelines like the CWE Top 25, OWASP Top 10, and SEI/CERT.
  • There are many security and privacy guidelines available, and it can be hard to know what applies to a product under development. Sometimes, the intended use of the product dictates the standard. Consider the following examples: automotive software could require MISRA or AUTOSAR, or IoT devices may require UL 2900 certification. In instances such as these, the choice is already made.
  • If there aren’t guidelines established specifically for your market, it’s better to start with an easy-to-adopt guideline that can be used with static analysis and has a high impact on application security.

 Types of secure coding standards

Explicit

Implicit

  • CWE - Common Weakness Enumeration
  • OWASP
  • SEI/CERT
  • PCI DSS
  • UL 2900
  • GDPR
  • HIPAA
  • DISA-ASD-STIG 

 

Once you’ve taken on a standard, it’s really important to use a smart approach to adoption. Commonly, software teams will adopt a standard and try to enforce it too stringently. Then, everyone becomes overwhelmed with the results. For these reasons, be sure to use a pragmatic approach to implement a coding standard:

  1. Cover as much of the standard as possible using static analysis.
  2. Tune the configuration.
  3. Use preventive checkers to eliminate problems where possible.
  4. Start as small as necessary and grow as you’re able to.

Remember, not all static analysis tools are the same. Every tool is more than the analysis engine alone. While the quality of the analysis is important, storage and results analysis matter too. It’s also important that your tool of choice integrates with other development tools, like IDEs and CI/CD pipeline tools. Here are the primary features that ensure quality and security, but also quicken the adoption of tools into the development workflow:

  • Support to run in your IDE
  • Support to run on build servers and CI systems
  • Centralized configuration control
  • Centralized reporting, audit and analytics
  • Full range of checkers

About Parasoft

Parasoft’s software testing solutions support the entire software development process, from when the developer writes the first line of code all the way through unit and functional testing, to performance and security testing, leveraging simulated test environments along the way. Parasoft's unique analytics platform aggregates data from across all testing practices, providing insights up and down the testing pyramid to enable organizations to succeed in today's most strategic development initiatives, including Agile/DevOps, Continuous Testing, and the complexities of IoT. Parasoft’s automated software testing innovations fuel software development organizations, helping teams reduce the time, cost, and effort of delivering high-quality software to the market.