South Plains College
Information Services (SPC-IS)
Secure Coding Standard: I-E(f)
Purpose and Benefits
Higher education institutions are under constant cyber-attack by adversaries attempting to exploit computer system vulnerabilities, thereby threatening the confidentiality, integrity, and availability of information. Many of the vulnerabilities that are successfully exploited are due to software coding weaknesses and coding implementation flaws.
This coding standard's objective is to ensure that code is resilient to high-risk threats and to avoid the most common coding errors that create serious software vulnerabilities. While writing code that is entirely impervious to all likely attacks is impossible, implementing these coding standards throughout information systems will significantly reduce the risk of information disclosure, alteration, or destruction due to software vulnerabilities.
Scope
This standard includes all code and scripts written by SPC personnel or contractors hired by SPC to provide coding services.
Information Statement
As per the Information Security Policy: I-A, all software written for or deployed on systems must incorporate secure coding practices before being deployed in production to avoid common coding vulnerabilities and be resilient to high-risk threats.
The items enumerated in this standard are not an exhaustive list of high-risk attacks and common coding errors but rather a list of the most damaging and pervasive. Therefore, the code must contain mitigating controls not only for the items articulated explicitly in the standard below but also for any medium- and high-risk threats that are identified during a system’s life cycle.
High-risk threats include, but are not limited to:
- SQL Code Injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Information leakage and improper error handling
- Missing Authentication for Critical Function
- Missing Encryption of Sensitive Data
- URL Redirection to Untrusted Site ('Open Redirect')
At a minimum, code must eliminate or mitigate the threats identified in the current version of the Open Web Application Security Project (OWASP) Top 10 Most Critical Application Security Risks (‘OWASP Top 10’) and the Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors (‘CWE/SANS Top 25’) publications (see Appendix A).
OWASP and CWE/SANS periodically reissue their respective lists based on vulnerability and exploitation pattern changes. Developers must independently remain aware of updates to these lists and incorporate any new recommendations.
Standard security control libraries and APIs that have undergone security testing are required to ensure a consistent approach that minimizes defects and prevents exploitation. Publicly available or vendor-supplied libraries or APIs should be used unless a business case is developed and an exception is granted by the Information Security Officer (ISO) or the designated security representative to develop a custom library.
Code must be checked for errors throughout development and during maintenance to prevent defects or detect and remove them early, thereby realizing significant cost and schedule benefits to the entity.
Entities must verify that the vendor's software assurance model complies with this standard through vendor assurances, security testing, and/or contract requirements.
Compliance
This standard shall take effect upon publication. Compliance with all SPC policies and standards is expected, and policies and standards may be amended at any time.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.
Related Documents
1 TAC § 202.76
Open Web Application Security Project (OWASP) Developer Cheat Sheets
Open Web Application Security Project (OWASP) Enterprise Security API
Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors (‘CWE/SANS Top 25’)
Common Weakness Enumeration (CWE) List
Carnegie Mellon Software Engineering Institute CERT Secure Coding Standards
Texas Security Controls Standards Catalog Control Group: CA-2, CA-7, CA-8, CA-9, CM-4, CM-7, CM-10
NIST Function Groups: DE.CM-4
Appendix A: Coding Resources
Open Web Application Security Project (OWASP)
The OWASP Top 10 is authored by OWASP, an open-source application security community project that aims to raise awareness of web application security risks. Although OWASP is focused on web application security, the standards and controls presented by this organization are generally also applicable to non-web-based information systems.
In addition to the “Top 10” list, OWASP also produces the Enterprise Security API (ESAPI) library and developer cheat sheets. The ESAPI library is an open-source web application security control library designed to mitigate risks to web applications; it provides a framework for implementing code that addresses the risks listed within the OWASP Top Ten project. The cheat sheets provide a concise collection of high-value information on specific web application security topics.
Additional information regarding OWASP, the ESAPI library and the Top Ten project is available at https://www.owasp.org/.
Common Weakness Enumeration/SANS
The CWE/SANS Top 25 Most Dangerous Software Errors publication is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. The publication is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. These errors are often easy to find and easy to exploit, and they are dangerous because they frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The MITRE website, through the Common Weakness Enumeration (CWE) List, provides detailed guidance to software programmers for mitigating and avoiding each of the common weaknesses enumerated within the Top 25 list.