Architecting Secure-First Software for Developers by Mahesh Chand | Code Quality Conference 2023
Oct 30, 2023
In this session, software developers will learn what and how to architect software apps that are secure and hack-proof.
Conference Website: https://codequalityconf.com
🔗 C# Corner - Community of Software and Data Developers
https://www.c-sharpcorner.com
📺 CSharp.TV - Dev Streaming Destination
#CSharpCorner #CodeQualityConf #CSharpTV
0:00
thank you david for having me at this code quality conference this is amazing
0:06
you're doing this for you know 30 years in a row um today i'm going to talk about how to build
0:13
secure first software and secure first is term i just coined out there um and then i'm also going
0:23
to bring a guest a little later simon just watch out for Praveen Malik he's going to come
0:28
He can join the show whenever he's available, but I'm going to bring him a little after 25 minutes or so
0:37
Praveen is actually a vice president and senior security professional, works with large corporations
0:45
And right now he's a vice president of security at a big bank
0:50
So he will talk about some as well. So, yeah, let's get this started
0:55
My name is Mahesh Chand. I'm founder of C# Corner, the community that's bringing this conference. I also founded
1:04
Mindcracker Inc, it's a consulting firm here in Philadelphia. My background is software architect
1:11
so I work a lot of software architecture when we are building new software and that's how I got to
1:15
learn all these tips and tricks which we are going to share we are going to learn today here in this
1:21
session is um so what are we going to learn in this session and who this for this session is for
1:29
software architects um software developers anybody who wants to learn how to build secure software
1:39
and the we will also a little bit talk about what is security first design principle is
1:46
what does that mean um you're going to learn how to build a secure front ends what you look for
1:52
when you're building secure back end talk about some it security and then i'm going to add some
2:00
twist to this security is the how the how current you know ai and blockchain can add the the layer
2:09
of security to your software and i'm sure you have heard of ai and blockchain by now
2:16
yeah ai and blockchain are going to play a major role when you're building a secure software
2:22
so let's get started um so what is security first design principle this is not somebody
2:30
there's not nobody invented this called security first design principle i just
2:34
created this term just to make separate my session so the idea with security first design principle
2:40
is when you are building think about when you're starting a new project when you start
2:45
starting a new software project. It can be a website, it can be a mobile app, it can be an enterprise app, it can be a large system with multiple apps
2:58
So when we are designing this first time as software architects, we don't put security as a part of our design and architecture phase
3:07
Security first design principle says that security needs to be part of your design and architecture phase
3:15
It cannot come later. Right now, in most cases, what we do is we build the software using some of the more of those frameworks
3:25
And then we think of security later. And we rely a lot more on IT security
3:30
as a software architects and developers we automatically assume that when we are building
3:36
this app it's going to be secure by the by the it security of that company or cloud hosting and so
3:45
on and so forth but that's exactly where we get it wrong as a software architects and developers
3:50
it is also our responsibility to build secure software hopefully that makes sense also please
3:59
please please please feel free to ask your question post your questions i'm going to take
4:04
these questions a little later part of this session i'm not going to show you any coding here
4:10
i'm not going to show you any hands-on all i'm going to do is talk through these that as an
4:16
architect when you're building a new software what you need to think and write you know there's
4:22
detailed articles are already published on these topics on c-sharp corner so if you want to go
4:28
learn how to do that how it's being done there is a bunch of articles i have written in somebody
4:34
some other authors have written on c-sharp corner so anyway first point is that when you are
4:42
designing and architecting a new product you need to think about security at that point right there
4:48
and make that as part of your design and architecture phase second is enterprise-wide
4:54
awareness of security is very important what i'm seeing again and again and we all seeing this again
5:00
and again that entire enterprise does not know or concern or understand the security
5:08
everybody at least in your it team should understand should know either it's a is a
5:14
backend developer front-end developer engineers architects devops testers even it guys they may
5:22
not involve in design and architecture phase they may not involve in security decisions but they
5:27
should all understand what software security is what are the what are the consequences if you
5:35
don't write a secure software if more awareness we build within organization better i think we will
5:43
build these systems and give you an idea the security is probably one of the major concern
5:49
in its IT field today. There was a survey there that 65% of CTO and CIOs are
5:58
they can't sleep because of their security of their data and their applications
6:03
That's a big number. And there's billions of billions of dollars being spent each year
6:08
on not only just giving money to the hackers, but also figuring out how to secure their data
6:18
Billions of billions. It's a big number out there. Also there is going to be a big lack, big shortage of actually our
6:26
security professionals in coming time so this is also a good feel for anybody younger students or
6:32
somebody's trying to get into it space security is a big big big area where there's going to be
6:39
a big demand coming up and it's right now there's a lack of security professionals
6:43
so let's let's get this going so this gives you a little idea when you you know to me what i'm
6:51
trying to point i'm trying to make here is that whenever you're designing a new software make sure you spend a little bit time on security
6:57
so let's talk about the software security when you think of software security
7:05
there are five major areas where you know you need to think that how to secure these areas there's a
7:13
front end, back end, databases, servers and network. And each of these security is managed
7:23
and implemented by different people. It's not just one person that does all of the security. Okay, that's where we get it wrong. We think that as a software developer, and I used to be the same way as a software developer back in the day
7:37
i used to think is that all i have to do is build an application build a website
7:41
and then my company it security team is separate they will take care of it but that's another
7:47
problem is that in our bigger large corporations the it teams with this that manages security
7:53
they don't really talk to developers because they don't talk to each other that's when there is a
7:59
gap between understanding the security as a whole so communication between these two teams is very
8:05
important either you are a dba either you are a it security either you are a cyber security you
8:12
are a developer you are trying to build secure app they all have to think as a it's a it's an
8:18
enterprise wide application uh implementation okay that's how we have to think so in this uh
8:25
today's session what i'll do is i'll run through these front and back in all these areas and how to
8:31
you know some of the tips out there what you can do to build these secure all these you know think
8:37
of this like you have a home in your home you have these five windows and doors front end back
8:43
and in apis databases servers and network then how do you secure all of them if one of them is not
8:50
secure if you're let's say you have a home and it has 11 doors and windows and one window a small
8:57
window is open hackers can just get in there thieves can come in there from that one window and
9:02
steal it it doesn't matter if your rest of the 10 windows and doors are secure make sense hopefully
9:09
that makes sense all right so front-end security front-end security and a lot of people think that
9:19
the hackers always come direct to the servers or databases and they hack their applications but what
9:25
we learn in recent data is that majority of a hack happens actually from the front end from
9:31
the applications through applications and that's why i keep saying that build secure software your
9:39
app can be the app can be the gateway to these hackers to come in even though your it is amazing
9:45
they have done secure all the things but you know hackers can come through your your your application
9:52
so there are here are some eight of these top top things you should look for or implement when you
9:58
think about front-end security first of all make sure that all websites connection strings public
10:05
facing anything you have they are secure https and that so the so the all transfer data transfer
10:12
is secure and encrypted at least that should be the first thing second thing is very important what i
10:18
see again and again and again a lot of developers they put their connection strings or login
10:23
credential credential somehow some way in unencrypted way in the in the application files
10:29
that's totally wrong because somebody just get into your config file or your setup or whatever
10:36
file you're storing them or even in the code or even in the i see i see some developers web
10:43
developers storing plain readable connection string in java these html and javascript files
10:51
that's a a very easy invitation to hackers all they need to do is get access to your files and
10:59
now they can just read your connection string and go to your database. Then third thing is enforce complex passwords and rules
11:07
That's very important. And again, IT may do that, but this is also a role of software developers
11:14
And I'm still building software, you know, building these apps. And none of the developers start with implementing these complex passwords unless I go back and say, hey, these are the rules for passwords
11:26
So when you are architecting your new software, you make sure that all these are written there for developers that what kind of complex password you want to implement
11:38
Where do you want to store your connection string? Are they encrypted or not? Same thing as DTPs, right
11:44
If you are asking user to put some input scale, you make sure you have CAPTCHA and other tools and make sure that the bots are not enabled
11:55
like sometimes you can disable any external bots you have to put extra file on there
12:00
so even google and all that they are not tracking your public facing websites
12:06
owasp is another great uh way to um to learn about some of the security if you go search
12:12
owasp there's a website dedicated to that it has some industry standards um and there's tool
12:19
to test that too for your associate check that out that will help you as well number six is uh so i'm
12:29
sure some of you understand client-side coding versus server-side coding um and these recently
12:35
because of you know javascript and browsers are being so powerful these days there's a lot and
12:42
and lot more coding going on client sides versus the server side
12:47
So more and more developers are executing their code JavaScript in the browser
12:53
And there's a lot of JavaScript there. The JavaScript is number one programming language used, right
12:59
So when you put your code and execute in a client side, this has more chance of hacking
13:05
than compared to your code being executed on server side because servers are more secure
13:10
So just think about if you are building something very, very secure, the security, you have some data you don't want to expose to the entire hackers
13:20
Try to see, can I implement this server side? So some of your code can execute on the server side rather than on the client side
13:31
And exception and error handling, they have to be part of it from day one. I see that again and again and again because developers trying to rush things and
13:41
they're like oh let's get the functionality done and put it out there we will come back and
13:45
implement these later the later never comes some companies have best practices they are good design
13:51
practices their architects are great they're following them but i see most of us don't but
13:57
again just because your company doesn't have a standard doesn't mean you as a software developer
14:03
or architect cannot enforce within your project. This is very important. And definitely don't rely on server security
14:10
You cannot just say that, oh, my IT is going to secure everything. I'm not worried about it
14:15
All I have to do is build an app. So based on my 25 years of experience
14:21
working and writing, building the software for enterprises, these are some of the eight things
14:27
I found that we as software developer must, must, must, must focus on these things
14:33
So, okay, so we learn about app front end security. Now let's talk about data security
14:41
Data security again, data is probably the most important part. If, if you know, most people who most hackers or anybody, they all they're going, going
14:52
after the data, right? They're not really, they don't want to really steal your code. They want to have access to code so they can really get to the data. Data is the one in your databases that has, you know, what they're really looking for, either it's a credit card information or is it your healthcare data, whatever it is that
15:10
really they're trying to get to so here are seven tips that i think as a software developers or dbas
15:18
or data professionals or data developers if we can implement some of these um this will help right
15:27
so encrypt sensitive data that's when i look at any software application uh recently we're trying
15:34
to you know acquire or purchase this software product and i found that the code is written is
15:44
so unsecure that I like we can deal with this. So make sure any data that's stored in databases
15:50
is sensitive should be encrypted. In these days database already have these features you don't have
15:56
to write extra code you don't have to do much about it. So for example if you are storing a
16:02
you know I don't know data birth social security credit card information password they should those
16:09
columns should be encrypted in from the database side already so if i go and log into my database i
16:16
don't think i should be able to read those. sql injections, and that's where when i was talking
16:23
about in my last slide is the front end, 62% of cyber attacks actually happen through sql injections
16:30
so do not use i if my choice is do not use embedded sql um yes and then if there is some
16:41
data where you want this is new thing number fourth is new thing if if there is a data that
16:49
you don't want anybody to tamper with or change with it's like for audit purposes you like this
16:55
data can never be changed then Microsoft launched something called SQL Ledger check that out it's
17:02
a service it's a database service on azure where it's a immutable ledger it's just similar to what
17:08
the blockchains use that means once you write a transaction or once a row is written in that
17:15
database nobody can ever go change or delete that and that's very useful for some some some
17:23
applications where you're trying to make sure that there cannot be fraud or changes later if
17:29
something is done it's just done there it's written there and then number five is make sure
17:35
you have so number five is it's funny um when a lot of companies the application developers and
17:45
senior developers they also manage databases when they manage databases they're using the same admin
17:51
login for everything they use a same login for the connection string they use same login to give
17:57
access to themselves or developers so this is totally wrong i think you should have separated
18:04
roles and users for applications if there are multiple applications they should have different
18:09
users for those and they should have access to those data only so if you have for example
18:14
multiple applications running from the single database then application roles the user role
18:20
should be defined so application based users can have access to that data only so think about that's
18:28
how it should be architected um and yeah keep by default access by default it should be read only
18:35
for all users for example if you want to give one user access right on right only or edit permission
18:42
on say one table then enable on that only not just enable on the entire database so that will have
18:49
some like secure at least some kind of security on your back end side um yeah apps definitely app
18:58
logins dbas admins developers they all should have different logins if there are five people in the
19:04
team you should have five logins don't give everybody same logins otherwise hard to really
19:10
track who did what what happens what application had these problems and so on so forth
19:16
all right keep those comments coming guys hopefully i'm making some sense um this um
19:24
just keep those comments coming we will take your comments in the in the end of the session
19:30
all right um backend and api security similar to the front end and database backend is also
19:37
very important same with the api make sure you secure api token base authentication is the way
19:43
to go right now you also separate read-only versus write-only apis unless you know some you can't really
19:50
depending on the architecture of the api but if you are able to implement only for example
19:55
if you're building an api just read only for public just go i like just keep it separate
20:02
don't mix a read-only and write api together um or you have to figure out that users who are
20:08
accessing don't have those you know post permissions just the get permissions right
20:14
um obviously do not share uh store sensitive data and plain text that's how we also discussed in the
20:21
previous two so some of you remember Twitter got hacked and millions of millions of users the
20:27
password got stolen because they were storing their password in a plain text file no so do not
20:35
store this kind of data in plaintext. Validation is very important. Make sure that a lot of
20:42
hacks happen because the UI in the back end, they don't do validation on these parameters
20:48
and data being inputted. Logging and exceptions are very important. Make sure they're implemented
20:55
This was also mentioned in the previous screens. Make sure you use your password hash and secure
21:00
token that's again you're encrypting all sensitive data never expose sensitive data in url sometimes
21:07
you know we are passing these login credentials in the urls user ids or whatever that should not
21:13
be there and then try to implement some of the industry standard uh you know authorization and
21:20
authentication mechanisms a lot of frameworks like microsoft has their own you can use those
21:26
you can also integrate some of the external you know security um log in these
21:34
third-party apis or often bunch of others are out there you can implement those um time stamp is
21:41
important for all requests so even in the backend so at least you know what time what user called
21:49
what api these are pretty standard it just make sure you have a checklist of these so when you are
21:57
architecting and building this in the software or writing code see if you have check check check
22:02
make sure you have checked all of them all right now let's talk about server security servers are
22:09
back-end the securities right so um and then this is pretty standard it's not something i didn't
22:16
really invent this part it's a they're pretty standard out there make sure you have latest
22:20
security patches and updates installed every every you know day almost or every week uh most there a lot of patches coming out with new new you know new uh you know fixing new problems and hacks and all those make sure you install
22:36
those latest patches obviously firewall and ports are this is not really for software developers by
22:42
i put this slide anyway but third point is good with developers and architects make sure you have
22:48
separate environments for dev, qa and prod and also you have separate users too actually i see the
22:55
same users login passwords are being used in qa dev prod yeah it's good it's easy for us not to but
23:02
it's sometimes this could lead to this hack because um you know developers store these password in
23:09
text files they send an email they share on their skype chat they share on slacks and so on so forth
23:15
So hard drives when data is being stored, make sure you have different read and write
23:24
permission files because some users don't read only, only few you need write only
23:29
So you can don't try not to use the same drive. For example, if you have a large storage where you're storing files and only few people have
23:38
access to write permissions, maybe you want to have also separate the storage as well
23:45
script by default these are already by default done for you from your it department but just not
23:50
as a developer or architect you want to make sure that these checks are there these are already
23:57
taken care for you a limited number of to have access separate database and web servers yes
24:03
that's another thing if you can do it i know for a smaller application and startup it's hard to do
24:08
sometimes but databases should be separated than web servers and again regularly monitor app logs
24:17
server logs traffic that should be part of this even as an architect of an application you should
24:23
be monitoring checking what's going on with your application it's health these days if you are
24:28
deploying applications say on cloud like azure or aws they already have services there that can give
24:37
you all this information um yeah and audits right audits very important um i think every year every
24:45
company that is um managing this sensitive data for example you know insurance and bank and accounts
24:54
they do these regular audits i don't think as a developer you can do anything here this is more
24:59
like a it policy but they should be happening um regularly so now there's two things i'm going to
25:06
add here these are new for some of you if you are already know that that how blockchain and ai
25:12
can actually help you uh build secure software so blockchain if you don't know much about i have
25:20
written a detailed article on blockchain multiple of them on c sharp corner and if you search what
25:26
is blockchain on c sharp corner what you know you will see that that so it's good it's actually
25:32
really good for securing data that's what it's for really because data is decentralized and
25:38
distributed and data is stored multiple nodes so hackers even they though try to come hack into one
25:44
of the computers they just can't do that they use blockchain is cryptography uh cryptography from
25:52
the scratch so each block contains a cryptographic hash so if somebody's trying to mess around with
25:59
one of the blocks and data it's just not and it's impossible in blockchain blockchain is immutable
26:05
and tamper resistant what does that mean that means you can't just go and edit any record there
26:12
you can not delete data there it just you know you can only add to it and it uses consensus
26:18
mechanism so even before data can be updated or i mean added to the blockchain there's a consensus
26:26
mechanism that multiple these nodes running the blockchain they have to agree and then approve
26:32
before the data can be written on blockchain it increases transparency and auditability so
26:39
ai is also i mean a lot of companies are already using ai in security microsoft has been doing this
26:47
and they're adding more in you know and they're on their azure platform but even companies it
26:53
companies use ai tools a lot now and they can help you in these threat detects and preventions like
27:00
ai algorithms can be used to analyze large amount of data for example your log files
27:05
network traffic and even user behavior as a matter of fact we are using on c sharp corner
27:11
we are building the next platform next version of next iteration of c sharp corner and ai is
27:17
a big part of us so we are using uh user behavior big time in that so next c-sharp platform launch
27:25
uh is you know going using both blockchain and ai malware detection again machine learning is being
27:32
used when deep learning being used for identifying this there is security automation and auto
27:37
responses user authentication behavior so these are some of the points uh you need you can think
27:44
when think about building a next generation software that is secure that that's what point
27:51
you can make these notes i'm happy to share even these slides to give you some list of the points
27:58
to consider so let's bring our guest now i think we are right on time it's been 30 minutes i kind
28:05
of tried to run through that bring our guest Praveen Malik here and we will talk to him about some of
28:14
Okay, somebody is calling. What's going on here? Stop sharing, I think I can stop sharing
28:21
Let me do that. Hey, Praveen
28:32
Praveen, can you hear me? I can't hear you
28:43
Hi everyone, this is Praveen Malik. Can you hear me? Yes, are you on audio or not on video
28:51
Please let me know if you guys can hear me. Yeah, I can hear you
28:59
I guess you can hear us. But you can hear us, right
29:09
So as we were talking about the application security, so I think Mahesh already
29:18
convey a lot of information about the application security. So there are various tools are there for the application security
29:32
Some of the names of that very popular tools are the Veracode. Veracode is basically an
29:38
applications security platform that performs various different type of analysis which include static analysis, dynamic analysis, software composition
29:50
analysis, interactive applications security testing and penetration testing so it also provide that
30:00
on-demand expertise and aim to help the complex vulnerability fixes. Then second
30:10
tool is the Qualys. The Qualys is a cloud platform which is earlier called as the
30:18
Qualys Guard. It is a basically a San Francisco based company which is having
30:23
various different modules which include the vulnerability management where means from the servers or you can validate that vulnerability from there then it is
30:39
also having a cloud testing so where you can validate that cloud vulnerability is
30:47
from the container and others and then means application security related issues also it can
30:57
validate it also having a policy compliance where it will look into that the settings whether we are
31:04
having the right settings into the systems and validate that with the industry standard like
31:13
NIST based compliances, whether all the settings are as for the NIST compliance or any other
31:19
compliances we can validate against that one. And then another module is web application
31:26
security. In that security it will validate end-to-end application security which include
31:32
the web application the backend connectivity to the databases and it can also validate some of the security based application or code based security as well so that is a really good tool to use it uh then another other tools could be the SonarQube
31:54
SonarQube is a basically it is a core component of the sonar solution it is a open
32:02
source solution and the self-management tool that systematically helps developers and organization to deliver the clean codes so in that tool you just configure your
32:18
github or the code in that one one it against it it will validate that
32:23
various OWASP top 10 related vulnerabilities in that one which I was seeing that Mahesh
32:34
was explaining very clearly that these are I mean as a developer we should take care
32:41
of these top 10 things and it again means validate against that one as well as it also
32:49
validate that the end of the life and other vulnerabilities also where we can see that
32:57
means any of these very known vulnerabilities is in the code is available and if it is it
33:06
will it can map it and it can tell you that what is the best solution for that it will
33:13
also give a kind of a guidance that instead of this code how you can change to a better secure code. The next tool I can talk about is the GitGuardian. GitGuardian is again internet monitoring. Help organizations to detect and fix the vulnerabilities in source code at every step of software development lifecycle
33:40
With that, GitGuardian policy compliance engine security team can monitor and enforce
33:49
the rules across their VCS, DevOps and infrastructure related vulnerabilities as well
33:58
Other tools is one of also popular tool is Armour. It is a cloud mobile security solution
34:06
The vendor value proposition is that the solution was proposed built in deliver the highest level
34:13
of defense controls for the application for the organization's critical data no
34:20
matter where the data is hosted we can confidently validate the security
34:30
settings of these mobile applications I would there is again so many are there
34:39
but the last one I would like to go with that the VMware AppDefense it is
34:45
basically a hypervisor native workload protection platform for enterprise virtualization and security teams and it delivered the most secure virtual
34:58
infrastructures which simplify the micro segmentation planning by providing that deep application visibility and reputable scoring system With that it also provides a validation on that what is the priority means it can give
35:22
you that if ten different vulnerabilities are there in the code so it will say that
35:29
okay you may not have that capability to remediate all of them so it gives you
35:33
that what should you be the priority and based on that priority you can also give
35:39
you a best effort to remediate those applications related to vulnerabilities so I think I got around ten minutes from Mahesh so I have already taken it so
35:57
giving back to the Mahesh. That's great Praveen, good tools. There's a good number of tools out
36:03
there and I'll publish it. Maybe I'll get more details and publish this somewhere list and add
36:08
a slide. But as you can see, Praveen, he has a real world experience. That's what he does
36:14
These are a bunch of the tools IT companies use. I don't expect developers to go and use all these
36:20
tools but if you can do one or two and you know see how to work with IT teams and maybe
36:28
just say hey can you demo how you guys use the SonarQube and this Qualys tools and all that so
36:34
at least you get an idea as a developer that you should think about when we are writing code