How to Write Secure Code

In order to ensure computer systems are secure, software developers must be able to write code that can withstand attacks from hackers or malicious insiders. Common programming errors like buffer overflows are easily avoided, but can be disastrous if discovered by a hacker. There are many proven techniques programmers can incorporate into the software development lifecycle (SDLC) that will make their code more secure. Fortunately, there are many resources available to help programmers incorporate security into their code.

The government runs several websites that help with writing secure code. The U.S. Computer Emergency Readiness Team (CERT) maintains a site specifically for software developers. Beginners may want to start with the Introduction to Software Security. The government also publishes many documents in PDF format however you can always find pdf software that will make it easy for pdf conversion. California offers a short guide to secure coding practices. Another publication is the Software Security Checklist from the Jet Propulsion Laboratory and the University of California, Davis.

There are also software tools available that check code for common programming errors that affect security. Secure Coding offers a list of tools for static code analysis and runtime code analysis. In addition to the ones listed on that site, there are many others.

Static code checkers:

• Yasca – A free command-line tool that checks for security vulnerabilities.
• Cppcheck – A free tool specifically for checking C++ source code.
• Parasoft – A commercial tool for checking a variety of languages.

Runtime code checkers:

• Insure++ - a Parasoft product. Again, commercially available.
• IBM's Rational Purify – A free trial is available, but otherwise a commercial product.
• Holodeck – Another commercial product with a free trial.

Microsoft also has many resources devoted to teaching developers how to write secure code. Their Security Development Center has numerous links to articles covering many topics related to security and secure coding.

• 10 Security Tips to defend your code.
• Security Guidance for Applications
• 8 Simple Rules for developing more secure code.

SecurityFocus.com has a good general guide to secure coding, and another guide to programming with Microsoft's .NET specifically. Microsoft also provides an article on security with ADO.NET. Because Microsoft products are so popular, third-party tools like VBWatch exist to check Visual Basic code.

• Security Focus Guide 1
• Security Focus Guide 2
• Security with ADO.NET
• VBWatch

There are numerous books written on the topic of secure coding. Microsoft's Writing Secure Code is a standard in the field. The free e-book (in PDF format) Secure Programming for Linux and Unix HOW TO -- Creating Secure Software is also very good.

By incorporating security into the SDLC, developers can greatly improve the quality of their programs. The number of tools, books, and resources available online means every programmer has access to everything they need to produce secure, reliable code.