WEBVTT

00:00.750 --> 00:05.610
Now the security plus really likes talking about secure coding techniques.

00:05.610 --> 00:10.980
Basically if we're writing applications What are some of the security issues that we need to keep in

00:10.980 --> 00:14.050
mind as we're actually generating that code.

00:14.070 --> 00:16.150
So there's a number of these that are listed.

00:16.170 --> 00:20.690
And you know what I'm just going to go right down the list as actually printed within the objectives

00:20.710 --> 00:22.130
for the security plus.

00:22.290 --> 00:24.840
There's no particular order to them so let's just get them all.

00:25.170 --> 00:29.100
However before we start talking about these I do want to make sure we're clear on one very important

00:29.100 --> 00:33.920
concept and that is the idea of comp. versus runtime code.

00:34.080 --> 00:39.720
For years what we would do is you would write code and you would write it in whatever programming language

00:39.720 --> 00:40.740
you chose.

00:40.740 --> 00:48.040
You would then run that code through some type of compiler and then you would generate executable code

00:48.300 --> 00:54.090
and anybody who's seen a piece of code with each Ex-Sea on the end or dot com if you go that far back

00:54.450 --> 01:00.790
understands that these are programs that are run on your system that run through your RAM.

01:00.840 --> 01:06.680
Most applications that we run on the Internet today are runtime applications.

01:06.750 --> 01:13.740
So what we'll have is like something built into our web browsers that can read basically highly refined

01:13.740 --> 01:14.750
code.

01:14.850 --> 01:18.570
In this case it's not compiled though it's not executable.

01:18.630 --> 01:23.520
It is interpreted by whatever client you have running.

01:23.520 --> 01:28.530
So if you have for example a web browser you can run javascript.

01:28.590 --> 01:36.030
That's because your web browser is able to read javascript scripts and then actually run them.

01:36.060 --> 01:42.120
So there's a big difference between comp. where you have executable code versus runtime code.

01:42.120 --> 01:47.580
So if we're going to be in the web we're probably talking about runtime code and things like javascript

01:47.580 --> 01:49.650
for example would be a great example of that.

01:49.740 --> 01:52.900
Let's start off with proper error handling.

01:53.250 --> 01:57.310
Any application is going to generate errors from time to time.

01:57.390 --> 02:01.720
So if we have a web app in particular you've got some choices here.

02:01.740 --> 02:09.000
First of all you want the application to recognize errors and put up a nice screen that says like oops

02:09.000 --> 02:13.530
or sorry or something like that so that it doesn't do something evil.

02:13.530 --> 02:20.520
Now here's an example of a bad error handling and I'll bet a lot of you've seen errors something like

02:20.520 --> 02:26.280
this what you're looking at here is that the actual application doesn't know what to do with this error

02:26.670 --> 02:27.720
and it has.

02:27.780 --> 02:29.550
If we're lucky it's locked up.

02:29.550 --> 02:36.540
If we're unlucky it could do evil things like allow us to have root access or actually get into the

02:36.540 --> 02:37.880
system behind it itself.

02:37.890 --> 02:40.960
So proper error handling is absolutely critical.

02:41.730 --> 02:44.730
Next is going to be proper input validation.

02:45.060 --> 02:49.910
Every application there is has some kind of input some kind of dialog box.

02:49.920 --> 02:55.750
So let's say for example I've got an application that wants to actually have you enter.

02:55.890 --> 02:58.260
I don't know an e-mail address like we see here.

02:58.620 --> 03:05.400
So as we're entering this e-mail address we want the application to validate that it's a good e-mail

03:05.400 --> 03:10.560
address and you've probably seen this where if you don't type in something that looks like an e-mail

03:10.560 --> 03:15.930
address with an app side or something like that the application kicks back and says Try again.

03:15.930 --> 03:17.570
You could go even further than that.

03:17.640 --> 03:23.460
You could have somebody enter an e-mail address and then you could even have it then query that domain

03:23.460 --> 03:26.730
like total dot com and verify it's a legitimate domain.

03:26.730 --> 03:32.410
So that's really up to you in terms of what you want to do with input validation.

03:32.440 --> 03:34.860
Next is normalization.

03:34.930 --> 03:38.170
Databases can be big onerous items.

03:38.170 --> 03:41.900
And one of the things we want to avoid is replication of data.

03:42.190 --> 03:49.180
When we normalize a database we use tools like for example indexing to take what could be just one database

03:49.480 --> 03:57.160
and turn it into two or more as needed to allow us to have zero or little replication of data and more

03:57.160 --> 03:59.730
efficiency within the database itself.

04:01.240 --> 04:03.930
Next are stored procedures.

04:03.970 --> 04:10.140
Now if you're going to query a database you should be doing things like for example proper input validation.

04:10.150 --> 04:15.570
Now if we just leave it to the individual pieces to handle all this we could run into trouble.

04:15.580 --> 04:23.320
So what we often do is we insert a stored procedure between those which are queering and the database

04:23.320 --> 04:24.030
itself.

04:24.190 --> 04:32.740
So what will happen is that the individual items will then query the stored procedure and then the stored

04:32.740 --> 04:37.640
procedure will do input validation whatever needs to be done and then we'll send that to the database.

04:37.690 --> 04:41.310
Stored Procedures protect databases.

04:41.320 --> 04:43.380
Next is going to be encryption.

04:43.390 --> 04:48.300
Now we got to be careful with encryption because we're going to talk about encryption again in a minute.

04:48.310 --> 04:54.310
But what I'm talking about right here is really what we're calling code signing your code itself is

04:54.310 --> 04:55.210
precious.

04:55.240 --> 05:00.490
We don't want people to be messing with the code if we have updates we want to be able to control those

05:00.490 --> 05:01.270
updates.

05:01.270 --> 05:08.500
So what we do is we actually digitally sign our code so that whoever's getting that code can know that

05:08.500 --> 05:10.630
it's in good order and it's in good shape.

05:10.630 --> 05:13.130
Remember we'll talk more about encryption shortly.

05:14.490 --> 05:18.250
Next is obfuscation or camouflage the same thing.

05:18.270 --> 05:23.310
There are situations where you don't really want to go through a full blown encryption of code but you

05:23.310 --> 05:28.590
don't want to make it that easy for people to for example reverse engineer it and copy whatever you've

05:28.590 --> 05:29.720
come up with.

05:29.730 --> 05:37.310
So if you take a look here here's an example of a man a fire tool used primarily with javascript.

05:37.590 --> 05:43.410
If you look on the left hand side you can see the actual javascript code itself on the right hand side

05:43.410 --> 05:47.970
is the exact same code this time using a minute fire.

05:47.970 --> 05:55.530
So the minute fire gets rid of excess English words it compresses spaces and carriage returns and leaves

05:55.530 --> 05:58.660
pretty much nothing more than the runtime code itself.

05:58.770 --> 06:04.440
Next is going to be code reuse and well we'll throw this in the same time dead code.

06:04.440 --> 06:10.730
All this means is that in any application if you can reuse known good code do it.

06:10.860 --> 06:16.650
So that basically means from a coding standpoint you want to break down as many functions as possible

06:16.650 --> 06:21.720
into individual pieces so that different parts of your code can continue to call it over and over again

06:22.050 --> 06:28.060
as opposed to writing the same thing two or three or four or six hundred times with the risk of error.

06:29.090 --> 06:35.760
On the same token dead code is simply code that we're no longer using a lot of programmers are tempted

06:35.760 --> 06:38.740
to keep dead code in their applications.

06:38.760 --> 06:44.450
The motivation being they might need it or something like that a good rule is get rid of dead code.

06:44.470 --> 06:45.710
Cut it out.

06:45.730 --> 06:51.340
The danger to dead code is that sometimes bad guys can take advantage of little inconsistency in your

06:51.340 --> 06:53.170
code to do naughty things.

06:53.170 --> 06:56.520
So go ahead and just take that dead code out of your systems.

06:57.590 --> 07:04.790
The next issue is going to be server side versus client side execution and or validation to make this

07:04.790 --> 07:05.680
more clear.

07:05.870 --> 07:09.950
Let's set up a situation where we have a server and a client.

07:09.980 --> 07:16.040
Now in this particular situation the server is serving up some web application and the client has a

07:16.040 --> 07:19.760
web browser up actually accessing that web application.

07:19.820 --> 07:24.980
And let's say one of the things that this web application does is it has a dialog box or type in your

07:25.340 --> 07:28.160
first name last name email address whatever.

07:28.160 --> 07:30.840
And then process that in some way.

07:30.860 --> 07:36.800
So if we do this on the client side what we're doing is not only do we thought the form on the client

07:36.800 --> 07:43.670
side but we'd also perform for example input validation and then generate the query and just send the

07:43.670 --> 07:47.150
query over to the database on a server side.

07:47.150 --> 07:53.290
All we're doing in this situation is we fill out the form and then we send all the data.

07:53.300 --> 07:54.370
Good or bad.

07:54.500 --> 08:00.490
Over to the server and then the server performs input validation and generates the query.

08:00.500 --> 08:06.040
There are good and bad aspects to both of these and it really depends on what you're trying to do.

08:06.050 --> 08:12.620
Keep in mind that if you do stuff client side you're putting a lot of onus and a lot of security on

08:12.620 --> 08:18.200
the individual clients and you tend to be sending a lot of code to the clients on the server side.

08:18.230 --> 08:20.900
You tend to put a lot of work on the server.

08:20.900 --> 08:26.360
Things like encryption for example really come into play here depending on if you're just sending a

08:26.360 --> 08:29.900
little bit of data to the client maybe encryptions not a big concern.

08:30.050 --> 08:35.670
Whereas if you're taking important chunks of a database and sending it down to individual clients then

08:35.670 --> 08:37.910
scription can be a really really big deal.

08:37.910 --> 08:40.460
Next is memory management.

08:40.460 --> 08:44.240
The bottom line is that all of these apps use memory.

08:44.240 --> 08:49.220
Now I'm not so worried about on the server side although that can be an issue but this really does become

08:49.220 --> 08:50.850
an issue on the client side.

08:50.870 --> 08:57.000
It is trivially easy for us to make big ugly applications that eat memory.

08:57.050 --> 09:02.860
So not only do we make programs that eat memory but we can actually inadvertently put in memory leaks.

09:02.870 --> 09:08.420
Anybody who remembers Firefox five or six years ago maybe a little more in that it was a bit notorious

09:08.420 --> 09:10.560
for eating up all the RAM in your system.

09:10.730 --> 09:13.190
Whenever you ran some types of Web Apps.

09:13.190 --> 09:14.370
Firefox is great now.

09:14.390 --> 09:16.180
I love Firefox.

09:16.280 --> 09:21.410
The process of memory management usually can be a little bit involved but it has to do with a lot of

09:21.410 --> 09:22.140
testing.

09:23.370 --> 09:32.580
Next is use of third party libraries and software development kits all web apps use lots of third party

09:32.580 --> 09:33.500
libraries.

09:33.750 --> 09:40.890
Here's a little snippet from the total seminars told testor online showing just a few of the different

09:40.890 --> 09:47.910
types of javascript apps that we actually bring in to make our total testor online work.

09:47.910 --> 09:53.100
For example here's one little guy and this little guy called chart his job is to do one thing.

09:53.250 --> 09:56.030
Help us make pretty charts like these.

09:56.040 --> 10:02.410
The downside to third party libraries is that they can be big security issues.

10:02.550 --> 10:09.540
A lot of times bad guys will not be able to attack your app itself but they'll find a weakness because

10:09.540 --> 10:13.730
a lot of these apps are used by hundreds of thousands of people.

10:13.770 --> 10:19.920
So if a bad guy can find a weakness in one of these third party libraries well they can take advantage

10:19.920 --> 10:25.230
of lots of people not because you've written a bad app but because a third party library that you lead

10:25.230 --> 10:26.840
on has a weakness.

10:26.850 --> 10:31.860
The bottom line here is a lot of stain on top of things and lots of patching and making sure you're

10:31.860 --> 10:36.000
aware of weaknesses and vulnerabilities as they appear.

10:36.000 --> 10:40.580
The last one is data exposure and that's where I really want to talk about encryption.

10:41.590 --> 10:48.820
If you have data that is a part of your app some of that data has risk of exposure.

10:48.940 --> 10:58.300
And our job as developers is to reduce if not eliminate any risk of that data exposure especially if

10:58.300 --> 11:02.710
it's personally identifiable information or personal health information.

11:02.710 --> 11:07.410
We almost always today go through aggressive encryptions any time.

11:07.570 --> 11:13.050
If for example we bring some data down to a client I promise you a good app.

11:13.180 --> 11:17.150
All that information is always encrypted it's really not even.

11:17.380 --> 11:19.950
There's not even excuse to not do that anymore.

11:20.170 --> 11:27.450
So make sure if you have data exposure you're going to be using lots and lots of encryption.

11:28.150 --> 11:32.830
We covered a lot of different secure coding techniques in this episode.

11:32.830 --> 11:38.110
Now look Security plus is not trying to turn you into a code head but it is expecting you to understand

11:38.350 --> 11:45.450
some of the basic concepts of all of these very important secure coding techniques.