Finacle - Secure Coding Practices

www.infosys.com/finacle

Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing

Secure coding practices

Thought Paper


Thought Paper02 Thought Paper 03

Secure coding practices

Overview of code security

Security breach in coding

Writing good code is an art but equally important is programmers’ awareness of secure code practices, and the care they take when

While defining variables, programmers need to first assess memory space to be allocated, and clearly define the individual scope of reference variables while passing references inside functions. In languages such as C++, defining and using pointers is good practice as it improves performance and speed, especially in the case of applications like core banking where there are multiple users. But on the flip side, this poses enormous risk to data security as pointers can be accessed from outside and variable values can be manipulated.

Programmers should follow secure coding practices while dealing with arrays, linked lists, stacks and vectors, which are the linear data structures normally used in coding, always keeping in mind that size of such data structures should be strictly limited to the space required. Location – the physical address at which these structures are defined – is an important aspect as well. In addition, it is essential to restrict

Security breaches in coding are primarily of 4 generic types:

Code injections: In most of the functionalities where end users are allowed to upload file content, they can also inject codes in the Web server. These codes can perform malicious acts and pass valuable system information to hackers.

defining variables and structures and passing references and pointers from one module to another.

access to the structures using proper access controls such as “public, private or protected”, inside the code.

Another thing to be kept in mind is that variables, used normally for handshaking between two modules – say, loans with payments – should have a restricted set of values defined. These variables are normally static and their scope should be defined within certain boundaries.

Also, it is always reco-mmended to perform code audits before implementation, so that potential code vulnerabilities can be fixed. For that, the code auditors should be enabled with proper know-how about individual languages and related secure code practices.

Moreover, programmers should be aware of specific security related features of each programming language. Code review by experts ensures that programmers implement good security practices.

Malware passing/hosting: Malware, which is software written to perform malicious activities, can be passed inside Web interfaces if codes are not written securely.

Insecure database calls: Generic database calls require variables like database passwords and names and user names that are generally accessed


Change management and version control

General secure coding practices

In general code writing practices, version control is achieved using version numbering. Secure practices need to be followed during the change management implementation process. The changes in code should be highlighted

with details and code review should be done before deployment. Also, the vulnerabilities due to new changes in code should be addressed explicitly.

through static storage variables or properties files. It is important to write these calls in a manner that passwords and user names can be generated at run time and passed in the program. It has been observed in security audits that many enterprise applications use hardcoding of passwords and other parameters, which is a wrong programming practice.

Properties file misuse: Properties files normally used to access basic data, contain lists of unencrypted variables whose values can be

modified by system users. If such files are used, the variable values should be stored using interfaces and in encrypted format. However, it is recommended to avoid these files altogether.

Further, if the property file of the server is compromised, hackers can overload its access methods and misuse them. It is preferable to create combination keys with two or more resources instead of using just one properties file. These can be run time generated and passed to required modules.

Concept of no tolerance

When coding, the tolerance related to variable length, scope and accessibility should be predetermined and only the required scope should be allowed. The tolerance for variable length should be optimized. Scopes for generated objects should also be predetermined. Ideally, code should not rely on variable scope predefined by the compiler.

Certain thumb rules of secure coding

Vertical and horizontal code drafting practices/Code Orientation: Although code drafting methods might change as per language specifications, the normal way of writing code is either vertical cascading or horizontal splitting of code. The vertical cascading method helps programmers to understand the code whereas horizontal splitting enables them to define the scope of functions and variables.

Variable declarations: When variables are declared in code, the variable length and scope of variable access should be predetermined; declarations should be made accordingly. Use of fixed length variables should be avoided and preferably, variables should be defined with dynamic memory allocations. Many new compilers like VB and VC++ support postponement of variable declaration by mentioning only the variable name and not the type. In such cases, variable types and properties should be determined within the scope without any overload of unnecessary features. In languages that support object referencing, programmers should avoid making multiple copies of the same variables.

System level and semaphore variables: In cases where shell variables are used, variable values have to be sanitized. It is preferable to initialize values and not to assume default


Object oriented principles

Code level security for Web applications

Partial and full implementation of Object Oriented Programming (OOP) and security: OOP is in line with best security practices, with some exceptions. For instance, high usage of friend and virtual functions makes code more insecure and prone to compromise. Well-defined scopes like public, private and protected, secure the code. Certain programming languages like Java do not support multiple inheritances, thus protecting the methods defined under classes.

Data abstraction and multiple inheritance linkages: Programmers should avoid using

While SQL injection is a common Web vulnerability, it is also important to write optimized queries in order to secure the data objects. This ensures the safety of the SQL output artifacts and also improves performance of database calls. Also, retrieval of unnecessary database column values should be avoided.

Web server secure practices: Web server logs should always be configured to another drive where they can be stored. This will enable the tracing of hacking attacks. In addition, error

multiple inheritances as it adds to code vulnerability. Making major variable declarations in public scope enables easy access, thereby compromising OOP abstraction.

Prevention of inheritance by key words like ‘Final’: In certain languages like C++ and Java, inheritance can be restricted using key words such as ‘Final’, thus disallowing users from inheriting class methods available in base class. This can be done when programmers do not want any further extensions and use defined class members.

messages (such as ‘page not found’) should be altered to prevent the user from getting details like Web server configuration and version path. Web server default passwords and paths should also be changed as per specific requirement.

Secure way of code deployment on Web: Web-based code deployment, being very unsecure, should be managed well. Handshakes should happen on key exchange mechanism and both client and server application should authenticate the connection between them.

Security for software deploymentSecure deployments, keys protection in code deployment: Generally, codes are deployed through popular deployment tools which compress the files and serially deploy them on the destination server. The deployment codes might be insecure, resulting in holes in the

applications. Preferably, deployments should be done serially and manual handling should be strictly avoided. Keys used for secure deployments should be dynamic, with a specified time period to avoid code misuse.

vales as per system usage. Normally for inter-process communications where semaphores are implemented, the variables used to control the semaphores should be initialized in advance

and then further modified as per system usage. As the semaphore controlling variable values are generally global in nature, it is important to determine entry and exit point values in advance.


Best security practices at the individual language levelEach programming language has its own features around which security practices are set.

C/C++

Even if declared implicitly, array bounds in C++ should be set explicitly, and should not be left open-ended. The structures should be defined dynamically as well. Also, loop arrays should not be allowed to iterate beyond the end of the array, so as to reduce buffer overflow attacks. In addition, conversions using void pointers should be avoided, while the automatic variables used need to be initialized before declaration.

Java

Sanitization of all data input irrespective of the source, substantially reduces risk of attacks such as code injections. It is also advisable to declare data variables of a class as private, thereby restricting access. Even in the case of nested classes, the methods accessing the private members of the outer class should be declared as private. Besides, exceptions should not be allowed to expose sensitive information. The outcomes of exceptions should be changed by proper exception handling, so that users get only valid exceptions. Use of the key word ‘Finally’ while handling the exception significantly reduces data vulnerability. Null pointers should not be de-referenced, as this can cause the null pointer exception. Error messages passed to the user through servlets should be appropriate and should not display any confidential data.

ASP.Net

When using the popular programming language ASP.Net, data input from all users should be thoroughly sanitized. Stored procedures should be used to filter malicious user inputs, thereby mitigating code injection attacks. Also, session hijacking attacks can be reduced by disparate transmission of authentication and session cookies and using only the HTTPS network for the same. Authentication credentials should also be passed only over HTTPS. Network eaves

dropping can be reduced by transmitting all information between client and browser over Secure Sockets Layer (SSL). Programmers should also ensure that client side options such as view state /hidden variables are not used to store sensitive data. Further, sensitive information must be stored on the server and not on the client side. Additionally, appropriate error messages should be displayed just like in Java.

PHP

In the server-side programming language, PHP, the majority of attacks can be reduced by sanitizing the input; functions like filter_input/filter_id can be used. While using MySQL, it would be preferred to change password frequently. Malicious scripts can be prevented from running on the browser by removing content like special characters before it is sent to the users. Attacks such as Remote File Inclusion/Local File Inclusion can be reduced by sanitizing the inputs, restricting dynamic inputs that come from the user and placing strict access controls for critical files. Again, error messages sent to the user must be generic and not disclose any information.

Shell scripts

When using shell scripts, a popular scripting language mainly based on the Unix platform, restricted access must be ensured, with read, write and execute permissions for individual scripts given according to users’ privilege. In fact, Unix is considered the most secure Operating System because of the security features offered though shell scripts.

Programmers should restrict privileges for specific command execution as well. For instance, those given permission to view the directory should not be allowed to make any changes. Additionally, the access controls for individual files and directories should be predetermined. Segregation of users based on privileges is very important too.

While writing and executing filters, steps to prevent data exposure should be taken care of in advance. During processing, programmers should exercise caution when exposing kernel calls and switches to end users. They should also ensure that fork calls are finite and controlled by defined system variables as they are highly sensitive to memory usage.

In addition, TCP/IP stack gets exposed to programmers directly through shell script and C programs and programmers should avoid display of unnecessary stack information to end users. There have been instances of companies preparing their own protocol to avoid content exposure through the TCP/IP stack.

Conclusion

Bibliography

Application coding security is not restricted to just drafting ways of coding. Rather, it calls for a comprehensive approach that encompasses methods of Web and database server configuration, ways of making calls on Web

1. Session Hijacking: Refers to the exploitation of the session, done mainly by theft of the session key used to authenticate a valid user and gain access to services.

2. Network Eavesdropping: Refers to the sniffing of the data packets transmitted along a network to gain access to sensitive information. This is done using sniffers.

3. Semaphores: Used in operating systems, for coordinating activities between multiple processes that compete for using the resources

servers and databases, techniques of handling properties files et al. Best security practices should be formulated keeping in mind language specific features and should be applied during configuration, coding and implementation.

of the operating system. Depending on the value of the semaphore the process will know whether to utilize the resource or to wait.

4. SQL Injection attack: SQL queries are drafted and inserted in Web forms maliciously to extract sensitive information from databases.

5. Array: Term referred to the use of a collection of variables belonging to a single type.

6. Pointers: A variable which is used to store the address of another variable.

Makarand Madhukar BajiSenior Consultant, Finacle Payments, Infosys

Sandhya RavikumarTechnology Analyst, Finacle E-Banking and Channel Support, Infosys


Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with ‘accelerated innovation’ that is key to building tomorrow’s bank.

About Finacle

© 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.

www.infosys.com/finacleFor more information, contact [email protected]

