My (past) thinking on writing secure code.
This is my current (As of 12:36pm AEST on May 14th, 2016) thinking on “writing secure code”.
- I don’t know how; I don’t think that’s definitively possible.
- I ask people to attack my stuff, and I fix what they find.
How do you know you’re writing secure code? The simplest answer is “Well, I have written my code in a careful way that prevents anyone from exploiting it”. I think that’s a flawed notion, as it relies on the assumption that you understand the code you’re writing.
Let me take a break here and reassure you that I don’t think you (or indeed me) are shitty developers. One can never consider oneself a poor developer, as we always (hopefully) build things to the best of our abilities. However, everyone does that, all the time. So how do vulnerabilities exist?
Because we don’t understand what we’re doing. It’s just about impossible to consider the ramifications of everything we’re doing — I’m a PHP developer (primarily), which means I have consider the user-land PHP, the interpreter, the interpreter version, the C the interpreter is written in, the libraries the interpreter was built against (presuming they’re statically linked) and the kernel that the interpreter is sitting.
I don’t even understand entirely what I just said. I’ve also left out everything client side; I could have written lovely PHP, and shitty client side HTML, or an API with some sort of auth use case that I didn't imagine existed. Therefore, I don’t know if I've written secure code. So, how do I find out?
I ask people to attack it. Challenge assumptions, and do things I never imagined with it. (Pro-tip: I still don’t know if it’s any good then, even if people have been unable to find issue with it — But at least I know those people can or can’t find issue with it.)
If I'm wrong, and there’s a lovely way to determine a “secure code” status, let me know. I’d love to know it!
- I know there are tools that help with this. I use quite a few quite a lot, but if you know some, please comment them and I’ll add them to my build pipeline.
- I wrote this up at a feverish rate following a boxing session. If you find flaws in it, point them out, and I’ll both thank you publicly and amend the doc.