Secure Programming Practices
The intent of the Secure Programming Practices Knowledge Unit is to provide students with an understanding of the characteristics of secure programs and the ability to implement programs that are free from vulnerabilities.
Topics
- Programming Flaws
- Interpretation and realization of Security Requirements
- Principles of Secure Programming
- Defensive Programming
  a. Input validation, type checking
  b. Cover all cases: use defaults to handle cases not explicitly covered
  c. Catch and handle exceptions at the lowest level possible
  d. Avoidance of risky coding constructs
  e. Avoid information leakage through error messages
  f. Apply security practices to classes
     i. Don't allow external interfaces to change data by reference
     ii. Use context to determine data access
     iii. Support verification of data updates
     iv. Authenticate
- Secure Programming paradigms
- Static Analysis
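The following is an added example, not part of the knowledge unit text, showing how the defensive-programming practices listed above look in one small piece of code. It is a hypothetical account-update handler; the names Account, parse_amount, apply and handle_request, the size limits and the "alice"/"bob" actors are all assumptions made for the illustration.

```python
"""Added example (not part of the knowledge unit): a small account-update
handler that applies the defensive-programming practices a-f above.
All names and limits here are hypothetical."""
from __future__ import annotations

import copy
import logging
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

log = logging.getLogger(__name__)

# a. Input validation and type checking: only a bounded, well-formed decimal
#    string is allowed through to the business logic.
MAX_AMOUNT = Decimal("1000000")   # assumed business limit
MAX_INPUT_LEN = 20                # assumed length bound on caller input


class ValidationError(ValueError):
    """Raised for caller-supplied input that fails validation."""


def parse_amount(raw: object) -> Decimal:
    if not isinstance(raw, str):
        raise ValidationError("amount must be a string")
    if len(raw) > MAX_INPUT_LEN:
        raise ValidationError("amount too long")
    try:
        # c. Catch the low-level exception where it occurs and translate it
        #    into the one error type callers are expected to handle.
        value = Decimal(raw)
    except InvalidOperation:
        raise ValidationError("amount is not a valid number") from None
    # NaN/Infinity are rejected before any comparison is attempted.
    if not value.is_finite() or value <= 0 or value > MAX_AMOUNT:
        raise ValidationError("amount out of range")
    return value


@dataclass
class Account:
    owner: str
    balance: Decimal = Decimal("0")
    _history: list[Decimal] = field(default_factory=list, repr=False)

    # f.i. No external access to internal state by reference: callers get a
    #      copy, so they cannot alter the audit history behind the object's back.
    def history(self) -> list[Decimal]:
        return copy.deepcopy(self._history)

    # f.ii / f.iv. The calling context (who is acting) decides whether the
    #              update is allowed; only the owner may move money.
    def apply(self, actor: str, op: str, amount: Decimal) -> str:
        if actor != self.owner:
            return "denied"
        if op == "deposit":
            self.balance += amount
        elif op == "withdraw":
            if amount > self.balance:
                return "insufficient funds"
            self.balance -= amount
        else:
            # b. Default branch: an unknown operation is rejected explicitly,
            #    never silently ignored or treated like a known one.
            return "unsupported operation"
        # f.iii. Record every applied update so it can be verified later.
        self._history.append(amount if op == "deposit" else -amount)
        return "ok"


def handle_request(account: Account, actor: str, op: str, raw_amount: object) -> str:
    """Entry point an external interface (CLI, HTTP handler) would call."""
    try:
        amount = parse_amount(raw_amount)
    except ValidationError as exc:
        # e. The caller learns only that the input was invalid; the detail
        #    goes to the log, not into the response.
        log.warning("rejected input from %s: %s", actor, exc)
        return "invalid input"
    return account.apply(actor, op, amount)
```

Each practice maps to one decision point: validation happens once at the boundary, the only exception that can escape the parser is the one the boundary expects, the `else` branch makes the "no matching case" path explicit, and the class never hands out a reference to its own mutable state.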
Outcomes
- Produce software components that satisfy their functional requirements without introducing vulnerabilities.
- Describe the characteristics of secure programming.
- Understand the vulnerabilities inherent in different programming languages.
- Examine vulnerabilities introduced through the use of libraries and how to mitigate those vulnerabilities.
KSA-T
Below are the Knowledge, Skills, Abilities and Tasks (KSA-T) identified as being required to perform this work role.
Knowledge
ID | DESCRIPTION
K0140 | Knowledge of secure coding techniques.
K0139 | Knowledge of interpreted and compiled computer languages.
K0229 | Knowledge of applications that can log errors, exceptions, and application faults and logging.
K0254 | Knowledge of binary analysis.
K0028 | Knowledge of organization's evaluation and validation requirements.

Skills
ID | DESCRIPTION
S0148 | Skill in designing the integration of technology processes and solutions, including legacy systems and modern programming languages.
S0172 | Skill in applying secure coding techniques.
S0088 | Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
S0019 | Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
S0149 | Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.

Abilities
ID | DESCRIPTION
A0036 | Ability to identify basic common coding flaws at a high level.