Episode 3: Building Secure Code

(Part 3 of 5)

Created in conjunction with a five-part Twitch mini series (March 28 – April 25), these weekly blog posts provide resources and guidance to support the 60-minute live videos. To sign up and learn more about the series, click here.

A post by Yuriko Horvath, Sr. Solutions Architect, Amazon Web Services

Writing code and deploying an application can expose you to security vulnerabilities. This means your security woes don’t end after architecting. This post reviews common application security vulnerabilities, as well as how to build, test, and deploy code to catch vulnerabilities early.

There are many published lists describing common vulnerabilities and exposures to avoid in an application’s code and dependencies, along with best practices for protecting application secrets. Chances are good that bad actors are also familiar with these lists. Take a look below to familiarize yourself with the right resources:

• The Open Web Application Security Project (OWASP) publishes a list of vulnerabilities for web applications, including its top 10 critical security risks.
• MITRE manages the Common Vulnerabilities and Exposures (CVE) list of published security and information vulnerabilities in software packages.
• AWS discusses risks of storing passwords, API keys, and other secrets in your application.
• AWS access keys enable you to manage your AWS infrastructure. AWS discusses best practices and anti-patterns for access keys and secret keys.

When writing your application code, it’s best to consider your upfront setup so that you can prevent exposure and coordinate ongoing testing for security vulnerabilities.

Upfront Application Code Setup

In your setup, standardize a coding framework, source a control repository, and identify patterns for your code as it interacts with your infrastructure. Also, note any external integrations and configuration management requirements. Consider the following when setting up your application’s code:

• Use an application framework or library that is already protected against OWASP’s listed vulnerabilities. This could include cross-site scripting (XSS), SQL injection, or cross-site request forgery (CSRF).
• Use a source code helper like git-secrets to prevent a developer from accidentally saving your AWS API keys into your source code, which could potentially become publicly available.
• Use IAM roles or temporary credentials through Amazon Cognito to make AWS API calls, instead of using AWS access keys and IDs in your code.
• Use AWS Secrets Manager and AWS Systems Manager Parameter Store to store all passwords, API keys, and other necessary configured secrets.

Ongoing Security Testing

If you are using an application framework, it may have built-in protections against some of OWASP’s listed security issues. While application frameworks prevent a subset of security issues, every newly released feature or bug fix can introduce new security vulnerabilities. There are multiple ways to test your application on an ongoing basis to find newly introduced security vulnerabilities:

• Automate static application security testing and software composition analysis into your CI/CD pipeline to inspect your code for security vulnerabilities.
• Periodically run dynamic application security testing, either through a tool or a security auditor for penetration and vulnerability testing. When performing penetration testing on AWS, confirm what type of testing is allowed and what requires prior notification on your account.
• Use Amazon Inspector or AWS Marketplace partner vulnerability assessment solutions to inspect your back-end servers that host your application, (as mentioned in Episode 2: Securing Your Apps Infrastructure).

Enhancing your application with security-minded coding standards and automated security testing can help protect your application from many well-known security exploits – before they surface.

Our next post in our five-part series, “Episode 4: Code is Not Static: App Care,” will discuss bug fixes and updates, and how to make sure iterations of your app are updated securely.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.