AWS Government, Education, & Nonprofits Blog

Episode 3: Building Secure Code

(Part 3 of 5)

Created in conjunction with a five-part Twitch mini series (March 28 – April 25), these weekly blog posts provide resources and guidance to support the 60-minute live videos. To sign up and learn more about the series, click here.

A post by Yuriko Horvath, Sr. Solutions Architect, Amazon Web Services

Writing code and deploying an application can expose you to security vulnerabilities. This means your security woes don’t end after architecting. This post reviews common application security vulnerabilities, as well as how to build, test, and deploy code to catch vulnerabilities early.

There are many published lists describing common vulnerabilities and exposures to avoid in an application’s code and dependencies, along with best practices for protecting application secrets. Chances are good that bad actors are also familiar with these lists. Take a look below to familiarize yourself with the right resources:

When writing your application code, it’s best to consider your upfront setup so that you can prevent exposure and coordinate ongoing testing for security vulnerabilities.

Upfront Application Code Setup

In your setup, standardize a coding framework, source a control repository, and identify patterns for your code as it interacts with your infrastructure. Also, note any external integrations and configuration management requirements. Consider the following when setting up your application’s code:

  • Use an application framework or library that is already protected against OWASP’s listed vulnerabilities. This could include cross-site scripting (XSS), SQL injection, or cross-site request forgery (CSRF).
  • Use a source code helper like git-secrets to prevent a developer from accidentally saving your AWS API keys into your source code, which could potentially become publicly available.
  • Use IAM roles or temporary credentials through Amazon Cognito to make AWS API calls, instead of using AWS access keys and IDs in your code.
  • Use AWS Secrets Manager and AWS Systems Manager Parameter Store to store all passwords, API keys, and other necessary configured secrets.

Ongoing Security Testing

If you are using an application framework, it may have built-in protections against some of OWASP’s listed security issues. While application frameworks prevent a subset of security issues, every newly released feature or bug fix can introduce new security vulnerabilities. There are multiple ways to test your application on an ongoing basis to find newly introduced security vulnerabilities:

Enhancing your application with security-minded coding standards and automated security testing can help protect your application from many well-known security exploits – before they surface.

Our next post in our five-part series, “Episode 4: Code is Not Static: App Care,” will discuss bug fixes and updates, and how to make sure iterations of your app are updated securely.