Development
The development phase of software projects poses several security risks. This section highlights some of these risks and how to remediate them.
Dependencies
Software projects can use many external dependencies, and those dependencies can contain vulnerabilities. Online vulnerability databases can be used to identify the affected versions, and automatic tooling exists that cross-references your dependencies against these databases.
Note that external dependencies do not only consist of software libraries: a Docker image used within a project is a dependency as well. Automatic tooling is also available for scanning these images.
If an application has a dependency with a CVSS score larger than 9.0, it cannot be deployed to a staging or production environment. If the application was already deployed and a vulnerability with such a score is published afterwards, it should be fixed as soon as possible.
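The following is an added example, not tooling from this policy page or from Recognize: a small deployment gate that applies the "no dependency with a CVSS score larger than 9.0" rule to a scanner report. The report format (a flat list of findings with `package`, `version`, `advisory` and `cvss`) is an assumption made for the example; map your scanner's own JSON onto it first. Findings without a score are reported separately rather than silently passed, which is the edge case most gates get wrong.

```javascript
// Added example (not the policy page's own tooling): a CI deployment gate
// that applies the "no dependency with CVSS > 9.0" rule to a vulnerability report.
// The finding format below is an assumption for this example.

const CVSS_BLOCK_THRESHOLD = 9.0; // policy wording is "larger than 9.0", so 9.0 itself passes

// Constructed sample findings: package names, versions and advisory ids are made up.
const sampleFindings = [
  { package: 'left-pad-ish', version: '1.0.2', advisory: 'EXAMPLE-0001', cvss: 9.8 },
  { package: 'yaml-thing',   version: '2.1.0', advisory: 'EXAMPLE-0002', cvss: 9.0 },
  { package: 'http-helper',  version: '0.4.1', advisory: 'EXAMPLE-0003', cvss: 5.3 },
  { package: 'old-parser',   version: '3.3.3', advisory: 'EXAMPLE-0004', cvss: null },
];

// Split findings into those that block deployment and those whose score is
// unknown and must be triaged by a person. Everything else is informational.
function evaluateFindings(findings, threshold = CVSS_BLOCK_THRESHOLD) {
  const blocking = [];
  const unscored = [];
  for (const f of findings) {
    const score = Number(f.cvss);
    if (f.cvss === null || f.cvss === undefined || Number.isNaN(score)) {
      unscored.push(f); // never treat "no score" as "safe"
    } else if (score > threshold) {
      blocking.push(f);
    }
  }
  return { blocking, unscored };
}

// The gate passes only when nothing blocks and nothing is left untriaged.
function canDeploy(findings, threshold = CVSS_BLOCK_THRESHOLD) {
  const { blocking, unscored } = evaluateFindings(findings, threshold);
  return blocking.length === 0 && unscored.length === 0;
}

// Human-readable output for the CI log; the last line is the verdict.
function formatReport(findings, threshold = CVSS_BLOCK_THRESHOLD) {
  const { blocking, unscored } = evaluateFindings(findings, threshold);
  const lines = blocking.map(
    (f) => `BLOCK  ${f.package}@${f.version} ${f.advisory} CVSS ${f.cvss}`,
  );
  lines.push(
    ...unscored.map((f) => `TRIAGE ${f.package}@${f.version} ${f.advisory} (no CVSS score)`),
  );
  lines.push(canDeploy(findings, threshold) ? 'gate: PASS' : 'gate: FAIL');
  return lines.join('\n');
}

// Running this file prints the report for the constructed findings above;
// a real pipeline would exit non-zero when canDeploy() returns false.
console.log(formatReport(sampleFindings));
```

In the sample data only the 9.8 finding blocks; the 9.0 finding does not, because the policy says "larger than 9.0". The unscored finding still fails the gate until someone assigns it a score or marks it as not applicable.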
Validation
Applications should never rely solely on client-side validation. All inputs that require validation should be validated on the server. Client-side validation can be used in addition to server-side validation to improve the user experience (UX).
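As an added example (not code from this policy page), the server side of a hypothetical registration endpoint that re-validates every field itself. The request shape, the field rules and the `clientValidated` flag are assumptions for the example; the flag illustrates why a server must never take the client's word for it, since a request forged with curl can set it freely.

```javascript
// Added example (not from the Recognize policy page): server-side validation
// for a hypothetical registration endpoint. Field names and rules are assumptions.

const USERNAME_RE = /^[a-z0-9_]{3,32}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate the body of a registration request. Returns { ok, errors }.
// Every rule is applied here regardless of what the client claims to have
// checked: the client runs on a machine the user controls.
function validateRegistration(body) {
  if (typeof body !== 'object' || body === null) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const { username, email, age } = body;

  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    errors.push('username must be 3-32 characters of [a-z0-9_]');
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push('email is not a valid address');
  }
  // Require a real integer in range: the string "18" or NaN is rejected,
  // so a type-confused value never reaches the database layer.
  if (!Number.isInteger(age) || age < 18 || age > 120) {
    errors.push('age must be an integer between 18 and 120');
  }
  return { ok: errors.length === 0, errors };
}

// Hypothetical request handler; req.body is already-parsed JSON.
// The clientValidated flag (a common anti-pattern) is deliberately ignored.
function handleRegister(req) {
  const result = validateRegistration(req.body);
  if (!result.ok) {
    return { status: 400, body: { errors: result.errors } };
  }
  // Persisting the user is omitted; it is not the point of the example.
  return { status: 201, body: { username: req.body.username } };
}

// Constructed requests: the first skipped the browser's checks entirely.
const forgedRequest = {
  body: { username: 'x', email: 'not-an-email', age: '18', clientValidated: true },
};
const validRequest = {
  body: { username: 'alice_01', email: 'alice@example.com', age: 30 },
};

console.log(handleRegister(forgedRequest)); // status 400 with three errors
console.log(handleRegister(validRequest));  // status 201
```

The browser-side form can apply the same rules for instant feedback, but the server's decision is made only by `validateRegistration`, so removing or bypassing the client code changes nothing about what gets accepted.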
Tooling
The following types of tools are used within Recognize to help us create secure applications for our customers. Use of the mandatory tooling is required, whereas the utilities can be used to check whether your application adheres to the security policy.
SAST
Static Application Security Testing (SAST) is used to test application code or binaries for known classes of security flaws. This tooling can be integrated into version control systems, which adds functionality to, for example, pull requests that checks the changed code for security vulnerabilities.
For SAST, the GitHub Code Scanning features must be used. By default, the Advanced Security standard tooling should be applied. When this is not possible in the tech stack in use, an alternative from the Code Scanning set can be used. Consult the following table for the correct code scanning tool:
| Language   | Code Scanning Tool |
|------------|--------------------|
| C#         | CodeQL             |
| PHP        | Psalm Security     |
| Kotlin     | CodeQL             |
| Java       | CodeQL             |
| JavaScript | CodeQL             |
For projects currently undergoing active development (defined as having had a commit within the last 14 days), it is recommended that code scanning be conducted on the source code a minimum of once per day. For projects that are not actively being developed, performing code scanning once per month is sufficient. It is not obligatory to execute code scanning for every commit, pull request, or merge event.
Dependency Check
As stated in the section on dependencies, tooling is available that can scan external dependencies for vulnerabilities. Some package managers and tools, such as NPM, Yarn or Docker, have built-in tooling that can be used to scan these packages.
For repositories stored in the GitHub organisation of Recognize, Dependabot is used. Dependabot analyses all dependencies within a repository and alerts developers when (severe) security advisories affect them. Dependabot can be enabled from within the repository. Although recommended, using Dependabot is not required for the NPM ecosystem, as it results in a lot of false positives and noise. In that case, however, it is required to use an alternative tool that ensures awareness of vulnerabilities within the project. One of the options is offered by GitHub: an action that disallows the introduction of vulnerable dependencies into a project.
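As an added example (not part of this policy page and not Recognize's own workflow), a single GitHub Actions workflow that implements both the scan cadence from the SAST section and the pull-request dependency gate mentioned above: CodeQL runs on pushes to `develop` and on a daily schedule, and GitHub's `dependency-review-action` fails pull requests that add a dependency with a known critical-severity advisory. The action names and the `fail-on-severity` input are GitHub's public ones; the branch name, cron time and language list are assumptions. For a project that is no longer actively developed, replace the daily cron with a monthly one (for instance `0 3 1 * *`) to match the policy.

```yaml
# Added example, not the policy page's own configuration.
name: security-scans

on:
  push:
    branches: [ develop ]       # assumption: develop is the integration branch
  pull_request:
  schedule:
    - cron: '0 3 * * *'         # daily at 03:00 UTC; monthly for inactive projects

permissions:
  contents: read
  security-events: write        # CodeQL uploads its SARIF results here

jobs:
  codeql:
    # Runs for pushes and the schedule; pull requests are covered by dependency-review
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ javascript ]  # assumption; pick from the table above
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    # Blocks the PR when it introduces a dependency with a critical advisory
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: critical
```

The `dependency-review` job only inspects what a pull request changes, so it complements rather than replaces a scanner that covers the whole dependency tree.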
Utilities
SSLLabs
The site ssllabs.com can be used to test your website's SSL/TLS settings. Use 'Test your server' and fill in the domain name. Make sure to check 'Do not show the results on the boards', so the result is not listed publicly.
Securityheaders.io
Web servers can send several security headers back to the client. securityheaders.io can assist by checking whether the required headers are present. Again, ensure that 'Hide results' is checked.
Recognize Internal Security Assistant (R.I.S.A.)
The Recognize Internal Security Assistant is a GitHub Action that can be attached to your CI workflow. The action is given one or more URLs and generates a report that is attached to the commit. More information can be found at:
https://github.com/recognizegroup/recognize-internal-security-assistant-action
```yaml
on:
  push:
    branches: [ develop ]
jobs:
  security-report:
    runs-on: ubuntu-latest
    steps:
      - uses: recognizegroup/recognize-internal-security-assistant-action@v2
        with:
          urls: https://recognize.nl
          token: $
```