GUILLERMO, Roland Dave P.

CIT 310 - IT33S1

Research Questions

Select 3 questions provide examples and images to support your research

1. Effectiveness of Secure Coding Practices in Preventing Common

Vulnerabilities
○ Question: How effective are different secure coding practices in
preventing common software vulnerabilities such as SQL injection,
cross-site scripting (XSS), and buffer overflow attacks?
○ Objective: To evaluate and compare the effectiveness of various
secure coding practices in mitigating specific types of
vulnerabilities.

Answer: Secure coding practices play a crucial role in preventing common software
vulnerabilities. Some key practices include:

- Input Validation: Verify and cleanse user inputs to protect against injection
attacks like SQL injection.
- Output Encoding: Encode output data properly to avoid cross-site scripting
(XSS) vulnerabilities.
- Authentication and Password Management: Use robust authentication
methods and securely manage passwords.
- Session Management: Securely manage user sessions to prevent unauthorized
access.
- Access Control: Implement appropriate access controls to restrict user
privileges.
- Cryptographic Practices: Apply encryption and hashing correctly.
- Error Handling and Logging: Handle errors appropriately and log
security-related events.
- Data Protection: Protect sensitive information.
- Communication Security: Ensure secure channels for communication.
- System Configuration: Configure servers and services securely.
- Database Security: Secure databases against unauthorized access.
- File Management: Manage files securely.
- Memory Management: Prevent buffer overflow vulnerabilities by managing
memory safely.

2. Cost-Benefit Analysis of Secure Coding Practices

○ Question: What is the cost-benefit analysis of implementing
secure coding practices in terms of development time, cost, and
potential reduction in security incidents?
○ Objective: To evaluate the economic implications of secure coding
practices and their long-term benefits in reducing security breaches
and associated costs.
Answer:

Costs

○ Development Time: It can take a while to train developers in secure

coding techniques, which takes time away from real development work.
Writing secure code usually requires more time, especially for
inexperienced developers. More time is required for comprehensive
security testing and code reviews that include both static and dynamic
analysis techniques.
○ Financial Cost: There are a number of expensive outlays associated with
implementing secure coding techniques. Training courses or certificates to
guarantee engineers know secure coding practices are major costs.
Additionally, licenses for secure coding tools like dynamic testing and
static code analyzers may need to be purchased by businesses. In order
to ensure adherence to best practices and maintain software security,
hiring security specialists or consultants to oversee and audit the
development process can also be rather expensive.

Benefits

○ Reduction in Security Incidents: By reducing vulnerabilities, secure

coding techniques significantly increase software security and reduce
 security incidents. By lowering the likelihood that attackers would exploit
these vulnerabilities, breaches and data loss are avoided. Businesses that
put these strategies into practice improve their reputation and strengthen
their security posture. Customers, partners, and stakeholders are more
likely to trust these businesses, which feeds a positive feedback loop of
dependability and assurance.
○ Financial Savings: By using secure coding techniques, businesses can
steer clear of the high costs associated with data breaches, such as
penalties, legal bills, and cleanup expenditures. When compared to
post-deployment changes, addressing security issues during development
can result in significant maintenance cost savings. Strong security
protocols may also result in cheaper cybersecurity insurance rates for
businesses, which would save money overall.
○ Compliance and Legal Benefits: By using secure coding techniques,
businesses can stay out of legal hot water by adhering to several
standards and requirements. By proving that they took reasonable
precautions to secure their software, they can also lower their legal
liability, lessen the chance of negative legal outcomes, and improve their
legal position.

3. Influence of Open Source Libraries on Software Security

○ Question: How do dependencies on open source libraries affect
the security of software applications, and what secure coding
practices can mitigate associated risks?
○ Objective: To analyze the security risks posed by using open
source libraries and identify best practices for securely managing
these dependencies.
ANSWER:
The security of software applications can be greatly impacted by dependencies on
open-source libraries because of potential flaws that hackers could exploit. Due to their
public accessibility, these libraries are frequently more vulnerable to attacks, and word
of their weaknesses spreads quickly. In order to reduce these risks, developers ought to
implement safe coding methodologies. This entails implementing stringent access
control and input validation, updating dependencies to the most recent versions on a
regular basis, and using tools like Snyk or Dependabot for vulnerability scanning and
management. In order to guarantee prompt remediation of any vulnerabilities found,
developers should also follow best practices in code review, keep an up-to-date
inventory of all third-party libraries, and keep an eye out for any security advisories or
patches linked to these dependencies.

Important factors for evaluating the security risks of open-source software are shown in
the accompanying image. These factors include Overall Code Quality and Review,
which stresses the thoroughness of the code review process and the quality of the
code, Community Support, which assesses the robustness and responsiveness of the
community supporting the open-source project, and Vulnerability Management, which
entails identifying, prioritizing, and mitigating known vulnerabilities. The image also
emphasizes the value of Tips for Assessing Security Risks, which offer helpful advice
and best practices for assessing and managing potential security threats in open-source
software, and Case Studies, which provide actual examples of the software's
implementation and security performance. When deciding how to integrate open-source
components into software systems, these combined considerations help to ensure that
judgements are well-informed regarding security issues.

REFERENCES:
Effectiveness of Secure Coding Practices in Preventing Common Vulnerabilities:
https://www.linkedin.com/pulse/secure-coding-practices-manisha-bhandari-vzntc
https://www.appsecengineer.com/blog/the-impact-and-importance-of-secure-codi
ng-training#:~:text=Reducing%20the%20risk%20of%20security,are%20often%20e
xploited%20by%20attackers.
https://www.linkedin.com/pulse/secure-coding-standards-vulnerability-manageme
nt-garima-singh-lcurf
https://cqr.company/web-vulnerabilities/lack-of-secure-coding-practices/
https://www.checkpoint.com/cyber-hub/cloud-security/what-is-secure-coding/sec
ure-coding-practices-for-developers/

Cost-Benefit Analysis of Secure Coding Practices

https://www.goldskysecurity.com/security-by-design-the-advantages-of-secure-co
ding-best-practices/
https://www.researchgate.net/publication/355377840_Cost_Benefit_Analysis_of_I
ncorporating_Security_and_Evaluation_of_Its_Effects_on_Various_Phases_of_A
gile_Software_Development
https://infonomics-society.org/wp-content/uploads/A-Cost-benefit-Analysis-of-Inf
ormation-Security-Mitigation-Methods-for-ORVIs.pdf
https://www.hackthebox.com/blog/secure-coding-practices-developers-guide-to-a
pp-security

Influence of Open Source Libraries on Software Security

https://www.researchgate.net/publication/220356474_On_the_Security_of_Open_
Source_Software
https://blog.gitguardian.com/open-source-software-security/
https://moldstud.com/articles/p-the-impact-of-open-source-software-on-software-
security-engineering
https://newrelic.com/blog/how-to-relic/mitigate-open-source-library-security-risks
https://qualityclouds.com/open-source-libraries-and-security-vulnerabilities/