Why Software Security Is a Skill All Programmers Should Have

As a programmer or developer, the importance of creating secure applications cannot be overstated.

Software security deals with the management of malicious attacks by identifying potential vulnerabilities in software and taking the necessary precautions to guard against them.

Software can never be 100% secure because a developer can overlook a bug, create new bugs in an attempt to fix existing cases, or create new vulnerabilities through updates.

However, there’re two key practices that all software developers can employ to ensure that they create secure software—writing secure code in the first place, and efficiently testing your code.

How to Write Secure Code

Writing secure code comes down to one thing—error handling. If you can anticipate every potential value that a user might feed your application and create a response in your program for that value, then you’re writing secure code.

This is much simpler than you might think because all good developers know almost everything about the applications they develop. Therefore, you should know every value that your application requires to carry out a task (the approved values) and understand that every other possible value in existence is an unapproved value.

Writing Secure Code

Let’s say you want to create a program that only accepts two integer values from a user and performs an addition operation on them. With that single sentence, like a good developer, you now know everything about your application. You know all the values that this program will accept (integer values) and you know the task that this program will complete (an addition operation).

Creating the Program In Java Example


import java.util.Scanner;
public class Main {
//The main function that executes the program and collects the two values
public static void main(String[] args) {
System.out.println("Please enter your two integer values: ");
int value1;
int value2;
Scanner input = new Scanner(System.in);
value1 = input.nextInt();
value2 = input.nextInt();
addition(value1, value2);
input.close();
}
//the function that collects the two values and displays their sum
private static void addition(int value1, int value2) {
int sum;
sum = value1 + value2;
System.out.println("The sum of the two integer values you entered: "+ sum);
}
}

The code above produces an application that matches the requirements precisely. On execution, it will produce the following line in the console:


Please enter your two integer values:

The application will then remain paused until the user enters two integer values in the console (that means typing the first value, hitting the enter key, and repeating).

If the user enters the values 5 and 4 in the console, the program will produce the following output:


The sum of the two integer values you entered: 9

This is great; the program does exactly what it should do. However, if a nefarious user comes along and enters a non-integer value, such as “g”, into your application there’ll be problems. This is because no code in the application protects against unapproved values.

At this point your application will crash, creating a potential gateway into your application for the hacker that knows exactly what to do next.

Securing Your Program Example


import java.util.InputMismatchException;
import java.util.Scanner;
public class Main {
//The main function that executes the program and collects the two values
public static void main(String[] args) {
try {
System.out.println("Please enter your two integer values: ");
int value1;
int value2;
//using the scanner class to read each input from the user,
//and assign it to is respective variable (throws an exception if the values are not integers)
Scanner input = new Scanner(System.in);
value1 = input.nextInt();
value2 = input.nextInt();
//calls the addition function and passes the two values to it
addition(value1, value2);
//closes the input stream after it has come to the end of its use
input.close();
//handle all the errors thrown in the try block
}catch(InputMismatchException e){
System.out.println("Please enter a valid integer value.");
}catch(Exception e) {
System.out.println(e.getMessage());
}
}
//the function that collects the two values and displays their sum
private static void addition(int value1, int value2) {
int sum;
sum = value1 + value2;
System.out.println("The sum of the two integer values you entered: "+ sum);
}
}

The code above is secure because it performs exception handling. Therefore, if you enter a non-integer value the program will terminate correctly while producing the following line of code:


Please enter a valid integer value.

What Is Exception Handling?

Essentially, exception handling is the modern version of error handling, where you separate error handling code from normal processing code. In the example above, all the normal processing code (or code that can potentially throw an exception) is within a try block, and all the error handling code is within catch blocks.

If you take a closer look at the example above, you will find that there’re two catch blocks. The first one takes an InputMismatchException argument; this is the name of the exception that’s thrown if a non-integer value is entered. The second one takes an Exception argument, and this is important because its purpose is to catch any exception within the code that the developer didn’t find during testing.

Testing Your Code

You should never underestimate the power of testing and retesting your code before packaging. Many developers (and users of their applications) find new bugs after the software is available to the public.

Thoroughly testing your code will ensure that you know what your application will do under every conceivable scenario, and that enables you to protect your application from data breaches.

Consider the example above. What if, after completion, you only test the application with integer values? You might walk away from the application thinking you successfully identified all potential errors when that isn’t the case.

The fact is that you may not be able to identify all potential errors; this is why error handling works hand in hand with testing your code. The testing of the program above shows one potential error will occur in a specific scenario.

However, if some other error that didn’t appear during testing exists, the second catch block in the code above will handle it.

Securing Your Database

If your application connects to a database, the best way to prevent access to that database is to ensure that all aspects of your application are secure. However, what if your application is designed with the sole purpose of providing an interface to said database?

This is where things get a little more interesting. In its most basic form, a database allows a user to add, retrieve, update, and delete data. A database management system is an application that allows a user to interact directly with a database.

Most databases contain sensitive data, therefore, to maintain the integrity of and limit access to this data there is one requirement—access control.

Access Control

Access control seeks to maintain the integrity of a database by defining the type of people that can access a database and restricting the type of access they have. Therefore, a good database management system should be able to log who access the database, at what time, and what they did.

It should also be able to prevent a registered user from accessing or editing data that they are not authorized to interact with.

Software Security Is a Crucial Skill For All Developers

Developing good software is synonymous with ensuring that your software can withstand any malicious attack. This is only achievable through the writing of secure code, the continual testing of an application, and maintaining control of who has access to your data.

Now that you know how to secure your software, you might want to learn about some software development steps.