Published Aug 31, 2021

Episode 475: Rey Bango on Secure Coding Veracode

Rey Bango, Veracode's Senior Director of Developer and Security Relations, delves into the essential integration of security within the software development lifecycle, emphasizing shift-left security, dependency management, and secure coding practices to protect open source projects amidst evolving challenges.
Episode Highlights
Software Engineering Radio - the podcast for professional software developers logo

Popular Clips

Episode Highlights

  • Input Validation

    emphasizes the critical role of input validation in secure coding. He explains that relying solely on front-end validation is insufficient, as it can be easily bypassed, and stresses the importance of server-side validation to ensure data integrity 1. Bango highlights the effectiveness of whitelisting acceptable inputs and using Object-Relational Mappings (ORMs) to validate data types throughout the processing chain 2.

    You want to make sure that somebody's not saying drop table. That'd be pretty bad.

    ---

    He also warns about the potential for cross-site scripting attacks if inputs are not properly sanitized and encoded 1.

       

    Logging

    Logging plays a pivotal role in secure coding, but it must be handled with care to avoid exposing sensitive information. advises against revealing diagnostic codes and system details in logs, as they can be exploited by malicious actors 3. He shares an example of a security breach where excessive logging led to vulnerabilities being discovered by attackers 4.

    I think it's important if you have an error, you handle it gracefully. And that exception log is clearly in the backend.

    ---

    Bango suggests using backend logging mechanisms and secure channels like Jira tickets for developers to access error information without compromising security 3.

       

    Secure Practices

    Secure coding practices are essential for minimizing vulnerabilities in software development. discusses the importance of proactive measures such as sanitizing inputs, securing APIs, and integrating third-party systems securely 5. He stresses the need for developers to think about security early in the development process and to continuously evaluate their security posture even after deployment 5.

    You have to sanitize inputs, you have to sanitize inputs.

    ---

    Bango also highlights the risks of relying on third-party code without proper vetting and suggests using private package managers to ensure code integrity 6.

Related Episodes