ONAP has long agreed that its projects should follow the principles of Secure Design, which is one of the CII Badging requirements. The primary reference given by CII for Secure Design is Saltzer & Schroeder.
The following documents are recommended reading on the topic of Secure Programming Practices. (A web search on "secure programming practices" will also produce many articles on the topic.)
As you read these, you'll find a number of common themes.
The SAFECode document lays things out very nicely into separate practices for Design, Coding, and Testing & Validation. Under Design, they discuss: Secure Design Principles, Threat modeling, Encryption Strategy, Standardize Identity and Access, and Establish Log and Audit Practices. Under Coding, they discuss: Coding Standards, Using safe functions only, Using code analysis tools, Handling data safely, and Error Handling. And under Testing, they discuss both Automated and Manual Testing.
The other documents are oriented specifically to coding. For example, OWASP has some good checklists in these categories:
OWASP Coding Practice Checklists | ||
---|---|---|
Input Validation | Error Handling and Logging | Cryptographic Practices |
Output Encoding | Data Protection | Memory Management |
Authentication and Password Management | Communication Security | File Management |
Session Management | System Configuration | General Coding Practices |
Access Control | Database Security |
The SECCOM was recently asked to make specific recommendations about how to safely invoke external programs from a language such as Python. The following examples use shell and python for exposition, but the issue exists in all languages that provide mechanisms to execute sub-processes, including Java, C and C++.
/bin/ls -l file
subprocess.Popen(["/bin/ls", "-l", "file"],
...)
export PATH=/bin:/usr/bin
or
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
os.environ['PATH'] = '/bin:/usr/bin'
or
os.environ['PATH'] = '/sbin:/usr/sbin:/bin:/usr/bin'
.
") and relative directories (those not starting with a "/
") are not at the beginning or middle of the PATH.::
") and ":
./:
" are equivalent to including ".
". That is, "::
", ":.:
", and ":./:
" are all equivalent.:
" is equivalent to a leading ".:
".export PATH="/bin:/usr/bin:$(sanitize "$PATH")"
os.environ['PATH'] = f"/bin:/usr/bin:{sanitize(os.environ['PATH'])}"
::
, :.:
, :./:
, :./.:
, etc.)./tmp
in it, where someone could have placed a script named "ls
".)shell=True
" with the subprocess module's methods, which can allow unexpected parsing or expansion of the values being passed. For shell, ALWAYS use quote (") marks around your variable expansions; otherwise whitespace within the values may wind up generating separate arguments.shell:
cd somewhere || { echo "Cannot cd somewhere: $!" 1>&2; exit 99; }
try:
os.chdir(somewhere)
except Exception as e:
sys.exit(f"Cannot chdir({somewhere}): {e}")
apt install -y shellcheck
"the use of code quality tool help the developer to fix vulnerabilities early.
Inside the community, sonarcloud is the reference.
Checking results and fixing them regularly are one way to reduce risk
Like Code quality evaluation, software composition analysis helps the community reduce its risk.
https://snyk.io/blog/what-is-software-composition-analysis-sca-and-does-my-company-need-it/
Software Composition Analysis (SCA) is an application security methodology for managing open source components. Using SCA, development teams can quickly track and analyze any open-source component brought into a project. SCA tools can discover all related components, their supporting libraries, and their direct and indirect dependencies. SCA tools can also detect software licenses, deprecated dependencies, as well as vulnerabilities and potential exploits. The scanning process generates a bill of materials (BOM), providing a complete inventory of a project’s software assets.
The community uses whitesource and Nexus-IQ.
>>More information Code Scanning Tools and CI
To build ONAP images, the community provides secure docker images, which are built from Alpine images.
These images reduce the risk of threats; please use them.