The Tencent Code Security Guide aims to catalogue security risk points at the API level and to provide detailed, actionable coding guidelines. It is Tencent's code security reference material for developers, produced in the course of the company's DevSecOps "shift-left" security practice and exploration.
This open-source release covers security guides for six programming languages: C/C++, JavaScript, Node, Go, Java and Python.
Project homepage:
https://github.com/Tencent/se…
Project background
In recent years, both DevSecOps and Google's SRE view of reliability and security have advocated that "security requires the participation of every engineer". The related concept of "shifting security left" has once again been pushed to the foreground and gained attention.
Beyond the security team building a set of security mechanisms and tools, every developer can take part in the process by writing secure code and eliminating vulnerabilities at the source.
On this basis, the security teams of Tencent's business groups (BGs) and enthusiastic developers have compiled code security guidelines from a business perspective. The guide provides detailed reference material and an action outline, collates secure coding best practices by feature and language, and serves as an authoritative reference for front-line developers as well as an aid in developing black-box and white-box vulnerability scanning tools and policies.
Design concept
The content of the Code Security Guide is organised as a tree with five layers, as follows:
2.1 Language
Each language faces different kinds of security risks, which need to be described separately. For example, Go does not have the prototype chain pollution problem that JavaScript has. In addition, since the company's code style specifications are already split by language, the security specification adopts the same division to keep the whole coherent.
2.2 End
The "end" here refers to the different terminals an application runs on, such as Web, Android client, iOS client and PC client. In practice, the content is distinguished by end for the following reasons:
1. The same programming language, used to develop applications for different ends, faces very different types and amounts of risk. For example: when JavaScript is used for front-end page development, the main risk is DOM XSS; but JavaScript can also be used with Node.js to develop Web back-end interfaces, and if the coding is not appropriate, risks such as command injection and SQL injection arise.
2. In large Internet companies, project development runs as an "assembly line" and the division of labour is often precise and clear. Taking the scenarios at different ends as the backbone directory makes it easier for developers to find and quickly grasp the coding security knowledge they need.
2.3 Scenario
By reviewing historical vulnerabilities, security risks can be roughly divided into two categories according to their causes:
1. Code vulnerabilities
Security risks introduced while writing code, through insecure API use and flawed logic.
2. Operations and maintenance vulnerabilities
Problems in the code's runtime environment, configuration, dependencies and other system operation concerns. An example is the article shared by Tencent Blue Jun, "A Brief Analysis of the Software Supply Chain Attack: Package Seizing, Low-cost Phishing"; the security risk it describes is essentially the following:
Some languages rely on package management. When an enterprise's private packages are registered only with the internal package source, an attacker can register the same package name on the external public source.
If an employee pulls packages with the package manager and the company mirror source is not configured, the malicious package the attacker has seized will be pulled instead.
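As an added example (not from the Tencent guide or the referenced article), the check below looks for the misconfiguration that the scenario depends on: an internal package that would be resolved from the public registry because the project's .npmrc does not pin its scope to the internal registry. It assumes that internal packages are published under known npm scopes and that the internal registry host is known; the package.json and .npmrc contents are constructed sample data.

```javascript
// Added example, not from the Tencent guide: flag internal-scope dependencies whose
// scope is not pinned to the internal registry in .npmrc, i.e. the condition under
// which a same-name package on the public registry would be pulled instead.

// Parse the key=value lines of an .npmrc; lines starting with # or ; are comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Scope of a package name ("@corp/auth-client" -> "@corp"), or null if unscoped.
function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Return dependencies that belong to an internal scope but have no "@scope:registry"
// entry pointing at the internal registry host, so they would resolve publicly.
function findUnpinnedInternalDeps(pkg, npmrc, internalScopes, internalRegistryHost) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = scopeOf(name);
    if (!scope || !internalScopes.includes(scope)) continue;
    const registry = npmrc[`${scope}:registry`];
    let pinned = false;
    if (registry !== undefined) {
      try {
        pinned = new URL(registry).host === internalRegistryHost;
      } catch (e) {
        pinned = false; // unparsable registry URL counts as not pinned
      }
    }
    if (!pinned) findings.push({ name, scope, registry: registry === undefined ? null : registry });
  }
  return findings;
}

// Constructed sample input (hypothetical project files, not real ones).
const SAMPLE_PACKAGE_JSON = {
  name: 'billing-service',
  dependencies: {
    '@corp/auth-client': '^2.1.0',
    'express': '^4.18.0',
    '@corp-legacy/logger': '1.0.3',
  },
  devDependencies: { '@corp/eslint-config': '^1.0.0' },
};
const SAMPLE_NPMRC = `
# company mirror for the public registry
registry=https://mirrors.corp.example/npm/
@corp:registry=https://npm.corp.example/
; the @corp-legacy scope was never pinned
`;

function runSampleAudit() {
  return findUnpinnedInternalDeps(
    SAMPLE_PACKAGE_JSON,
    parseNpmrc(SAMPLE_NPMRC),
    ['@corp', '@corp-legacy'],
    'npm.corp.example',
  );
}

for (const f of runSampleAudit()) {
  console.log(`${f.name}: scope ${f.scope} is not pinned to the internal registry (registry=${f.registry})`);
}
```

The check is scope-based because scoped names are what npm's per-scope registry setting keys on; an unscoped internal package name cannot be pinned this way and would need a separate allowlist, which is one reason to publish internal packages under a scope in the first place.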
2.4 Features
When reviewing internal and external vulnerabilities, we found that security risks are strongly correlated with business scenarios, such as:
Because the target audience of the code security guide is developers, while writing it we tried to map vulnerabilities onto feature scenarios, which serve as the backbone of the guide.
Since each consideration is tied to a specific business scenario, it is easier to recall during development, which lowers the cost of understanding and learning.
2.5 Content
The core content of the guide is centred on the APIs and sink points of programming languages and frameworks. For developers, APIs are what they touch most frequently when implementing business logic.
More often than not, security vulnerabilities can be attributed to incorrect use of an API. For security engineers, sink points are a very important part of writing security policies and components, and directly determine the scanning capability of the security system.
When writing the code security guidelines, the following approaches were taken to enrich the content:
1. Consolidate security best practices from language, component and framework documentation;
2. Thoroughly survey existing standards such as CWE and OWASP, and adopt an arrangement and presentation that is easier for developers to remember;
3. Base the coding patterns on the wealth of known vulnerability cases inside and outside the company, continually adding risk-avoidance advice that had not previously been considered;
4. Generalise from individual cases: combine the root causes of vulnerabilities found in various development documents, abstract them, and add rarely mentioned risk points to the specification.
Tencent open-sources its Code Security Guide, covering six programming languages including C/C++ and Go