Tencent Code Security Guide is open source, involving six programming languages such as C/C++ and Go

The Tencent Code Security Guide aims to sort out the risk points at the API level and provide detailed and actionable coding guidelines. It is Tencent's code security reference materials for developers in the process of exploring the practice of DevSecOps security shift left.

This open source involves security guidelines for six programming languages: C/C++, JavaScript, Node, Go, Java, and Python.

project homepage:

https://github.com/Tencent/secguide

Project background

In recent years, both DevSecOps and Google SRE's reliability and security concepts have advocated "security requires the participation of every engineer". The concept of "safe shift to the left" involved was once again pushed to the forefront and gained attention.

In addition to the security team building a series of security mechanisms and tools, each developer can also participate personally-write secure code to eliminate vulnerabilities from the source.

Based on this, Tencent’s BG security teams and enthusiastic developers have sorted out the code security guidelines from a business perspective. It provides detailed reference materials and action outlines, organizes coding best security practices by function and language, and can be used as an authoritative reference for front-line developers, helping to develop black and white box vulnerability scanning tools and strategies.

Design Concept

The content of the code security guide is expanded in a tree structure, divided into 5 layers, as follows:

2.1 Language

Each language faces different types of security risks and needs to be detailed separately. For example, comparing go and javascript, go does not have the problem of prototype chain pollution. At the same time, since the company's code style specifications are also developed in different languages, the same language-divided approach to safety regulations can maintain overall continuity.

2.2 end

The terminal here refers to different terminals, such as: Web, Android client, iOS client, and PC client. In practice, the reasons for distinguishing content by end are as follows:

1. The same programming language is used in the development of different terminal applications, and the types and numbers of risks faced by it are very different.

For example:

When JavaScript is applied to front-end page development, the main risk faced is DOM XSS; but JavaScript can also rely on Node.js for web back-end interface development. If the coding is improper, there are risks such as command injection and SQL injection.

2. In large Internet companies, project development adopts "pipeline" operations, and the division of labor is often fine and clear, and different end scenarios are used as the main catalog, which is more convenient for developers to retrieve and quickly understand coding security knowledge.

2.3 Scene

By reviewing historical vulnerabilities, security risks can be roughly classified into two categories according to their causes:

1. Code vulnerability

Refers to the security risks caused by insecure API usage and logic writing during code writing.

2. Operation and maintenance vulnerability

Refers to issues related to system operation and maintenance such as the operating environment, configuration, and dependencies of the code. Such as Tencent share of Blues " packet analysis software supply chain attack squatting low-cost fishing " article, on the nature of the security risk involved is :

Some languages rely on package management. When some corporate private software packages are only registered in the company's internal software sources, attackers can preemptively register on external public software sources.

If employees in the company use package management software to pull them, and the company's mirror source is not configured, they will pull malicious packages pre-registered by the attacker.

2.4 Function

In the process of reviewing the vulnerabilities found internally and externally, we found that security risks are highly related to business scenarios, such as:

Because the target audience of the code safety guide is for developers. In the process of writing the guide, we tried to convert the vulnerabilities into functional scenarios as the main catalog.

As it is associated with specific business scenarios, it is easier to remember related precautions during development, thereby reducing the cost of cognition and learning.

2.5 Content

The core content of the guide focuses on the API/sink points of the programming language and framework. For developers, API is the high-frequency contact object when implementing business logic.

In general, security vulnerabilities can often be attributed to incorrect use of APIs. For security engineers, sink points are a very important part of writing security policies and components, which directly determine the scanning capabilities of the security system.

When writing code security guidelines, adopted the following methods to improve the completeness of the content:

1. Aggregate best security practices in various languages, components, and framework documents;

2. Fully investigate existing specifications such as CWE, OWASP, etc., and adopt a more convenient arrangement and explanation method for developers to remember;

3. The coding model is based on a wealth of known vulnerabilities inside and outside the company, constantly supplementing risk avoidance suggestions that have not been considered before;

4. Draw inferences from one another, combine various development documents and the reasons for the vulnerabilities extracted, and unearth the risk points that are rarely mentioned and add them to the specification.

Original link: Tencent Code Security Guide is open source, involving six programming languages such as C/C++ and Go