Follow secure coding practices in Enterprise 11

Bot developers should ensure that their code, both Bot Logic and any C# code written for DLLs that a bot calls, follows standard secure coding practices.

The following list of security checks is generally applicable and relevant to bot creation.

These checks correspond to the software vulnerability categories identified in the OWASP Top 10 (2017 edition) by the Open Web Application Security Project (OWASP), a not-for-profit organization focused on improving the security of software. Each OWASP issue listed below maps to specific entries in the Common Weakness Enumeration (CWE), a catalog of software weakness types that can be introduced during development, maintained by MITRE, a nonprofit research and development organization.

Developers must also apply any additional secure coding practices required by the internal security policies of their environments.

The table below lists each OWASP issue, its description, and the corresponding CWEs.

OWASP issue: A1: Injection
Description: Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
Corresponding CWEs:
  • CWE-78: Improper Neutralization of Special Elements Used in an OS Command (OS Command Injection)
  • CWE-89: Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection)
  • CWE-94: Improper Control of Generation of Code (Code Injection)
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-494: Download of Code Without Integrity Check
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

OWASP issue: A2: Broken Authentication
Description: Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.
Corresponding CWEs:
  • CWE-306: Missing Authentication for Critical Function
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-798: Use of Hard-coded Credentials
  • CWE-807: Reliance on Untrusted Inputs in a Security Decision
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization

OWASP issue: A3: Sensitive Data Exposure
Description: Rather than directly attacking cryptography, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while it is in transit, or from the user's client, such as a browser. A manual attack is generally required. Previously retrieved password databases can be brute forced using Graphics Processing Units (GPUs).
Corresponding CWEs:
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-319: Cleartext Transmission of Sensitive Information

OWASP issue: A5: Broken Access Control
Description: Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify that it is functional when it is present. Access control weaknesses are detectable by manual testing, or possibly through automation for the absence of access controls in certain frameworks.
Corresponding CWEs:
  • CWE-73: External Control of File Name or Path
  • CWE-285: Improper Authorization

OWASP issue: A6: Security Misconfiguration
Description: Attackers often attempt to exploit unpatched flaws or to access default accounts, unused pages, unprotected files and directories, and so on, to gain unauthorized access to or knowledge of the system.
Corresponding CWEs:
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-676: Use of Potentially Dangerous Function
  • CWE-732: Incorrect Permission Assignment for Critical Resource

OWASP issue: A9: Using Components with Known Vulnerabilities
Description: Although it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require a concentrated effort to develop a custom exploit.
Corresponding CWEs:
  • CWE-190: Integer Overflow or Wraparound
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-759: Use of a One-way Hash Without a Salt
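The A1: Injection entry (CWE-78 and CWE-89) in practice: the example below is added here and is not Automation Anywhere code. It shows how a DLL called from a bot typically becomes injectable when it splices a bot variable into SQL text or a cmd.exe command line, next to the hardened form that passes the value as a typed parameter or allowlists it and launches the tool without a shell. It assumes a .NET Framework project, where System.Data.SqlClient ships in the box; the table, the export tool path and the input values are hypothetical. Nothing connects to a database or starts a process, so it runs offline and only prints what would have been executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example (not Automation Anywhere code): injectable and hardened ways
// for a bot DLL to build a query and a command line from a bot-supplied value.
public static class InjectionExamples
{
    // VULNERABLE (CWE-89): the value is spliced into the SQL text, so a single
    // quote in the input rewrites the query.
    public static string BuildLookupUnsafe(string customerId)
    {
        return "SELECT Name FROM Customers WHERE Id = '" + customerId + "'";
    }

    // HARDENED: the value travels as a typed parameter; the SQL text is constant.
    public static SqlCommand BuildLookupSafe(string customerId)
    {
        var cmd = new SqlCommand("SELECT Name FROM Customers WHERE Id = @id");
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 64).Value = customerId;
        return cmd;
    }

    // VULNERABLE (CWE-78): cmd.exe re-parses the whole line, so "&" or "|" in
    // the report name starts a second command.
    public static ProcessStartInfo BuildExportUnsafe(string reportName)
    {
        return new ProcessStartInfo("cmd.exe", "/c export.exe " + reportName + ".csv");
    }

    // HARDENED: no shell in the middle, and the argument must match an
    // allowlist before it is used. The tool path is hypothetical.
    private static readonly Regex ReportName = new Regex(@"^[A-Za-z0-9_-]{1,40}$");

    public static ProcessStartInfo BuildExportSafe(string reportName)
    {
        if (!ReportName.IsMatch(reportName))
            throw new ArgumentException("report name rejected by allowlist: " + reportName);
        return new ProcessStartInfo(@"C:\Tools\export.exe", reportName + ".csv")
        {
            UseShellExecute = false
        };
    }

    public static void Main()
    {
        // Constructed hostile inputs, as a bot variable might carry them.
        string sqlPayload = "42' OR '1'='1";
        string cmdPayload = "report & whoami";

        Console.WriteLine("unsafe SQL : " + BuildLookupUnsafe(sqlPayload));
        SqlCommand safe = BuildLookupSafe(sqlPayload);
        Console.WriteLine("safe SQL   : " + safe.CommandText
                          + "   @id=" + safe.Parameters["@id"].Value);

        ProcessStartInfo bad = BuildExportUnsafe(cmdPayload);
        Console.WriteLine("unsafe cmd : " + bad.FileName + " " + bad.Arguments);
        try
        {
            BuildExportSafe(cmdPayload);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("safe cmd   : " + e.Message);
        }
    }
}
```

The unsafe SQL line prints with the `' OR '1'='1` clause already part of the query, while the safe command keeps `@id` in the text and the payload only as a parameter value. For the command line, the allowlist rejects the input before anything is launched; if a real tool needs characters outside an allowlist, validate against the tool's own argument grammar rather than relying on quoting.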
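The A2: Broken Authentication entry (CWE-798) and the A3: Sensitive Data Exposure entry (CWE-311, CWE-319) share one concern for a bot DLL: where the credential lives and how it leaves the machine. The example below is added here and is not Automation Anywhere code. It keeps the secret out of the compiled DLL by wrapping it with Windows DPAPI (bound to the Bot Runner's Windows account), and refuses to attach it to anything but an https:// client with redirects disabled. It assumes a .NET Framework project with a reference to System.Security.dll; the endpoint and the secret value are constructed for the demonstration, and no request is actually sent.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Added example (not Automation Anywhere code): keep a credential out of the
// DLL and off clear-text transport. Windows only (DPAPI).
public static class CredentialHandling
{
    // VULNERABLE (CWE-798): a constant like this is recoverable from the DLL
    // with any strings tool and cannot be rotated without a rebuild.
    //   private const string ApiPassword = "P@ssw0rd!";

    // Wrap a secret with DPAPI so only the same Windows account on the same
    // machine can unwrap it. The bot hands the wrapped form to the DLL; the
    // clear text exists in memory only while the call is made.
    public static string Protect(string secret)
    {
        byte[] wrapped = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(wrapped);
    }

    public static string Unprotect(string wrappedBase64)
    {
        byte[] clear = ProtectedData.Unprotect(
            Convert.FromBase64String(wrappedBase64), null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(clear);
    }

    // Refuse clear-text transport (CWE-319) before a credential is attached.
    // Redirects are disabled so an https:// endpoint cannot bounce the request
    // to http://. Tls12 is the floor here; include Tls13 on frameworks that have it.
    public static HttpClient CreateClient(Uri endpoint)
    {
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(
                "refusing to send credentials over " + endpoint.Scheme + "://");
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        return new HttpClient(handler) { BaseAddress = endpoint };
    }

    public static void Main()
    {
        string wrapped = Protect("demo-secret");   // constructed value
        Console.WriteLine("wrapped          : " + wrapped);
        Console.WriteLine("unwrapped matches: " + (Unprotect(wrapped) == "demo-secret"));

        try
        {
            CreateClient(new Uri("http://api.example.internal/"));   // hypothetical endpoint
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected         : " + e.Message);
        }

        using (HttpClient client = CreateClient(new Uri("https://api.example.internal/")))
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", Unprotect(wrapped));
            Console.WriteLine("client ready for : " + client.BaseAddress);
        }
    }
}
```

DPAPI with DataProtectionScope.CurrentUser ties the wrapped value to the account the bot runs under, so a wrapped blob copied from one Bot Runner to another, or to another user, will not unwrap. That is the intended property: the credential is usable only where the bot is authorized to run.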
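The A5: Broken Access Control entry (CWE-73) is the one a file-handling bot hits most often: a file name arrives in a bot variable and the DLL opens it relative to a working folder. The example below is added here and is not Automation Anywhere code. It canonicalizes the base folder and the requested name and then checks containment, which catches `..` segments, mixed separators and, because Path.Combine discards the base when the second argument is rooted, absolute paths as well. The folder and the inputs are hypothetical; nothing on disk is touched.

```csharp
using System;
using System.IO;

// Added example (not Automation Anywhere code): confine a bot-supplied file
// name to one allowed folder (CWE-73).
public static class SafePaths
{
    // Canonicalize both sides, then test that the candidate starts with the
    // root. The trailing separator on root stops "C:\BotData\Invoices2\" from
    // passing as a child of "C:\BotData\Invoices". The comparison is
    // case-insensitive because NTFS is.
    public static string Resolve(string baseDirectory, string requestedName)
    {
        string root = Path.GetFullPath(baseDirectory)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException(
                "'" + requestedName + "' resolves outside " + root);
        return candidate;
    }

    public static void Main()
    {
        string root = @"C:\BotData\Invoices";   // hypothetical allowed folder
        string[] inputs =                      // constructed inputs
        {
            @"2024\jan.csv",
            @"..\..\Windows\win.ini",
            @"C:\Windows\win.ini",
            @"2024/../../secrets.txt",
        };
        foreach (string name in inputs)
        {
            try
            {
                Console.WriteLine("allow " + Resolve(root, name));
            }
            catch (UnauthorizedAccessException e)
            {
                Console.WriteLine("deny  " + e.Message);
            }
        }
    }
}
```

Only the first input is allowed; the other three resolve to C:\Windows\win.ini or C:\BotData\secrets.txt and are refused. Do the containment check on the canonical path, never on the raw string, and do it before any existence check so the error message does not reveal whether a file outside the folder exists.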