SonarSource Blog » For secure code, maintainability matters
Author Robert Collier said that “Success is the sum of small efforts repeated day in and day out.” That’s especially true when it comes to security. By now we all understand that securing your systems isn’t as simple as installing a firewall and calling it a day. Instead, it’s multiple actions and strategies in concert, implemented consistently over time. And believe it or not, one small but important strategy is simply writing code that’s reliable (bug-free) and maintainable (easy to understand). Yes, I know that sounds too simple, and possibly even self-serving. So in this post I’ll lay out some of the evidence for how writing reliable and maintainable code means you’re inherently writing more secure code.
In fact, by one count, about 60% of CWEs aren’t vulnerabilities at all. CWE-699 is the Software Development view. It “organizes weaknesses around concepts that are frequently used or encountered in software development”. It contains 40 sub-categories, including Complexity Issues, Numeric Errors and Bad Coding Practices. Of the 59 leaf listings under Bad Coding Practices, the first is the beautifully emblematic CWE-478, Missing Default Case in Switch Statement.
This is not a rule most people see as important for Code Security. At SonarSource, we don’t even class it as a Bug, but as a Code Smell / Maintainability problem. But its inclusion in the CWE says that experts in the field see it as important for security, because small, consistent efforts like providing default clauses help you write “code that is obviously right”.
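To make the CWE-478 point concrete, here is an added example (not from the original post or from SonarSource) of an access check written with and without a default clause. The role and action codes and both function names are hypothetical, chosen only for illustration.

```c
#include <stdio.h>

/* Constructed example: role and action codes are hypothetical. */
enum role   { ROLE_GUEST = 0, ROLE_USER = 1, ROLE_ADMIN = 2 };
enum action { ACT_READ = 0, ACT_WRITE = 1, ACT_DELETE = 2 };

/* Missing default (CWE-478): a role value outside the three cases
 * skips the switch entirely, so `denied` keeps its initial 0. */
int is_allowed_no_default(int role, int action)
{
    int denied = 0;
    switch (role) {
    case ROLE_GUEST: denied = (action != ACT_READ);   break;
    case ROLE_USER:  denied = (action == ACT_DELETE); break;
    case ROLE_ADMIN: denied = 0;                      break;
    }
    return !denied;
}

/* With a default clause: anything unrecognised is denied explicitly. */
int is_allowed_with_default(int role, int action)
{
    int denied;
    switch (role) {
    case ROLE_GUEST: denied = (action != ACT_READ);   break;
    case ROLE_USER:  denied = (action == ACT_DELETE); break;
    case ROLE_ADMIN: denied = 0;                      break;
    default:         denied = 1;                      break;
    }
    return !denied;
}

int main(void)
{
    /* Constructed input: e.g. a role added later, or a corrupted value. */
    int unknown_role = 7;
    printf("no default:   delete allowed = %d\n",
           is_allowed_no_default(unknown_role, ACT_DELETE));
    printf("with default: delete allowed = %d\n",
           is_allowed_with_default(unknown_role, ACT_DELETE));
    return 0;
}
```

Both functions agree on every known role; they differ only on values the author never anticipated, which is exactly where the reader of the first version has to stop and work out what happens.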