I²R Techs & Solutions
Enhancing Web Application Security with eXtended Code Guardrails (XCG)
08 Aug 2024
The eXtended Code Guardrails (XCG) is a software solution jointly developed by GovTech’s Cyber Security Group (CSG) and A*STAR’s Institute for Infocomm Research (I²R). It enhances web application security by providing a secure-by-default framework, in addition to accelerating application development, and allows developers to focus on functional features.
XCG helps software developers produce secure code, irrespective of their level of expertise in web application development. Through a secure-by-default approach, it prevents insecure code from being written by accident and hardens the Django web framework against common web application vulnerabilities. Integrating XCG enables the creation of robust, secure web applications with confidence and ease.
Key Benefits for software developers
XCG comprises several independent Django modules, each safeguarding against a specific class of vulnerability with minimal configuration or modification.
XCG can be integrated into existing Django web applications or used to build new applications using the XCG starter kits, making it ideal for a variety of software projects, especially within the Singapore government.
• Enhance Security: XCG addresses high-risk vulnerabilities like Cross-site Scripting (XSS), OS command injection, and Insecure Direct Object References (IDOR), listed in the OWASP Top-10.
• Accelerate Development: XCG allows developers to focus on coding functional behavior for the application, instead of reimplementing or incorporating security controls in an insecure way.
• Developer Focus: XCG can be integrated with existing Django web applications with minimal configuration changes.
Accessing XCG (Open Source)
Developers can access detailed documentation and follow tutorials to build Django applications with XCG. This hands-on approach allows quick integration and immediate benefits.
Here are some of the XCG links you can explore based on your needs.
• To validate user file uploads, detect specially crafted media files with malicious intent and block them: https://github.com/GovTech-CSG/govtech-csg-xcg-securefileupload
• To protect your Django application against SSRF (Server-Side Request Forgery) vulnerabilities: https://github.com/GovTech-CSG/govtech-csg-xcg-dangerousfunctions
• A Django app that protects your application against SSRF (Server-Side Request Forgery) vulnerabilities: https://github.com/GovTech-CSG/govtech-csg-xcg-dangerousrequests
• To easily enforce permission checks on users at the level of single database records: https://github.com/GovTech-CSG/govtech-csg-xcg-modelpermissions
• To use AWS Secrets Manager to automatically refresh the Django secret key as well as database credentials (supporting MySQL and PostgreSQL): https://github.com/GovTech-CSG/govtech-csg-xcg-secretsmanager
• To generate random primary keys for Django model objects to defend against IDOR (Insecure Direct Object References) vulnerabilities, making it impossible to guess the database index to extract information: https://github.com/GovTech-CSG/govtech-csg-xcg-securemodelpkid
• To require developers to explicitly define permissions for each view before they can be accessed, thereby preventing information exposure due to coding mistakes or misconfiguration: https://github.com/GovTech-CSG/govtech-csg-xcg-viewpermissions
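As an added illustration that is not part of the XCG project or of this page, the following plain-Python sketch shows the three ideas behind the securemodelpkid, modelpermissions and viewpermissions modules working together: a random (non-sequential) primary key, a record-level ownership check that answers "missing" and "not yours" identically, and a deny-by-default dispatcher that refuses any view which has not explicitly declared the permission it needs. It uses no Django; the `DocumentStore`, `requires`, `dispatch` and `allowed` names are assumptions made for the example and are not XCG's API.

```python
import uuid
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised both when a record does not exist and when it belongs to someone
    else, so a response never reveals whether a guessed key is valid."""


@dataclass
class Document:
    owner: str
    body: str
    # Random 128-bit key instead of an auto-incrementing integer: there is no
    # "next" or "previous" record for a caller to enumerate (the idea behind
    # securemodelpkid; this dataclass is not XCG's implementation).
    pk: str = field(default_factory=lambda: uuid.uuid4().hex)


class DocumentStore:
    """Stand-in for a Django model table (assumed name, in-memory only)."""

    def __init__(self):
        self._rows = {}

    def create(self, owner, body):
        doc = Document(owner=owner, body=body)
        self._rows[doc.pk] = doc
        return doc

    def get_for_user(self, user, pk):
        """Record-level check: knowing the key is never enough, the caller
        must also own the row (the idea behind modelpermissions)."""
        doc = self._rows.get(pk)
        if doc is None or doc.owner != user:
            raise PermissionDenied(pk)
        return doc


# Registry of views that have explicitly declared the permission they need
# (the idea behind viewpermissions). Views absent from it are never served.
VIEW_PERMISSIONS = {}


def requires(permission):
    """Decorator that records the permission a view demands."""
    def wrap(fn):
        VIEW_PERMISSIONS[fn.__name__] = permission
        return fn
    return wrap


def dispatch(user, user_permissions, view_fn, *args):
    """Deny by default: an undeclared view is refused even for a fully
    privileged caller, and a declared one requires the named permission."""
    required = VIEW_PERMISSIONS.get(view_fn.__name__)
    if required is None or required not in user_permissions:
        raise PermissionDenied(view_fn.__name__)
    return view_fn(user, *args)


def allowed(user, user_permissions, view_fn, *args):
    """True if dispatch succeeds, False if it is denied."""
    try:
        dispatch(user, user_permissions, view_fn, *args)
        return True
    except PermissionDenied:
        return False


STORE = DocumentStore()


@requires("documents.view")
def document_detail(user, pk):
    return STORE.get_for_user(user, pk).body


def forgotten_view(user):
    # A developer forgot to declare a permission: deny-by-default refuses it.
    return "should never be reachable through dispatch"


if __name__ == "__main__":
    doc = STORE.create("alice", "constructed sample document")
    print("random pk:", doc.pk)
    print("alice, with permission:", allowed("alice", {"documents.view"}, document_detail, doc.pk))
    print("bob, same key:", allowed("bob", {"documents.view"}, document_detail, doc.pk))
    print("alice, no permission:", allowed("alice", set(), document_detail, doc.pk))
    print("undeclared view:", allowed("alice", {"documents.view"}, forgotten_view))
```

The point of the sketch is the failure-mode handling: the owner check raises the same exception for an unknown key and for another user's key, and the dispatcher treats "no permission declared" as a denial rather than as "open to everyone", which is the secure-by-default behaviour the modules above are meant to give a Django application.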
The development of this technology is supported by the Ministry of Digital Development and Information (MDDI) and National Research Foundation (NRF), under the Public Sector Translational R&D Grant Funding Initiative (TRANSGrant).
If you're interested in collaborating with us on your use cases or exploring in-depth research in these areas, contact us for further discussions.