I²R Techs & Solutions

Enhancing Web Application Security with eXtended Code Guardrails (XCG)

The eXtended Code Guardrails (XCG) is a software solution jointly developed by GovTech’s Cyber Security Group (CSG) and A*STAR’s Institute for Infocomm Research (I²R). It enhances web application security by providing a secure-by-default framework in addition to accelerating application development, allowing developers to focus on functional features.

XCG helps software developers produce secure code, irrespective of their level of expertise in web application development. Through a secure-by-default approach, it prevents insecure code from being written by accident and hardens the Django web framework against common web application vulnerabilities. Integrating XCG enables the creation of robust, secure web applications with confidence and ease.

Key Benefits for software developers
XCG comprises several independent Django modules, each safeguarding against a specific class of vulnerability with minimal configuration or modification.

XCG can be integrated into existing Django web applications or used to build new applications using the XCG starter kits, making it ideal for a variety of software projects, especially within the Singapore government.

Enhance Security: XCG addresses high-risk vulnerabilities such as Cross-site Scripting (XSS), OS command injection, and Insecure Direct Object References (IDOR), all listed in the OWASP Top 10.
Accelerate Development: XCG allows developers to focus on coding the application's functional behavior, instead of reimplementing security controls or incorporating them in an insecure way.
Developer Focus: XCG can be integrated with existing Django web applications with minimal configuration changes.

Accessing XCG (Open Source)

Developers can access detailed documentation and follow tutorials to build Django applications with XCG. This hands-on approach allows quick integration and immediate benefits.

Here are some of the XCG links you can explore based on your needs.

To validate user file uploads, detect specially crafted media files with malicious intent and block them: https://github.com/GovTech-CSG/govtech-csg-xcg-securefileupload

To protect your Django application against SSRF (Server-Side Request Forgery) vulnerabilities: https://github.com/GovTech-CSG/govtech-csg-xcg-dangerousfunctions

For a Django app that protects your application against SSRF (Server-Side Request Forgery) vulnerabilities: https://github.com/GovTech-CSG/govtech-csg-xcg-dangerousrequests

To easily enforce permission checks on users at the level of single database records: https://github.com/GovTech-CSG/govtech-csg-xcg-modelpermissions

To use AWS Secrets Manager to automatically refresh the Django secret key as well as database credentials (supporting MySQL and PostgreSQL): https://github.com/GovTech-CSG/govtech-csg-xcg-secretsmanager

To generate random primary keys for Django model objects to defend against IDOR (Insecure Direct Object References) vulnerabilities, making it impossible to guess a database index in order to extract information: https://github.com/GovTech-CSG/govtech-csg-xcg-securemodelpkid
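The two IDOR defences listed above (record-level permission checks and unguessable primary keys) work together: a random key stops an attacker from guessing identifiers, and the per-record check stops a leaked or shared key from granting access it should not. The following is an added illustration of that combination in plain Python; it is not XCG's code or API, and the in-memory `RecordStore` is a hypothetical stand-in for a Django model table.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    """One row of the hypothetical table."""
    pk: str
    owner: str
    data: str


class RecordStore:
    """In-memory stand-in for a Django model with two IDOR defences:
    random, unguessable primary keys and a per-record ownership check."""

    def __init__(self, pk_bytes: int = 16):
        # 16 random bytes = 128 bits of entropy per key (assumed size).
        self._pk_bytes = pk_bytes
        self._rows: dict[str, Record] = {}

    def create(self, owner: str, data: str) -> str:
        # Use a CSPRNG-backed URL-safe token instead of an auto-incrementing
        # integer, so one valid key reveals nothing about neighbouring rows.
        pk = secrets.token_urlsafe(self._pk_bytes)
        while pk in self._rows:  # collision is practically impossible; stay explicit
            pk = secrets.token_urlsafe(self._pk_bytes)
        self._rows[pk] = Record(pk=pk, owner=owner, data=data)
        return pk

    def get(self, requester: str, pk: str) -> Record:
        """Return the record only if it exists AND belongs to the requester.

        A random key alone is not authorisation: a key that leaks through a
        log, a referrer or a shared link must still fail the ownership check.
        Missing and forbidden records raise the same error so the lookup does
        not confirm whether a given key exists.
        """
        row = self._rows.get(pk)
        if row is None or row.owner != requester:
            raise PermissionError("record not found or access not permitted")
        return row

    def key_bits(self) -> int:
        """Entropy of each generated key, for sanity-checking configuration."""
        return self._pk_bytes * 8
```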

To require developers to explicitly define permissions for each view before they can be accessed, thereby preventing information exposure due to coding mistakes or misconfiguration: https://github.com/GovTech-CSG/govtech-csg-xcg-viewpermissions

The development of this technology is supported by the Ministry of Digital Development and Information (MDDI) and National Research Foundation (NRF), under the Public Sector Translational R&D Grant Funding Initiative (TRANSGrant). 

If you're interested in collaborating with us on your use cases or exploring in-depth research in these areas, contact us for further discussions.