
Introduction


"eXtended Code Guardrails" (XCG) was jointly developed by GovTech's Cyber Security Group (CSG) and A*STAR's Institute for Infocomm Research to contain the effects of insecure code through a secure-by-default framework. XCG raises the baseline security of web applications by removing or limiting insecure behaviours in the underlying framework, so that the impact of a vulnerability is reduced or eliminated even when a developer writes insecure code by accident.

Many of the vulnerabilities that XCG addresses are high-risk, appear in the OWASP Top 10, and have been known for over 20 years. These include Cross-site Scripting (XSS), OS command injection, and Insecure Direct Object References (IDOR).

XCG is built on Django, a high-level Python web framework that encourages rapid development. Built and maintained by experienced developers, Django handles many of the routine concerns of web application development, so developers can focus on writing their application without reinventing the wheel.

XCG is supported by the Smart Nation and Digital Government Office (SNDGO) and the National Research Foundation (NRF) under the Public Sector Translational R&D Grant Funding Initiative (TRANS Grant). The aim of the funding initiative is to tap the research community to solve public sector challenges through innovative use of technology.

Beta-stage product

As the output of a research project, XCG has not yet been tested extensively in production settings and should therefore be considered a beta-stage product. Developers should exercise caution before incorporating XCG packages in certain situations, such as business-critical applications.

That said, the following mitigating factors should reduce the integration risk:

  1. Each package ships with an automated test suite covering its functional features. This should provide confidence that the packages behave as intended.
  2. The packages have been designed to minimise the code changes required for integration. This makes them easy to add to, or remove from, an existing codebase, which should facilitate quick trials.

If you encounter issues while using any of the packages, please contact the maintainers (see the community section for details). Your feedback is appreciated and will be invaluable for improving XCG for the rest of the community.

How It Works

XCG comprises several independent Django modules that alter Django's default behaviour to close security gaps. Each module protects the application against a specific category of vulnerability and requires minimal configuration or modification of the application.

Developers can incorporate XCG modules in their existing Django web applications or build a fresh Django web application with XCG starter kits.

Key Benefits

  • Enhances security of web applications.
  • Increases speed of application development.
  • Enables developers to focus on the application's functional behaviour, instead of reimplementing security controls themselves or integrating them insecurely.

Next Steps

Read the detailed documentation for each package here, or follow a step-by-step tutorial to build a simple Django application with XCG enabled here.