Before We Start
This is just a few points cropped from OWASP Secure Coding Practices to refresh everyone's mind about Secure Coding Practices. Reading the main resource is advised and more appreciated. Please find the main resource in this Link.
Secure Coding Practices
These are not something new. These are the industry best practices that many of you already know. But it's better to refresh this knowledge once in a while. So Without any further talking let's go to the point.
Input Validation
- Validation must be included both in server and client side.
- Data can be classified in trusted and un-trusted section.
- Proper character sets (e.g. UTF-8) should be specified for all input.
- UTF-8 encoding/decoding can be used for security from malicious character.
- Hazardous characters should not be allowed (e.g. <> " ' % ( ) & + \ \' \"*#;--).
Output Encoding
- Translate special characters into non-dangerous character for interpreter / server.
- All characters should be encoded unless they are known to be safe for the intended interpreter.
- All data going for SQL, XML, and LDAP* should be sanitized.
Authentication and Password Management
- Passwords should be saved as one-way salted hash (MD5 is easy to break).
- Password hashing should be done on server.
- Instead showing "Invalid username" or "Invalid password" just use "Invalid username and/or password“.
- Authentication for connections to external systems should be implemented.
- To transmit authentication credentials use HTTP/HTTPS POST request.
- Changing temporary passwords & Strong password policy should be enforced.
- Account should be temporarily disabled after a number of invalid login attempt.
- Temporary information (e.g. OTP) should have expiration time.
- Multi-Factor Authentication can be used.
- Third party codes for authentication must be inspected carefully.
Session Management
- Sessions should be created on server with well vetted algorithms.
- Logout should terminate session and generate new on any re-authentication.
- Concurrent logins with the same user ID should be discouraged.
- Session identifiers should not be exposed and easy guessable.
- It is recommended to consistently utilize HTTPS rather than switching between HTTP.
- Cross-Site Request Forgery (CSRF) should be prevented.
Access Control
- Authorization decisions should be made from server side.
- Access to files or other resources should be authorized.
- User role should be implemented in terms of access.
- Number of transactions a single user or device can perform in a given period of time should be limited.
- Auditing and disabling of unused accounts should be implemented.
- Create an Access Control Policy.
Cryptographic Practices
- All cryptographic functions should be implemented on Server.
- A policy to manage cryptographic keys should be established.
Error Handling and Logging
- Sensitive information like stack trace should not be disclosed in error responses.
- Try to handle most of the error on client side and custom error pages should be constructed.
- Allocated memory should be securely released when error conditions occur.
- Logs should contain log event data like validation failures, authentication attempts, apparent tampering events, exceptions, administrative functions failures.
- Sensitive informatio should not be logged and log access should be restricted.
- Log analysis should be done and non-printable characters should be encoded in log entries.
Data Protection
- Users should get only required data that is needed to perform their tasks.
- Sensitive data should be identified to establish a policy to control it.
- Cached or Temporary copies of sensitive data stored on the server should be protected.
- Highly sensitive information should be encrypted.
- Server-side source-code should be protected from being downloaded by a user.
- Unnecessary application and system documentation should be removed from production server.
- Sensitive information should not be in HTTP GET request parameters.
Communication Security
- SSL should be enabled with non expired, proper domain certificate.
- External systems should also have SSL.
- At minimum operations like Login, Registration, Access to personal data , Change of password & Password reminder function should be encrypted.
System Configuration
- Servers, frameworks and system should be in latest stable version with security patch.
- Directory & directory structure listings should be turned off and unnecessary functionality, files test code or any functionality should not be in production.
- Info related to OS, server & app framework should be removed from HTTP response headers.
- An asset management system should be implemented (like Git).
- Isolate development from production.
Database Security
- Databases should be hardened in accordance with CIS benchmarks.
- Variables should be strongly verified before sending into queries.
- Database should be accessed using secured user with lowest privileged.
- Connection strings should not be hard coded and should be encrypted.
- DB connection should be closed as soon as possible.
- Default passwords should be changed.
- Any accounts that are not required should be disabled.
File Management
- User supplied data should not be passed to dynamic execution function (ex - Eval).
- Authentication is required before providing files.
- Execution privileges should be turned off on file upload directories.
- Use Secure Upload (check file size, change file name, check extension).
- Directory or file paths should not be passed, use index values mapped to pre-defined list.
Memory Management
- Double check that buffer size and do not write past the allocated space.
- All input strings should be truncated to a reasonable length.
- Specifically close resources, don’t rely on garbage collection.
- Do not use known vulnerable functions (e.g., printf, strcat, strcpy etc.).
- Allocated memory should be securely freed.
General Coding Practices
- Tested and approved code should be prioritized over new code.
- Verify Integrity of interpreted code, libraries, executables, and configuration files.
- Use variables & resources carefully and initialize during declaration or before usage.
- Calculation errors should be avoided by understanding how the language handles numbers.
- User supplied data should not be passed to dynamic execution function (ex - Eval).
- Secondary applications, third party codes and libraries safety should be reviewed.
- Encrypted and Secured channels should be used to transfer the code from the host server.
- Frameworks should be updated to latest stable version.
- Developers should be trained on secure coding practices periodically.
Top comments (0)