DEV Community

The Fundamentals of Security Every Developer Should Understand

Ben Halpern on March 30, 2018

Last week I made this thread: What are some fundamentals of security every developer should understand? ...
Ben Halpern • Edited

Of course, thanks to all the dev.to folks that chime in on these kinds of threads. This kind of willing wisdom sharing is such a big part of what makes the dev.to community special. 😇

Jody Dott

Regarding prepared statements: look into what your driver does with them.
Some drivers just concatenate the strings (no protection at all), others do a sanitised concatenation, and the best send the statement to the server to compile and then send the parameters to the server in separate calls.

Know what your driver does! Don't assume.

(Also, don't rely on this mechanism alone... CHECK YOUR INPUTS!)

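The three behaviours in the comment above are easiest to see side by side. The following is an added example, not code from the thread or from any driver's documentation: it uses Python's `sqlite3` module (which binds parameters inside the engine) against a constructed two-row table, runs the same tautology payload through a concatenated query and a bound one, and includes a small probe you can point at any DB-API driver to see whether a value full of SQL metacharacters round-trips through a placeholder unchanged. The `users` table, the two accounts and the `USERNAME_RE` allow-list are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample table (not from the original thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic tautology payload supplied in the "password" field.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with the two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the SQL text is built by string formatting, so the quote
    in PAYLOAD closes the literal and the remainder is parsed as SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    """Parameterised: the SQL text is fixed and the values are handed to the
    engine separately, so PAYLOAD is compared as an ordinary string."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def driver_binds_params(conn):
    """'Know what your driver does': push a value full of SQL metacharacters
    through a placeholder and check that it round-trips unchanged. A driver
    that merely concatenated the text would raise a syntax error or alter it."""
    probe = "x'); DROP TABLE users; --"
    (value,) = conn.execute("SELECT ?", (probe,)).fetchone()
    return value == probe


# Assumed allow-list for usernames: the 'check your inputs' layer that does
# not depend on what the driver does.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def valid_username(name):
    """Return True only for names matching the allow-list pattern."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = make_db()
    print("concat:", login_concat(conn, "alice", PAYLOAD))   # both users
    print("bound: ", login_bound(conn, "alice", PAYLOAD))    # []
    print("driver binds params:", driver_binds_params(conn))
    print("valid_username(PAYLOAD):", valid_username(PAYLOAD))
```

The concatenated query turns into `... AND password = '' OR '1'='1'`, which matches every row; the bound query compares the whole payload as data and matches nothing. The probe passes for `sqlite3` because binding happens in the engine; run it against the driver you actually ship with, since some (psycopg2, for instance) interpolate parameters client-side with escaping rather than sending them to the server separately, which is exactly the distinction the comment is drawing.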
Michael O'Brien • Edited

These are great. Here are my two cents to add to your list:

This has some good overlap with your items and a few others to add:

Web Developer Security Checklist: dev.to/powerdowncloud/web-develope...

T.s

It would be good to point out the essential maturity levels of security development:

  • Level 1 would be developing security awareness.
  • Level 2 would be developing security by default.
  • Level 3 would be developing security by design.
  • Level 4 would be developing defensive security in code.

Patrick O'Dacre

Thanks for posting this. I learned a lot, and the Darkwing Duck image just about triples the credibility of the advice here.

Beatriz

What are your thoughts about access-controlled documentation and restricting libraries with known vulnerabilities (CVEs)?

Dolores Greatamsky

4. Assume user input is malicious until proven otherwise.

Corollary: You cannot prove a negative as in "not malicious".

Óscar A. Montiel

Thanks.

Kresna Satya

The secure app or website is no code. Seriously: github.com/kelseyhightower/nocode