Friday, January 13, 2017

Secure Coding Best Practices

Secure Coding Best Practices has been an area of emphasis for our department this year.  World Class Security will be one of Information Systems’ Key Initiatives for 2016.  One of the reasons we need to take this seriously is that more than 90% of all attacks to company systems are coming through the web application layer (source:  https://www.securestate.com/services/web-application-security-grey-box).
Every three years OWASP (Open Web Application Security Project) comes out with a list of the Top Ten most critical web application security risks.  As developers we need to be familiar with these risks.  There are actually 695 different web application vulnerabilities, but safeguards against the top 10 are usually effective against most of the others. 

Here is a list of some Secure Coding Best Practices –
  1. Input Validation
    • Whitelisting
    • Blacklisting
  2. HTML encoding / escaping.
  3. Use Parameterized Queries.
    • Prepared Statements
  4. Use CSRF Tokens.
  5. Protect your session with HTTPS.
  6. Encrypt sensitive data.
    • At rest
    • In transit
    • Salt and hash all passwords
  7. Always check for proper access rights
    • Data
    • Function calls
  8. Do not expose primary keys and IDs.
  9. Classify your data. 
    • Know your asset.  What are you trying to protect?
  10. Secure your framework. 
    • Best way to secure your application. 
    • Makes security easy for the developers.
  11. Use standard tools and code libraries.
    • Update them regularly
  12. Error handling
    • Fail securely
  13. Avoid security by obscurity.
    • There are many ways to find what seems to be hidden.
  14. Defense in depth.
    • Least privilege
    • Event logging
    • Prevention and detection
  15. Know the attack surface of your application.
  16. Implement security throughout the SDLC
  17. Involve your IT Security team early.
  18. Perform Vulnerability Assessments (VA).
  19. Harden your server
    • Close unused services
    • Patch your application server
    • Don’t forget your development environment
  20. Trust no one!
    • Don’t trust the infrastructure
    • Don’t trust services from external systems
    • Don’t trust users’ input
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)