Secure coding guidelines
Download as PPTX, PDF1 like299 views
The document provides rules for secure coding practices in four areas: injection prevention, authentication, sensitive data handling, and access control. For injection prevention, it recommends validating user input, using safe parameterized APIs, and escaping data. For authentication, it lists rules like strong password policies, secure storage and transmission of passwords, and limiting failed login attempts. For sensitive data, it advises classifying and encrypting sensitive information. For access control, it suggests dividing software into security roles and enforcing access checks on the server-side.
Secure coding guidelines
- 4. Injection Prevention Rules • Rule #1 (Perform proper input validation): Perform proper input validation. Positive or “whitelist” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. • Rule #2 (Use a safe API): The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood. • Rule #3 (Contextually escape user data): If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. • Further reading: https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet
- 5. Authentication Rules • Implement Proper Password Strength Controls • Implement Secure Password Recovery Mechanism • Store Passwords in a Secure Fashion • Transmit Passwords Only Over TLS or Other Strong Transport • Require Re-authentication for Sensitive Features • An application should respond with a generic error message regardless of whether the user ID or password was incorrect. • Prevent Brute-Force Attacks by disabling user account after multiple failed logins. • Enable logging and monitoring of authentication functions to detect attacks • Further reading: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
- 6. Sensitive Data Rules • Classify data processed, stored or transmitted by application. • Identify which data is sensitive according to laws, regulation and business needs. • Dont store sensitive data unnecessarily. Data that is not retained cannot be stolen. • Make sure to encrypt sensitive data at rest. • Encrypt all data in transit with secure protocols like TLS • Disable caching for responses which contain sensitive data. • Further reading: http://cwe.mitre.org/data/definitions/312.html
- 7. Access Control Rules • Divide the software into anonymous, normal, privileged, and administrative areas. Carefully map roles with data and functionality. • Ensure that you perform access control checks related to your business logic. • Consider using authorization frameworks such as the JAAS Authorization Framework. • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. • Use the access control capabilities of your operating system and server environment. • Further reading: https://cwe.mitre.org/data/definitions/285.html