Guide: How Do You Code Securely?
Are you properly securing your code? Check out this post to learn more about securing your code with input validation, authentication, and error handling.
Join the DZone community and get the full member experience.Join For Free
1. Validate Input
You must validate all inputs that come from clients as a way of preventing injection attacks, SQL attacks, and more.
Specify the character set to be used for the input, such as UTF-8, and canonicalize (encode to a common character set) before validating.
Design a Whitelist
Create a whitelist to allow specific trusted characters and prevent all other characters that may be harmful. These may include <>'"%()&-FWV, which could be used to inject script commands.
2. Authentication and Password Management
Implement strong authentication and enforce policies that limit access to resources based on roles and minimum required level of access.
Enforce strong passwords using complexity requirements, such as a minimum length; the use of alpha, numeric, and special characters; upper and lower-case letters; etc.
Encrypt the transmission of all credentials when users are signing in using a strong encryption method.
3. Error Handling and Logging
Error messages and logs can reveal sensitive information that hackers can use to gather intelligence about applications or systems they're planning to attack.
Write generic error messages that don't reveal debugging, stack trace, or system information.
Let the application handle application errors — not the backend server.
Let the backend server handle logging operations, not the front-end application.
Stay on top of secure coding requirements across Java, PHP, Mobile, and .Net.
- Be aware of memory leaks — Developers must be aware of memory leaks in Java. Do not trust automatic memory management. There are various ways that a memory leak can occur, the most common is everlasting object references; when used, the garbage collector cannot remove the objects from the heap if there is a reference to them.
- Use pre-existing libraries — This includes research known libraries in Java, like log back and Log4j. Writing code from scratch might seem like a good solution, but how often will you update your code? Think about using secure libraries as good coding practice.
- Persist data — A good step towards guarding your session data is to encrypt all information. Note that the data can still be accessed, but at least it's not readable. An example of a method that any developer could use to persist PHP data is the
session_set_save_handler(); it allows you to persist data any way you determine.
- Avoid the MYSQL extension — This extension is insecure, unreliable, and does not support SSL. Instead of using MySQL, try PDO or mySQLi. These extensions let you name parameters and equal to a more secure coding practice.
Common in JAVA and PHP
- Never trust user data — We are all aware of cross-site scripting (XSS) attacks occurring because a user tampers with the data. Consider implementing a whitelisting and use regular expressions to constrain values if they are numeric.
- Implement strong server-side controls - Move the processing of sensitive data to the backend server. Secure the backend server with encrypted connections and strong authentication and authorization policies. Validate all data that comes into the backend to prevent the introduction of injected data, scripts, or commands.
- Protect a data at rest - Encrypt the application data storage area. Store credentials in the Apple Keychain or Android KeyStore. Credentials should never be stored in the application source code, nor in any files created by the application.
- Establish a secure connection - Use secure HTTPS connections with TLS 1.2, with greater than 128-bit encryption ciphers when transferring data. Use certificates to verify the authenticity of a trusted connection between your application and backend services.
- Think about roles — Create NET roles to group together user accounts that have the same permissions and access levels in your application. Use URL and/or File Authorization methods to restrict access to specific files and folders required by the user role.
- Secure communication — Use a combination of TLS and IPSec to secure the communication between the front and back ends of the application. TLS protects credentials in transit when users are logging in.
- Restrict communication - Implement a restrictive Gate and Gatekeeper policy to restrict user access on a need-to-know basis.
- Secure authentication - For. NET, use Integrated Windows authentication and/or certificate authentication, but never basic authentication, to ensure that all logins are encrypted when communicating between the application and a backend server. You could also integrate Microsoft Passport authentication if your application requires this type of user account.
Published at DZone with permission of Bhavesh Patel. See the original article here.
Opinions expressed by DZone contributors are their own.