Secure Coding Principles

August 2022

Introduction

As an experienced Java web developer and application architect with a strong background in application security and framework development, I have meticulously developed this secure coding guideline from the application problems I most often identified during code reviews and application security assessments.

My aim is to give developers a comprehensive set of principles and best practices for improving the security of their applications. By addressing the vulnerabilities most commonly exploited in real-world attacks, I hope to foster a proactive security culture and reduce the risk of security breaches.

Input and Output Handling

  • Input Validation:

    • Conduct all data validation on a trusted system (the backend server, never only in the client), and apply it to data from every untrusted source.

    • Validate all untrusted client-provided data before processing, including parameters, URLs, and HTTP header content (e.g., Cookie names and values), and automated postbacks from JavaScript.

    • Validate for expected data types, data range, and data length.

    • Validate all input using an allow-list (white-list) approach: accept only what is explicitly permitted, rather than trying to block known-bad values.

    • Handle hazardous characters, such as null bytes (%00), new line characters (%0d, %0a, \r, \n), and path alteration characters (../ or ..\).

    • Address alternate representations like %c0%ae%c0%ae/.

    • Implement a centralized input validation routine.

    • Define and specify the character set (e.g., UTF-8) for all input sources.

    • Canonicalize input by decoding it into the defined character set before validation, so that encoded variants of a value cannot bypass the checks.

    • Verify HTTP header values.

    • Validate data from redirects.

  • Output Encoding:

    • Utilize a standard and centralized outbound encoding to the presentation layer.

    • Contextually sanitize all output of untrusted data that is passed into SQL, XML, and LDAP queries.
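
As an added example (not code from the original page), the following Python routine implements the input-validation items above as one centralized function: it canonicalizes percent-encoding into UTF-8 (tolerating double encoding, rejecting deeper layers), rejects null bytes, CR/LF, path alteration sequences and overlong forms such as %c0%ae, and then applies a per-field allow-list that also enforces type, length and range. The field names and patterns are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes


class ValidationError(ValueError):
    """Raised for any input that fails the centralized checks."""


# Allow-list per field: the canonical value must match the pattern in full.
# These rules are constructed for the example, not taken from any real app.
ALLOW_LIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "filename": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),  # numeric range 1..9999
}
HAZARDOUS = ("\x00", "\r", "\n")  # null byte and line terminators
MAX_DECODE_ROUNDS = 3  # tolerate double encoding (%2527), reject deeper


def canonicalize(raw: str) -> str:
    """Percent-decode until stable, then decode strictly as UTF-8.

    Strict UTF-8 decoding rejects overlong forms such as %c0%ae, an
    alternate representation of '.' used to smuggle '../'."""
    data = raw.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    else:
        raise ValidationError("too many layers of encoding")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValidationError("value is not valid UTF-8") from None


def validate(field: str, raw: str) -> str:
    """Central routine: return the canonical value or raise ValidationError."""
    if field not in ALLOW_LIST:
        raise ValidationError(f"no validation rule for field {field!r}")
    value = canonicalize(raw)
    if any(ch in value for ch in HAZARDOUS):
        raise ValidationError("hazardous control character in input")
    if ".." in re.split(r"[/\\]", value):
        raise ValidationError("path alteration sequence in input")
    if not ALLOW_LIST[field].fullmatch(value):
        raise ValidationError(f"{field!r} does not match the allowed pattern")
    return value
```

Fields without a rule are rejected outright, so a new parameter cannot reach application code until someone has written its allow-list.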

Authentication and Access Control

  • Authentication and Password Management:

    • Require authentication for all pages and resources (hiding the URL is not secure).

    • Enforce all authentication controls on a trusted system (backend server).

    • Use a centralized implementation for all authentication controls.

    • Ensure all authentication controls follow the fail-secure principle.

    • Implement password hashing: store passwords only as salted hashes, never in plaintext or reversible encryption.

  • Access Control:

    • Implement least privilege access control for all resources.

    • Use role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms.

    • Enforce access control checks on the server-side.

    • Ensure that access control rules are consistently applied across all components.

    • Regularly review and update access control policies.
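
As an added example (not code from the original page) for the "implement password hashing" item, this Python module stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies them in constant time, and reports when a stored record was produced with weaker parameters than the current policy so it can be upgraded at the next successful login. The iteration count and record layout are choices made for the example.

```python
import hashlib
import hmac
import secrets

# Policy constructed for the example: PBKDF2-HMAC-SHA256 with a 16-byte
# random salt. ITERATIONS can be raised later; verify_password() still accepts
# older records and needs_rehash() flags them for upgrade.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # per-password salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the record is weaker than current policy (or unreadable)."""
    try:
        algo, iters, _salt, _hash = record.split("$")
        return algo != ALGORITHM or int(iters) < ITERATIONS
    except ValueError:
        return True
```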

Session and State Management

  • Session Management:

    • Ensure secure generation and handling of session IDs.

    • Implement secure session timeout and inactivity timeout policies.

    • Use secure and HTTP-only cookies for storing session tokens.

    • Protect session data from being intercepted using HTTPS.

    • Regenerate session IDs after login and other sensitive operations.

    • Implement proper session invalidation mechanisms.
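
As an added example (not code from the original page), a minimal server-side session store in Python that follows the items above: IDs come from the OS CSPRNG, both an idle and an absolute timeout are enforced, the ID is regenerated on login so a pre-login ID is never promoted, logout removes the server-side state, and the cookie is emitted with Secure and HttpOnly. The timeout values and cookie name are constructed for the example; the clock is injectable so the timeouts can be tested.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity


class SessionStore:
    """Server-side store; the client only ever holds the opaque ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so the timeouts can be tested
        self._sessions: Dict[str, dict] = {}

    def create(self, user: Optional[str] = None) -> str:
        """Issue a fresh ID: 256 bits from the OS CSPRNG, not guessable."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Live session, or None (and dropped) once either timeout has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)
            return None
        s["last_seen"] = now
        return s

    def login(self, sid: str, user: str) -> str:
        """Regenerate on login: the pre-login ID is discarded, never promoted,
        so an ID planted before authentication (fixation) gains nothing."""
        self.invalidate(sid)
        return self.create(user)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout / sensitive-operation invalidation


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only) and HttpOnly (no script access)."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```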

HTTP Header Security

  • HTTP Header Security:

    • Implement HTTP Strict Transport Security (HSTS) to enforce secure communication over HTTPS.

    • Use Content Security Policy (CSP) to prevent cross-site scripting (XSS) and other code injection attacks.

    • Implement X-Content-Type-Options to prevent MIME type sniffing.

    • Use X-Frame-Options to protect against clickjacking attacks.

    • Implement X-XSS-Protection to enable cross-site scripting (XSS) filters (note that current browsers have removed this filter and OWASP now recommends setting the header to 0, so CSP must carry the protection).

    • Use Referrer-Policy to control how much referrer information is sent with requests.

    • Implement Feature-Policy (now standardized as Permissions-Policy) to control which browser features can be used.

Cryptographic Practices and Data Protection

  • Cryptographic Practices:

    • Use strong, industry-standard cryptographic algorithms.

    • Ensure proper key management practices, including secure generation, distribution, and storage of cryptographic keys.

    • Implement encryption for sensitive data at rest and in transit.

    • Avoid using outdated or insecure cryptographic protocols and algorithms.

    • Regularly review and update cryptographic implementations.

  • Data Protection:

    • Implement data minimization principles to reduce the amount of sensitive data collected and stored.

    • Use data anonymization and tokenization techniques where applicable.

    • Ensure secure data storage and transmission.

    • Implement proper data retention and disposal policies.

    • Regularly review and update data protection practices.

Error Handling and Logging

  • Error Handling and Logging:

    • Implement proper error handling to avoid revealing sensitive information.

    • Log security-relevant events, such as failed login attempts and access control violations.

    • Protect logs from unauthorized access and tampering.

    • Ensure that log data is regularly reviewed and analyzed for signs of suspicious activity.

    • Avoid logging sensitive data, such as passwords and credit card numbers.
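
As an added example (not code from the original page), a Python helper for the logging items above: it formats security-relevant events as single plain-text lines, replaces secret fields (passwords, tokens) with a marker before formatting, escapes line breaks so user-controlled text cannot forge additional log entries (log injection), masks card-like digit runs down to the last four digits, and returns only a correlation ID to the client instead of the underlying error. The secret field names and the card pattern are constructed for the example.

```python
import re
import time
from typing import Any

# Field names whose values must never reach a log (constructed list).
SECRET_FIELDS = {"password", "passwd", "token", "secret", "authorization"}
# Runs of 13-19 digits, optionally space/dash separated (card-like numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){9,15}(\d{4})\b")


def scrub(value: Any) -> str:
    """Make a value safe for a single plain-text log line.

    Line breaks are escaped so user input cannot forge extra log entries
    (log injection); quotes are escaped; card-like numbers keep only the
    last four digits."""
    text = str(value)
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    return CARD_RE.sub(lambda m: "****" + m.group(1), text)


def security_event(event: str, **fields: Any) -> str:
    """Format one security-relevant event (failed login, access denied, ...).

    Secret fields are replaced by a marker before formatting, so the raw
    value never touches the log pipeline."""
    parts = [time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), f"event={event}"]
    for name, value in fields.items():
        shown = "[REDACTED]" if name.lower() in SECRET_FIELDS else scrub(value)
        parts.append(f'{name}="{shown}"')
    return " ".join(parts)


def error_response(request_id: str) -> dict:
    """What the client receives: a correlation ID, no stack trace or SQL text.
    The full exception belongs in the server log under the same ID."""
    return {"error": "An internal error occurred.", "request_id": scrub(request_id)}
```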

Secure Deployment and Configuration

  • System Configuration:

    • Apply secure configurations to all system components, including servers, databases, and network devices.

    • Disable unnecessary services and features.

    • Regularly update and patch system components to address security vulnerabilities.

    • Implement secure configuration management practices.

  • Secure Deployment:

    • Ensure secure configuration of the deployment environment.

    • Implement continuous integration and continuous deployment (CI/CD) practices with security checks.

    • Use automated tools to scan for security vulnerabilities before deployment.

    • Monitor the deployment environment for signs of unauthorized changes or activities.

Specialized Areas

  • API Security:

    • Implement proper authentication and authorization for API endpoints.

    • Validate and sanitize all input data passed through APIs.

    • Implement rate limiting and throttling to prevent abuse.

    • Use HTTPS for secure communication between API clients and servers.

  • Mobile Application Security:

    • Secure local storage of sensitive data on mobile devices.

    • Implement secure communication between mobile applications and backend servers.

    • Use platform-specific security features and best practices.

    • Regularly update and patch mobile applications to address security vulnerabilities.

  • Cloud Security:

    • Implement secure configuration practices for cloud services and resources.

    • Use identity and access management (IAM) practices to control access to cloud resources.

    • Monitor cloud environments for signs of unauthorized activities.

    • Implement data encryption and secure storage practices for data in the cloud.

Third-Party and Dependency Management

  • Third-Party Library and Dependency Management:

    • Regularly review and update third-party libraries and dependencies to address security vulnerabilities.

    • Use tools to automatically scan for and manage vulnerabilities in dependencies.

    • Prefer libraries and dependencies that are actively maintained and have a strong security track record.

User Education and Awareness

  • User Education and Awareness:

    • Educate developers on secure coding practices and emerging security threats.

    • Conduct regular security training and awareness programs for all team members.

    • Foster a security-first culture within the development team.

For more detailed information, you can refer to the OWASP Secure Coding Practices Quick Reference Guide and the SAFECode Fundamental Practices for Secure Software Development.