Secure Coding Principles

August 2022

Introduction

As an experienced Java web developer and application architect, with a strong background in application security and framework development, I have meticulously developed this secure coding guideline based on common application problems identified during my program coding review and application security assessment.

My aim is to provide developers with a comprehensive set of principles and best practices to enhance the security of their applications. By addressing the vulnerabilities commonly exploited in real-world scenarios, we hope to foster a proactive security culture and minimize the risk of security breaches.

Input and Output Handling

  • Input Validation:

    • Conduct all data validation on a trusted system (return from the backend server) and untrusted data sources.

    • Validate all untrusted client-provided data before processing, including parameters, URLs, and HTTP header content (e.g., Cookie names and values), and automated postbacks from JavaScript.

    • Validate for expected data types, data range, and data length.

    • Validate all input using a white-list approach.

    • Handle hazardous characters, such as null bytes (%00), new line characters (%0d, %0a, \r, \n), and path alteration characters (../ or ..\).

    • Address alternate representations like %c0%ae%c0%ae/.

    • Implement a centralized input validation routine.

    • Define and specify the character set (e.g., UTF-8) for all input sources.

    • Encode data to the defined character set before validation.

    • Verify HTTP header values.

    • Validate data from redirects.

  • Output Encoding:

    • Utilize a standard and centralized outbound encoding to the presentation layer.

    • Sanitize all output of untrusted data for SQL, XML, and LDAP queries.

Authentication and Access Control

  • Authentication and Password Management:

    • Require authentication for all pages and resources (hiding the URL is not secure).

    • Enforce all authentication controls on a trusted system (backend server).

    • Use a centralized implementation for all authentication controls.

    • Ensure all authentication controls follow the fail-secure principle.

    • Implement password hashing.

  • Access Control:

    • Implement least privilege access control for all resources.

    • Use role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms.

    • Enforce access control checks on the server-side.

    • Ensure that access control rules are consistently applied across all components.

    • Regularly review and update access control policies.

Session and State Management

  • Session Management:

    • Ensure secure generation and handling of session IDs.

    • Implement secure session timeout and inactivity timeout policies.

    • Use secure and HTTP-only cookies for storing session tokens.

    • Protect session data from being intercepted using HTTPS.

    • Regenerate session IDs after login and other sensitive operations.

    • Implement proper session invalidation mechanisms.

HTTP Header Security

  • HTTP Header Security:

    • Implement HTTP Strict Transport Security (HSTS) to enforce secure communication over HTTPS.

    • Use Content Security Policy (CSP) to prevent cross-site scripting (XSS) and other code injection attacks.

    • Implement X-Content-Type-Options to prevent MIME type sniffing.

    • Use X-Frame-Options to protect against clickjacking attacks.

    • Implement X-XSS-Protection to enable cross-site scripting (XSS) filters.

    • Use Referrer-Policy to control how much referrer information is sent with requests.

    • Implement Feature-Policy to control which browser features can be used.

Cryptographic Practices and Data Protection

  • Cryptographic Practices:

    • Use strong, industry-standard cryptographic algorithms.

    • Ensure proper key management practices, including secure generation, distribution, and storage of cryptographic keys.

    • Implement encryption for sensitive data at rest and in transit.

    • Avoid using outdated or insecure cryptographic protocols and algorithms.

    • Regularly review and update cryptographic implementations.

  • Data Protection:

    • Implement data minimization principles to reduce the amount of sensitive data collected and stored.

    • Use data anonymization and tokenization techniques where applicable.

    • Ensure secure data storage and transmission.

    • Implement proper data retention and disposal policies.

    • Regularly review and update data protection practices.

Error Handling and Logging

  • Error Handling and Logging:

    • Implement proper error handling to avoid revealing sensitive information.

    • Log security-relevant events, such as failed login attempts and access control violations.

    • Protect logs from unauthorized access and tampering.

    • Ensure that log data is regularly reviewed and analyzed for signs of suspicious activity.

    • Avoid logging sensitive data, such as passwords and credit card numbers.

Secure Deployment and Configuration

  • System Configuration:

    • Apply secure configurations to all system components, including servers, databases, and network devices.

    • Disable unnecessary services and features.

    • Regularly update and patch system components to address security vulnerabilities.

    • Implement secure configuration management practices.

  • Secure Deployment:

    • Ensure secure configuration of the deployment environment.

    • Implement continuous integration and continuous deployment (CI/CD) practices with security checks.

    • Use automated tools to scan for security vulnerabilities before deployment.

    • Monitor the deployment environment for signs of unauthorized changes or activities.

Specialized Areas

  • API Security:

    • Implement proper authentication and authorization for API endpoints.

    • Validate and sanitize all input data passed through APIs.

    • Implement rate limiting and throttling to prevent abuse.

    • Use HTTPS for secure communication between API clients and servers.

  • Mobile Application Security:

    • Secure local storage of sensitive data on mobile devices.

    • Implement secure communication between mobile applications and backend servers.

    • Use platform-specific security features and best practices.

    • Regularly update and patch mobile applications to address security vulnerabilities.

  • Cloud Security:

    • Implement secure configuration practices for cloud services and resources.

    • Use identity and access management (IAM) practices to control access to cloud resources.

    • Monitor cloud environments for signs of unauthorized activities.

    • Implement data encryption and secure storage practices for data in the cloud.

Third-Party and Dependency Management

  • Third-Party Library and Dependency Management:

    • Regularly review and update third-party libraries and dependencies to address security vulnerabilities.

    • Use tools to automatically scan for and manage vulnerabilities in dependencies.

    • Prefer libraries and dependencies that are actively maintained and have a strong security track record.

User Education and Awareness

  • User Education and Awareness:

    • Educate developers on secure coding practices and emerging security threats.

    • Conduct regular security training and awareness programs for all team members.

    • Foster a security-first culture within the development team.

For more detailed information, you can refer to the

OWASP Secure Coding Practices Quick Reference Guide

SAFECode Fundamental Practices for Secure Software Development.

PreviousHRMC Executive PaperNextHTTP Header Security Principles

Last updated