Comment on page

Secure Coding Principles

To be updated

Input Validation
1.Conduct all data validation on a trusted system (RETURN from the backend server), and untrusted data sources 
2.Validate all untrusted client-provided data before processing, including all parameters, URLs, and HTTP header content (e.g. Cookie names and values), and also automated postbacks from JavaScript
3.Validate for expected data types, data range, and data length 
4.Validate all input in the white list approach
5.Specify handle the following characters 
hazardous characters
null bytes (%00)
new line characters (%0d, %0a, \r, \n)
“dot-dot-slash" (../ or ..\) path alterations characters. 
Alternate representation like: %c0%ae%c0%ae/ 
1.Implement a centralized input validation routine
2.Specify the defined character set e.g. UTF-8 for all input source
3.Encode data to defined character set before validation
4.Verify the HTTP header values
5.Validate data from redirects
Output Encoding
1.Utilize a standard and centralized outbound encoding to the presentation layer
2.Sanitize all output of un-trusted data to queries for SQL, XML, and LDAP
Authentication and Password Management 
1.Require authentication for all pages and resources (hidden the URL is not secure)
2.All authentication controls must be enforced on a trusted system (backend server)
3.Use a centralized implementation for all authentication controls
4.All authentication controls should follow fail secure principle
5. Password hashing must be implemented
Session Management 
Access Control
Cryptographic Practices
Error Handling and Logging
Data Protection 
Communication Security 
System Configuration 
Database Security 
File Management
Memory Management
General Coding Practices
​

Tabby

Next - Penetration Testing Checklists

Web Application PenTest

Last modified 8mo ago