Coding Dojo

Illustration of a lock and some coding icons

Top 10 Secure Coding Practices for Devs to Know

If cybersecurity has taught us anything, it’s that there will always be breaches, hacks, and vulnerabilities in systems. Cybersecurity as a career path is an ever-changing field that will keep you on your toes, so you must be consistently learning and upgrading your knowledge as new technologies and hacking techniques arise.

Just a few years ago in 2017, Equifax suffered a significant cybersecurity breach that left numerous users’ financial data available to hackers. Even large companies with exceptionally important information that needs to be protected have suffered breaches and security failures. 

What is Secure Coding?

Secure coding is a standardized approach to security practices to keep data safe and protected at all times, as much as possible. When coders and cybersecurity professionals follow this set of rules and guidelines, there is a much lower chance of vulnerabilities.

Why is Secure Coding Important?

By following the OWASP secure coding guidelines outlined below, you will set your systems and organization up for success by lowering the likelihood that you will experience a breach and lose important data to vulnerabilities.

10 Secure Coding Practices Every Developer Should Know

1. Input Validation

Input validation tests any input that a user or application submits. It offers an additional layer of security to certain forms of data. However, input validation must be used in conjunction with other secure coding methods to help prevent or reduce XSS, SQL injection, and other attacks.

A simple example of input validation is utilizing a CAPTCHA to ensure that a real live human inputs their username and password combination — not an AI or robot.

Ensure that the input validation is in its simplest form before making decisions. This might include decoding the input or rejecting anything that isn’t considered canonical (has been whitelisted to accept inputs registered as “good”).

To validate user- or application-inputted data, you can do the following:

  • Validate the data using specific sequences (i.e. data type, range, length of input against allowed characters)
  • Review based on trusted versus untrusted sources
  • Ensure the values for requests/responses are all ASCII characters

2. Authentication and Password Management

When security breaches occur, passwords are often what hackers immediately pinpoint. Password data can be taken and used to access other user accounts on different websites if users have signed up with the same email/username and password combination.

To combat password theft, multi-factor authentication has become a popular updated security process. In addition to this, cybersecurity professionals can implement the following best practices:

  • Enforce password length and character requirements (i.e. minimum 8 characters long with one capitalized letter, one number, and one symbol)
  • Disable additional attempts to log in after multiple incorrect attempts
  • Store only cryptographic versions of password data (rather than plain text)

3. Access Control

An important secure coding practice is prohibiting access to sensitive data to only those few who need it. By limiting privileges and restricting the number of users who can access it, you are utilizing access control, a security technique.

Consider these points when implementing access control:

  • Ensure authorized users are vetted and informed
  • Keep access controls restricted to protected URLs, services, app/user data, and similar important information
  • Perform account audits regularly to delete unused accounts
  • Limit the number of transactions each user can take over a specified timeframe

4. Cryptographic Practices

Encrypting sensitive data is vital to keep it safe and following high-level secure coding practices. Organizations can develop custom code to encrypt their data automatically and keep it safe, or they can rely on modern libraries to store and maintain their data.

Encryption helps protect loads of data in the event of a breach, and practices include:

  • Using a trusted system that can implement cryptographic functions
  • Relying on an approved, secure, random number generator for random file names, GUIDs, etc.
  • Using a cryptographic key management tool with accompanying policies and processes
  • Having assigned master keys protected from unauthorized access

5. System Configuration

Keep your systems up-to-date with patches, updates, and running current versions. Old software can have vulnerabilities that get fixed through release patches, so staying current with your software will help keep your imperative data safe.

Keep this in mind when looking over your system configurations:

  • Review systems, frameworks, and system components for updates and patches
  • HTTP response headers should include only relevant information
  • Keep test and development environments separate from the production environment

6. Data Protection

Sensitive data needs to be protected from the beginning and should never be an afterthought. While thinking of ways to encrypt data, limit access, and avoid breaches, you should also ensure that your systems maintain safety right off the bat. 

Use these techniques to maintain confidentiality:

  • Limit user access to systems, information, and data usability
  • Remove autocomplete from areas of your website or app where sensitive data is entered
  • Prevent code on your server from being accidentally accessed by users

7. Threat Modeling

Threat modeling is an approach to preventing data breaches by taking on the role of a hacker and reviewing cybersecurity systems. It works by locating, documenting, addressing, and validating vulnerabilities, objectives, and countermeasures to cybersecurity attacks.

This multi-stage process involves:

  • Identifying your assets and prioritizing which ones need the most protection
  • Reviewing who has access to those assets and your systems
  • Identifying vulnerabilities and threats
  • Creating a plan for how to mitigate each threat

8. Output Encoding

Similar to encryption, output encoding translates user-inputted data to ensure it does not execute as a code in a browser or program. That means the untrusted data cannot be interpreted, and therefore cannot be executed. If this step is not taken, cross-site scripting attacks can occur.

OWASP’s secure coding guidelines suggest these techniques:

  • Ensure all encoding happens on a trusted system (i.e. the server)
  • Encode all characters (unless deemed safe for the interpreter)
  • Sanitize untrusted data output to queries and operating systems

9. Error Handling and Logging

In many cases, software errors = bugs = vulnerabilities. Error handling and logging are among the most useful techniques to minimize the impact of vulnerabilities in your system. Between attempting to catch code errors before a breach and logging document errors for developers to diagnose, this is an important technique for secure coding.

As per OWASP’s secure coding practices guideline, be sure to:

  • Use error messages that do not display debugging or stack trace information
  • Deny access to error-handling logic conditions related to security controls
  • Ensure logs contain important log event data, and limit this access to only authorized users
  • Keep sensitive information out of data logs

10. Conduct a Secure Code Review

Having someone do a secure code review will ensure that any potential vulnerabilities in your system’s code get found. It’s important to get multiple eyes on this process, as one person may miss something glaring due to eye strain or simply human error.

This code review can be done manually, with automated tools/software, or a combination of the two techniques. By doing secure code reviews regularly, you can ensure that your database is fully secure. 

Learn to Code at Coding Dojo

At Coding Dojo, we make learning accessible. Experts in their respective fields have developed our curriculum, which goes in-depth into cybersecurity fundamentals to more advanced principles. With thousands of hours of research put into developing our cybersecurity bootcamp, anybody has a chance to change their career with our program. 

Even after graduating, you’ll have access to lifetime support from our services team. We’re not only here to teach you; we teach, train, and support you before, during, and after your graduation date.

Secure Coding FAQ

What is OWASP Secure Coding?

OWASP – the Open Web Application Security Project® – is a non-profit organization that works towards improved security practices for businesses through tools, resources, networking, and education & training. Their secure coding is a set of practices that can help companies keep their sensitive data safe and secure.

What are Secure Code Practices?

Secure coding practices are a general set of secure coding practices that you can follow along with (here’s a quick reference guide) to make it easier for organizations to integrate cybersecurity best practices.

What is a Secure Code Review?

A secure code review is done either manually or with an automated tool and allows users to detect vulnerabilities in a system’s code. This, in turn, allows problems to be rectified before hackers have a chance to take advantage of bugs and create data breaches that can be detrimental to a company.