Top 10 Secure Coding Practices

  1. Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including command line arguments, network interfaces, environmental variables, and user controlled files [Seacord 05].
  2. Heed compiler warnings. Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code [C MSC00-A, C++ MSC00-A]. Use static and dynamic analysis tools to detect and eliminate additional security flaws.
  3. Architect and design for security policies. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set.
  4. Keep it simple. Keep the design as simple and small as possible [Saltzer 74, Saltzer 75]. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.
  5. Default deny. Base access decisions on permission rather than exclusion. This means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted [Saltzer 74, Saltzer 75].
  6. Adhere to the principle of least privilege. Every process should execute with the the least set of privileges necessary to complete the job. Any elevated permission should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges [Saltzer 74, Saltzer 75].
  7. Sanitize data sent to other systems. Sanitize all data passed to complex subsystems [C STR02-A] such as command shells, relational databases, and commercial off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of SQL, command, or other injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem.
  8. Practice defense in depth. Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment [Seacord 05].
  9. Use effective quality assurance techniques. Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Fuzz testing, penetration testing, and source code audits should all be incorporated as part of an effective quality assurance program. Independent security reviews can lead to more secure systems. External reviewers bring an independent perspective; for example, in identifying and correcting invalid assumptions [Seacord 05].
  10. Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform.

 
secure coding practices
secure coding in c and c++
secure coding guidelines
secure coding in c and c++ pdf
secure coding practices in java
secure coding standards
secure coding training
secure coding pdf
secure coding practices ppt
secure coding guidelines owasp
secure coding
secure coding practices
secure coding in c and c++
secure coding guidelines
secure coding in c and c++ pdf
secure coding practices in java
secure coding standards
secure coding training
secure coding pdf
secure coding practices ppt
secure coding practices
secure coding in c and c++
secure coding guidelines
secure coding in c and c++ pdf
secure coding practices in java
secure coding standards
secure coding training
secure coding pdf
secure coding practices ppt
secure coding guidelines owasp
secure coding academy
secure coding android
secure coding analysis tools
secure coding against sql injection attacks
secure coding against sql injection
secure coding amazon
secure coding apple
secure coding asp.net
secure coding adalah
secure coding awareness
example of a secure coding principle
secure coding book
secure coding best practices
secure coding benefits
secure coding best practices java
secure coding book pdf
secure coding buffer overflow
security coding bicycles
security coding bikes
microsoft secure coding best practices
android secure coding best practices
secure coding certification
secure coding c++
secure coding course
secure coding c++ pdf
secure coding checklist
secure coding concepts
secure coding cmu
secure coding cert
secure coding checker
secure coding classes
c secure coding rules
c secure coding standard
c secure coding standard pdf
c secure coding pdf
secure c coding practices
objective c secure coding
cert c secure coding standard amazon
cert c secure coding standard wiki
objective c secure coding standards
cert c secure coding pdf
secure coding definition
secure coding development
secure coding design principles
secure coding developing defensible applications
secure coding design
secure coding for dummies
secure coding practices definition
secure coding training for developers
secure coding in .net developing defensible applications
secure coding techniques for different classes of applications
secure coding examples
secure coding ec council
secure coding error handling
secure coding ebook
secure coding exercises
secure coding exam
secure coding education
secure coding environment
secure coding e learning
secure coding encoding
secure coding field manual pdf
secure coding field manual
secure coding framework
secure coding for java
secure coding for net
secure coding for pci compliance
secure coding fortify
secure coding for buffer overflow
secure coding for dummies
secure coding for mobile apps
secure coding guidelines
secure coding guidelines for java
secure coding guidelines owasp
secure coding guidelines c#
secure coding guidelines for ios
secure coding guidelines for android
secure coding guide
secure coding guide ios
secure coding guidelines for the java programming language
secure coding guidelines php
secure coding html
secure coding error handling
html5 secure coding
hp secure coding
secure base safe haven coding system
secure coding in c and c++
secure coding in c and c++ pdf
secure coding in java
secure coding in python
secure coding in php
secure coding in c and c++ second edition
secure coding in .net
secure coding in java/jee
secure coding input validation
secure coding interview questions
secure coding java
secure coding javascript
secure coding java pdf
secure coding java owasp
secure coding jobs
secure coding java cert
secure coding java certification
secure java coding training
secure coding in java/jee developing defensible applications
secure coding tools java
klocwork secure coding
kisa secure coding
secure coding libraries
secure coding life cycle
secure coding list
security coding language
secure login coding
most secure coding language
secure coding solutions ltd
secure coding guidelines
java secure coding library
secure coding rules for java livelessons
secure coding methodology
secure coding microsoft
secure coding memcpy
secure coding mark graff
secure coding mvc
secure coding mobile
secure coding metrics
secure coding mobile apps
secure coding msdn
secure coding guidelines msdn
secure coding net
secure coding nist
secure coding .net training
secure network coding
secure network coding over the integers
secure network coding on a wiretap network
secure network coding with erasures and feedback
secure network coding pdf
secure coding vb.net
weakly secure network coding
secure coding owasp
secure coding online training
secure coding objective c
secure coding online course
secure coding o’reilly
secure coding oracle
secure coding o reilly pdf
secure network coding over the integers
secure network coding on a wiretap network
secure coding guidelines oracle
o’reilly secure coding
importance of secure coding
benefits of secure coding
principles of secure coding
advantages of secure coding
definition of secure coding
need of secure coding
example of secure coding
secure coding o reilly pdf
secure coding practices
secure coding practices in java
secure coding pdf
secure coding practices ppt
secure coding principles
secure coding principles and practices
secure coding practices pdf
secure coding practices c#
secure coding ppt
secure coding practices checklist
secure coding questions
secure coding quiz
secure coding questionnaire
secure coding quotes
secure coding practices quick reference guide
secure coding interview questions
secure coding practices quick reference
secure coding review
secure coding requirements
secure coding rules for java livelessons
secure coding rules
secure coding rulepacks
secure coding rit
secure coding research
secure coding resources
fortify secure coding rulepacks
secure coding o’reilly
secure coding standards
secure coding standards java
secure coding standards nist
secure coding standards c#
secure coding standards python
secure coding standards owasp
secure coding sans
secure coding solutions
secure coding sql injection
secure coding solutions ltd
secure coding training
secure coding techniques
secure coding tutorial
secure coding training for developers
secure coding tools
secure coding training pci
secure coding techniques checksum
secure coding training ppt
secure coding training course
secure coding tum
secure coding training uk
usd secure coding
secure coding validation suite
secure coding vb.net
secure coding vulnerabilities
secure coding videos
secure coding input validation
secure coding practices for input validation
secure coding wiki
secure coding with static analysis
secure coding with java
secure coding web applications
secure coding workshop
secure coding with javascript
secure coding webinar
secure coding web
secure web coding standards
coding secure website
secure coding xss
secure coding top 10
secure coding 2014
secure coding for java
secure coding for net
secure coding for pci compliance
secure coding for buffer overflow
secure coding for dummies
secure coding for mobile apps
secure coding for php
secure coding for java developers
secure coding for web applications
windows phone 8 secure coding