Secure Code Standards

You may already be familiar with the concept of coding standards. These are documented rules or patterns to ensure every developer on the project performs consistent naming conventions and programming styles. Coding standards aim to make the code more consistent and easier to follow. Therefore, reducing the number of bugs present in the code. Secure coding standards are similar in trying to improve code quality. In this case, reducing the likelihood of vulnerabilities or weakness is present in the code. Secure coding standards are language-specific. So if you're using Java or Pearl or another programming language, you need to source secure coding standards specific to that language.

The Software Engineering Institute in Carnegie Mellon University has defined their top 10 secure coding practices.

CMU SEI - Top 10 Secure Coding Practice

  1. Validate input (Defend against SQL injection and other types of attacks)

  2. Heed compiler warnings (The compiler warning is there to give you feedback at build time to ensure you improve weaknesses in your code)

  3. Architect and design for security (proper architecture and design decisions factoring security in early in the process is essential)

  4. Keep it simple (Keeping it simple is an often overlooked practice. But if something is too complicated, it is going to be very difficult to find weaknesses or vulnerabilities in the code)

  5. Default deny (Don't provide excess(lazimindan artiq) permission or access. )

  6. Adhere to the principle of least privilege (Implement the process of lease privilege.)

  7. Sanitize data from other systems (Sanitized data from other systems. In other words, don't trust any input.)

  8. Practice defense in depth (This is essential in creating a robust system. If one safeguard fails, you have another one to protect the system.)

  9. Practice effective quality assurance (Quality insurance is essential to identify bugs early in the process)

  10. Adopt a secure coding standard (adopt a secure coding standard and make sure all your development team complies with this standard.)

PreviousThreat Modeling - PLANNextSAST and SCA - CODE

Last updated