Secure Coding

Secure coding practices are essential for building applications that can withstand security threats and protect sensitive data. This document outlines the secure coding requirements and practices that must be followed as part of the Definition of Done.

Purpose

The purpose of these secure coding requirements is to:

• Reduce the number of security vulnerabilities in our applications
• Establish consistent security practices across development teams
• Prevent common coding errors that lead to security issues
• Implement security controls at the code level
• Create a foundation for secure development lifecycle

General Secure Coding Principles

Defense in Depth

• Multiple layers of security controls must be implemented
• No single point of failure should exist in security architecture
• Security controls should be complementary and overlapping
• Each layer should implement its own security checks

Fail Secure

• Applications must fail in a secure state
• Error handling must not reveal sensitive information
• Default deny approach to access control
• Applications should terminate securely when resources are unavailable

Economy of Mechanism

• Security mechanisms should be as simple as possible
• Complex security controls are more prone to errors
• Minimization of attack surface
• Avoid unnecessary features that increase security risk

Complete Mediation

• Every access to resources must be checked for authorization
• No caching of security decisions for extended periods
• Re-authentication for sensitive operations
• Consistent application of security controls across all paths

Least Privilege

• Components should operate with minimal privileges needed
• Privilege separation between different parts of the application
• Temporary privilege elevation only when necessary
• Drop privileges as soon as they are no longer needed

Language-Specific Secure Coding Standards

Our organization follows language-specific secure coding standards based on industry best practices:

• Java: Oracle Secure Coding Guidelines for Java SE
• C/C++: SEI CERT C/C++ Coding Standards
• JavaScript: OWASP JavaScript Security Guidelines
• Python: Python Security Best Practices
• C#/.NET: Microsoft Security Coding Guidelines

Common Vulnerability Prevention

Input Validation and Output Encoding

• All input must be validated for type, length, format, and range
• Input validation must occur on the server side
• Context-appropriate output encoding must be applied
• Sanitization libraries must be used consistently
• Don't rely on client-side validation alone

SQL Injection Prevention

• Parameterized queries or prepared statements must be used
• Object-Relational Mapping (ORM) frameworks should be used correctly
• Dynamic SQL should be avoided when possible
• Stored procedures should be used with proper parameterization
• Database accounts should have minimal privileges

Cross-Site Scripting (XSS) Prevention

• Output encoding based on the context (HTML, JavaScript, CSS, URL)
• Content Security Policy (CSP) implementation
• Input validation for all user-controllable data
• Use of modern frameworks with built-in XSS protection
• XSS mitigation testing

Cross-Site Request Forgery (CSRF) Prevention

• Anti-CSRF tokens must be implemented for state-changing operations
• SameSite cookie attributes should be used
• Proper validation of request origin
• Requiring re-authentication for sensitive operations
• CSRF protection testing

Security Misconfiguration Prevention

• Secure default configurations must be established
• Removal of unnecessary features and components
• Security hardening guidelines must be followed
• Regular security configuration reviews
• Automated configuration validation

Sensitive Data Exposure Prevention

• Encryption of sensitive data in transit and at rest
• Proper key management procedures
• Minimal data retention
• Secure credential storage using strong hashing
• Secure logging practices (no sensitive data in logs)

Broken Authentication Prevention

• Implementation of strong authentication controls
• Secure session management
• Account lockout mechanisms
• Secure password recovery
• Multi-factor authentication for sensitive operations

Insecure Deserialization Prevention

• Avoid deserializing untrusted data when possible
• Implement integrity checks and type constraints
• Run deserialization code with minimal privileges
• Monitor deserialization exceptions and failures
• Use safer data formats (JSON, XML) with security controls

Memory Safety (for applicable languages)

• Buffer overflow prevention controls
• Use of memory-safe functions and constructs
• Avoidance of dangerous functions
• Proper memory allocation and deallocation
• Bounds checking for all array operations

Secure Coding Practices in SDLC

Requirements Phase

• Security requirements must be defined
• Threat modeling should be performed
• Security stories must be included in backlog
• Abuse cases should be documented

Design Phase

• Security design reviews must be conducted
• Security patterns should be employed
• Attack surface should be minimized
• Defense mechanisms should be designed in

Implementation Phase

• Secure coding standards must be followed
• Security-focused code reviews must be performed
• Static application security testing (SAST) must be integrated
• Security unit tests should be written

Testing Phase

• Dynamic application security testing (DAST) must be performed
• Penetration testing for critical applications
• Security regression testing
• Test cases for identified security requirements

Deployment Phase

• Secure configuration verification
• Security scanning in pre-production
• Secure deployment procedures
• Monitoring for security issues

Definition of Done Criteria

For secure coding to meet the Definition of Done, the following criteria must be satisfied:

• Code complies with secure coding standards for the relevant language
• Static application security testing has been performed with no critical or high issues
• Security-focused code review has been completed
• Common vulnerability prevention measures have been implemented
• Security unit tests are in place for security-critical functions
• No security requirements have been deferred
• No known security issues exist without appropriate mitigations

References

• OWASP Top 10
• OWASP Secure Coding Practices Quick Reference Guide
• SANS Top 25 Most Dangerous Software Errors
• CERT Secure Coding Standards

Related Documents

• Security Standards
• Security Testing
• Code Review Guidelines
• Security Best Practices