SlideShare a Scribd company logo

Secure coding practices

Download as PPTX, PDF
M
Mohammed Danish Amber

Secure Coding Practices - PHP. How to safe gaurd your application from CSRF, Session Hijacking, SQLi

Internet
1 of 12
SECURE CODING PRACTICES BY – MOHAMMED DANISH AMBER
ABOUT ME • Mohammed Danish Amber • Web Application & Database Security Administrator • CEH & CHFI Certified • N|u Hyderabad Chapter Core Member
GUIDE OVERVIEW • Technology agnostic coding practices • What to do, not how to do it • Compact, but comprehensive checklist format • Focuses on secure coding requirements, rather then on vulnerabilities and exploits • Includes a cross referenced glossary to get developers and security folks talking the same language
CHECKLIST • Data Validation • Authentication and Password Management • Authorization and Access Management • Session Management • Sensitive Information Storage or Transmission • System Configuration Management • General Coding Practices • Database Security • File Management • Memory Management
CHECKLIST PRACTICES • Short and to the point. • Straight forward "do this" or "don't do that" • Does not attempt to rank the practices • Some practices are conditional recommendations that depend on the criticality of the system or information • The security implications of not following any of the practices that apply to the application, should be clearly understood
EXTRACT - DATABASE SECURITY • Use strongly typed parameterized queries. Parameterized queries keep the query and data separate through the use of placeholders. The query structure is defined with place holders and then the application specifies the contents of each placeholder. • Utilize input validation and if validation fails, do not run the database command. • Ensure that variables are strongly typed. • Escape meta characters in SQL statements. • The application should use the lowest possible level of privilege when accessing the database. • Use secure credentials for database access. • Do not provide connection strings or credentials directly to the client. If this is unavoidable, encrypted them. • Use stored procedures to abstract data access. • Turn off any database functionality (e.g., unnecessary stored procedures or services). • Eliminate default content. • Disable any default accounts that are not required to support business requirements. • Close the connection as soon as possible. • The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators).
DEVELOPING GUIDANCE DOCUMENTS Security Policy GUIDING PRINCIPLES Application Security Procedures What to Do Application Security Coding Standards How to do it
SUPPORT SECURE DEVELOPMENT LIFECYCLE •Review Solutions•Test Solution Implementation •Application Development Practices •Standardized Libraries •Standard Guidance for non-Library Solutions •Application Security Requirements What to do How you should do it What you did Did it work
CONTRACTED DEVELOPMENT • Identify security requirements to be added to outsourced software development projects. • Include them in the RFP and Contract I NEED COOL SOFTWARE CUSTOMER We can build anything SALESMAN How do I make it work PROGRAMMER
SUMMARY • Makes it easier for development teams to quickly understand secure coding practices • Assists with defining requirements and adding them to policies and contracts • Provides a context and vocabulary for interactions with security staff • Serves as an easy desk reference
A SECURE DEVELOPMENT FRAMEWORK • Implement a secure software development lifecycle • OWASP CLASP Project • Establish secure coding standards • OWASP Development Guide Project • Build a re-usable object library • OWASP Enterprise Security API (ESAPI) Project • Verify the effectiveness of security controls • OWASP Application Security Verification Standard (ASVS) Project) • Establish secure outsourced development practices including defining security requirements and verification methodologies in both the RFP and contract • OWASP Legal Project
QUESTIONS HACK LEARN SHARE

Recommended

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 

Recommended

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Designing Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase SecurityDesigning Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase Security
lawmoore
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
Sri Latha
 

More Related Content

What's hot

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 

What's hot (20)

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Secure code
Secure codeSecure code
Secure code
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 

Similar to Secure coding practices

Designing Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase SecurityDesigning Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase Security
lawmoore
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
Sri Latha
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
WrikeTechClub
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
AlgoSec
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
Mona Rajput
 
Software Engineering Ethics
Software Engineering EthicsSoftware Engineering Ethics
Software Engineering Ethics
Kapil Rajpurohit
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
Techcello
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
Security a Revenue Center: How Security Can Drive Your Business
Security a Revenue Center: How Security Can Drive Your BusinessSecurity a Revenue Center: How Security Can Drive Your Business
Security a Revenue Center: How Security Can Drive Your Business
shira koper
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
Non functional requirements. do we really care…?
Non functional requirements. do we really care…?Non functional requirements. do we really care…?
Non functional requirements. do we really care…?
OSSCube
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
Mohammed Fazuluddin
 
CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptx
mohedkhadar60
 

Similar to Secure coding practices (20)

Designing Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase SecurityDesigning Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase Security
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
 
Software Engineering Ethics
Software Engineering EthicsSoftware Engineering Ethics
Software Engineering Ethics
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
Security a Revenue Center: How Security Can Drive Your Business
Security a Revenue Center: How Security Can Drive Your BusinessSecurity a Revenue Center: How Security Can Drive Your Business
Security a Revenue Center: How Security Can Drive Your Business
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
Non functional requirements. do we really care…?
Non functional requirements. do we really care…?Non functional requirements. do we really care…?
Non functional requirements. do we really care…?
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
 
CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptx
 

Recently uploaded

一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 

Recently uploaded (20)

一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 

Secure coding practices

  • 1. SECURE CODING PRACTICES BY – MOHAMMED DANISH AMBER
  • 2. ABOUT ME • Mohammed Danish Amber • Web Application & Database Security Administrator • CEH & CHFI Certified • N|u Hyderabad Chapter Core Member
  • 3. GUIDE OVERVIEW • Technology agnostic coding practices • What to do, not how to do it • Compact, but comprehensive checklist format • Focuses on secure coding requirements, rather then on vulnerabilities and exploits • Includes a cross referenced glossary to get developers and security folks talking the same language
  • 4. CHECKLIST • Data Validation • Authentication and Password Management • Authorization and Access Management • Session Management • Sensitive Information Storage or Transmission • System Configuration Management • General Coding Practices • Database Security • File Management • Memory Management
  • 5. CHECKLIST PRACTICES • Short and to the point. • Straight forward "do this" or "don't do that" • Does not attempt to rank the practices • Some practices are conditional recommendations that depend on the criticality of the system or information • The security implications of not following any of the practices that apply to the application, should be clearly understood
  • 6. EXTRACT - DATABASE SECURITY • Use strongly typed parameterized queries. Parameterized queries keep the query and data separate through the use of placeholders. The query structure is defined with place holders and then the application specifies the contents of each placeholder. • Utilize input validation and if validation fails, do not run the database command. • Ensure that variables are strongly typed. • Escape meta characters in SQL statements. • The application should use the lowest possible level of privilege when accessing the database. • Use secure credentials for database access. • Do not provide connection strings or credentials directly to the client. If this is unavoidable, encrypted them. • Use stored procedures to abstract data access. • Turn off any database functionality (e.g., unnecessary stored procedures or services). • Eliminate default content. • Disable any default accounts that are not required to support business requirements. • Close the connection as soon as possible. • The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators).
  • 8. SUPPORT SECURE DEVELOPMENT LIFECYCLE •Review Solutions•Test Solution Implementation •Application Development Practices •Standardized Libraries •Standard Guidance for non-Library Solutions •Application Security Requirements What to do How you should do it What you did Did it work
  • 9. CONTRACTED DEVELOPMENT • Identify security requirements to be added to outsourced software development projects. • Include them in the RFP and Contract I NEED COOL SOFTWARE CUSTOMER We can build anything SALESMAN How do I make it work PROGRAMMER
  • 10. SUMMARY • Makes it easier for development teams to quickly understand secure coding practices • Assists with defining requirements and adding them to policies and contracts • Provides a context and vocabulary for interactions with security staff • Serves as an easy desk reference
  • 11. A SECURE DEVELOPMENT FRAMEWORK • Implement a secure software development lifecycle • OWASP CLASP Project • Establish secure coding standards • OWASP Development Guide Project • Build a re-usable object library • OWASP Enterprise Security API (ESAPI) Project • Verify the effectiveness of security controls • OWASP Application Security Verification Standard (ASVS) Project) • Establish secure outsourced development practices including defining security requirements and verification methodologies in both the RFP and contract • OWASP Legal Project