SlideShare a Scribd company logo

Secure coding guidelines

Download as PPTX, PDF
Sathyanarayana Panduranga
Sathyanarayana Panduranga

Review of OWASP security guidelines.

Software
1 of 9
Secure Coding
Injection Prevention Rules • Rule #1 (Perform proper input validation): Perform proper input validation. Positive or “whitelist” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. • Rule #2 (Use a safe API): The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood. • Rule #3 (Contextually escape user data): If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. • Further reading: https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet
Authentication Rules • Implement Proper Password Strength Controls • Implement Secure Password Recovery Mechanism • Store Passwords in a Secure Fashion • Transmit Passwords Only Over TLS or Other Strong Transport • Require Re-authentication for Sensitive Features • An application should respond with a generic error message regardless of whether the user ID or password was incorrect. • Prevent Brute-Force Attacks by disabling user account after multiple failed logins. • Enable logging and monitoring of authentication functions to detect attacks • Further reading: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Sensitive Data Rules • Classify data processed, stored or transmitted by application. • Identify which data is sensitive according to laws, regulation and business needs. • Dont store sensitive data unnecessarily. Data that is not retained cannot be stolen. • Make sure to encrypt sensitive data at rest. • Encrypt all data in transit with secure protocols like TLS • Disable caching for responses which contain sensitive data. • Further reading: http://cwe.mitre.org/data/definitions/312.html
Access Control Rules • Divide the software into anonymous, normal, privileged, and administrative areas. Carefully map roles with data and functionality. • Ensure that you perform access control checks related to your business logic. • Consider using authorization frameworks such as the JAAS Authorization Framework. • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. • Use the access control capabilities of your operating system and server environment. • Further reading: https://cwe.mitre.org/data/definitions/285.html
XSS Prevention Rules
Secure coding guidelines

Recommended

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 

Recommended

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security TestingvodQA
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningPriyanka Aash
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesAleksandar Bozinovski
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security ChecklistSimform
 
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...apidays
 

More Related Content

What's hot

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security TestingvodQA
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningPriyanka Aash
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 

What's hot (19)

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security Testing
 
Security testing
Security testingSecurity testing
Security testing
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine Learning
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Web attacks
Web attacksWeb attacks
Web attacks
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 

Similar to Secure coding guidelines

Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security ChecklistSimform
 
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...apidays
 
OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?Boy Baukema
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security ChampionsPetraVukmirovic
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingdcervigni
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Hipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associatesHipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associatesShoba Krishnamurthy
 

Similar to Secure coding guidelines (20)

Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security Checklist
 
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahu...
 
OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
 
Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Java zone ASVS 2015
Java zone ASVS 2015Java zone ASVS 2015
Java zone ASVS 2015
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp v8 analysis
Owasp v8 analysisOwasp v8 analysis
Owasp v8 analysis
 
Hipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associatesHipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associates
 
Webdays blida mobile top 10 risks
Webdays blida mobile top 10 risksWebdays blida mobile top 10 risks
Webdays blida mobile top 10 risks
 

Recently uploaded

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Recently uploaded (20)

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

Secure coding guidelines

  • 2.
  • 3.
  • 4. Injection Prevention Rules • Rule #1 (Perform proper input validation): Perform proper input validation. Positive or “whitelist” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. • Rule #2 (Use a safe API): The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood. • Rule #3 (Contextually escape user data): If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. • Further reading: https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet
  • 5. Authentication Rules • Implement Proper Password Strength Controls • Implement Secure Password Recovery Mechanism • Store Passwords in a Secure Fashion • Transmit Passwords Only Over TLS or Other Strong Transport • Require Re-authentication for Sensitive Features • An application should respond with a generic error message regardless of whether the user ID or password was incorrect. • Prevent Brute-Force Attacks by disabling user account after multiple failed logins. • Enable logging and monitoring of authentication functions to detect attacks • Further reading: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 6. Sensitive Data Rules • Classify data processed, stored or transmitted by application. • Identify which data is sensitive according to laws, regulation and business needs. • Dont store sensitive data unnecessarily. Data that is not retained cannot be stolen. • Make sure to encrypt sensitive data at rest. • Encrypt all data in transit with secure protocols like TLS • Disable caching for responses which contain sensitive data. • Further reading: http://cwe.mitre.org/data/definitions/312.html
  • 7. Access Control Rules • Divide the software into anonymous, normal, privileged, and administrative areas. Carefully map roles with data and functionality. • Ensure that you perform access control checks related to your business logic. • Consider using authorization frameworks such as the JAAS Authorization Framework. • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. • Use the access control capabilities of your operating system and server environment. • Further reading: https://cwe.mitre.org/data/definitions/285.html