# Secure Coding Guide

## Table of Contents

- Secure Coding Principles
- Common Vulnerabilities
- Best Practices
- Input Validation
- Authentication and Authorization
- Cryptography
- Security Testing

## Secure Coding Principles

### Core Principles

Key Security Principles:
- Defense in Depth
- Least Privilege
- Fail Secure
- Complete Mediation
- Input Validation
- Security by Design
## Common Vulnerabilities

### OWASP Top 10

| Vulnerability | Description | Prevention |
|---|---|---|
| Injection | SQL, NoSQL, OS injection | Use parameterized queries |
| Broken Authentication | Session management flaws | Implement secure session handling |
| XSS | Cross-site scripting | Output encoding, input validation |
| CSRF | Cross-site request forgery | Use anti-CSRF tokens |
## Best Practices

### Input Handling

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// Bad practice - Direct use of input (string concatenation lets the input be parsed as SQL)
String query = "SELECT * FROM users WHERE id = " + userId;

// Good practice - Parameterized query: userId is bound as data and is never parsed as SQL
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, userId);
ResultSet rs = stmt.executeQuery();

// Bad practice - Command injection vulnerability (user input spliced into a command string)
Runtime.getRuntime().exec("ls " + userInput);

// Good practice - Validate against an allow-list first (isValidFilename is a caller-supplied
// check), then pass the value as a separate argument so no shell ever interprets it
if (!isValidFilename(userInput)) {
    throw new SecurityException("Invalid filename");
}
Process p = new ProcessBuilder("ls", userInput).start();
```
### Error Handling

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// OrderService and doSensitiveWork stand in for the real enclosing class and operation
private static final Logger logger = LoggerFactory.getLogger(OrderService.class);

public String performOperation() {
    try {
        // Sensitive operation
        return doSensitiveWork();
    } catch (Exception e) {
        // Good practice - Log the details (including the stack trace) server-side only,
        // and return a generic message that reveals nothing about internals to the caller
        logger.error("Operation failed: " + e.getMessage(), e);
        return "An error occurred. Please contact support.";
    }
}
```
## Input Validation

### Validation Strategies

Input Validation Approaches:
- Whitelisting
- Regular expressions
- Type checking
- Range validation
- Format validation

### Validation Examples
```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.regex.Pattern;

// Regular expression validation - pattern compiled once; null-safe; length is capped
// before matching so oversized input cannot drive expensive regex backtracking
private static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9+_.-]+@(.+)$");

public boolean isValidEmail(String email) {
    return email != null && email.length() <= 254 && EMAIL.matcher(email).matches();
}

// Range validation
public boolean isValidAge(int age) {
    return age >= 0 && age <= 120;
}

// Format validation - ISO-8601 date such as 2024-01-31; parsing also rejects
// well-formed but impossible dates such as 2024-02-30
public boolean isValidDate(String date) {
    if (date == null) {
        return false;
    }
    try {
        LocalDate.parse(date, DateTimeFormatter.ISO_DATE);
        return true;
    } catch (DateTimeParseException e) {
        return false;
    }
}
```
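The snippets above show each strategy in isolation. The following is an added example, not code from the original guide, that applies all five strategies from the list (allow-list, regular expression, type check, range check, format check) to one hypothetical file-download request, and shows a path-traversal string being rejected by the filename rule. The class and field names, the limits, and the sample inputs are assumptions made for illustration; it needs Java 16 or later for records.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not from the original guide): one validator that applies the five
// strategies listed above to a hypothetical file-download request. The names, limits
// and sample inputs below are constructed for illustration.
public final class FileRequestValidator {

    // Allow-list (whitelist): only these sort keys are accepted, everything else is rejected
    private static final Set<String> SORT_KEYS = Set.of("name", "size", "modified");

    // Regular expression: one path component, must start with a letter or digit, then only
    // letters/digits/._- up to 64 chars. No "/" or "\" can match, and "." / ".." cannot
    // match because the first character must be alphanumeric.
    private static final Pattern FILENAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$");

    // Range validation bounds for the page size
    private static final int MIN_PAGE_SIZE = 1;
    private static final int MAX_PAGE_SIZE = 100;

    public record ValidatedRequest(String filename, String sortKey, int pageSize) {}

    /** Returns a validated request, or throws IllegalArgumentException naming the failing field. */
    public static ValidatedRequest validate(String filename, String sortKey, String pageSizeText) {
        // Format validation via the regex (null is rejected as well)
        if (filename == null || !FILENAME.matcher(filename).matches()) {
            throw new IllegalArgumentException("filename");
        }
        // Allow-list check: exact membership, no normalisation or partial matching
        if (sortKey == null || !SORT_KEYS.contains(sortKey)) {
            throw new IllegalArgumentException("sortKey");
        }
        // Type checking: the page size arrives as text and must parse as an int
        int pageSize;
        try {
            pageSize = Integer.parseInt(pageSizeText);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("pageSize");
        }
        // Range validation
        if (pageSize < MIN_PAGE_SIZE || pageSize > MAX_PAGE_SIZE) {
            throw new IllegalArgumentException("pageSize");
        }
        return new ValidatedRequest(filename, sortKey, pageSize);
    }

    // Demonstration on constructed inputs: one accepted request and four rejections,
    // each failing on a different strategy
    public static void main(String[] args) {
        String[][] samples = {
            {"report-2024.pdf", "name", "25"},          // accepted
            {"../../etc/passwd", "name", "25"},         // rejected: filename (regex)
            {"report.pdf", "name; DROP TABLE x", "25"}, // rejected: sortKey (allow-list)
            {"report.pdf", "size", "10000"},            // rejected: pageSize (range)
            {"report.pdf", "size", "ten"},              // rejected: pageSize (type)
        };
        for (String[] s : samples) {
            try {
                ValidatedRequest r = validate(s[0], s[1], s[2]);
                System.out.println("ACCEPT " + r);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + String.join(" | ", s) + "  (bad field: " + e.getMessage() + ")");
            }
        }
    }
}
```

The exception carries only the field name, not the rejected value, so a generic error response can be built from it without echoing attacker-controlled input back into logs or pages.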
## Authentication and Authorization

### Password Security

```java
import javax.servlet.http.HttpSession;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt library

// Password hashing example - bcrypt with cost factor 12; the generated salt is embedded in the hash
String hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt(12));

// Password verification - compares the input against the stored hash, never against a stored plaintext
boolean isValid = BCrypt.checkpw(inputPassword, hashedPassword);

// Session management - rotate the session ID at login (prevents session fixation), then bind the user
request.changeSessionId(); // Servlet 3.1+
HttpSession session = request.getSession();
session.setAttribute("user_id", userId);
session.setMaxInactiveInterval(1800); // 30 minutes
```
### Authorization Controls

Authorization Checks:
- Role-based access control
- Resource-level permissions
- Action-based authorization
- Data-level access control
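The four checks above are layers, not alternatives: a request should pass all that apply, and anything not explicitly allowed is denied. The following is an added example, not code from the original guide, of a single deny-by-default policy function that combines them for a hypothetical document store. The `User`, `Document`, roles, actions and sample data are all constructed for illustration; it needs Java 17 or later for records and switch expressions.

```java
import java.util.Map;
import java.util.Set;

// Added example (not from the original guide): a deny-by-default authorization check that
// layers role, action, resource and tenant (data-level) checks. Every type and sample value
// here is constructed for illustration.
public final class DocumentAccessPolicy {

    enum Role { ADMIN, EDITOR, VIEWER }
    enum Action { READ, UPDATE, DELETE, SHARE }

    record User(String id, Set<Role> roles, String tenant) {}
    record Document(String id, String ownerId, String tenant, Set<String> sharedWith) {}

    // Role-based access control: the most any role may ever do, regardless of the resource
    private static final Map<Role, Set<Action>> ROLE_ACTIONS = Map.of(
        Role.ADMIN,  Set.of(Action.values()),
        Role.EDITOR, Set.of(Action.READ, Action.UPDATE, Action.SHARE),
        Role.VIEWER, Set.of(Action.READ));

    /** Returns true only if every applicable check passes; any other outcome is a denial. */
    public static boolean isAllowed(User user, Action action, Document doc) {
        // Data-level access control: never cross a tenant boundary, whatever the role
        if (!user.tenant().equals(doc.tenant())) {
            return false;
        }
        // Action-based authorization through RBAC: at least one of the user's roles must permit this action
        boolean roleAllows = user.roles().stream()
            .anyMatch(r -> ROLE_ACTIONS.getOrDefault(r, Set.of()).contains(action));
        if (!roleAllows) {
            return false;
        }
        // Resource-level permissions: admins cover their whole tenant; everyone else needs a
        // relationship to this specific document
        if (user.roles().contains(Role.ADMIN)) {
            return true;
        }
        boolean owner = doc.ownerId().equals(user.id());
        boolean shared = doc.sharedWith().contains(user.id());
        return switch (action) {
            case READ -> owner || shared;
            case UPDATE, SHARE -> owner;   // a user the document was shared with may read but not change it
            case DELETE -> false;          // no non-admin role reaches this branch under ROLE_ACTIONS
        };
    }

    public static void main(String[] args) {
        Document doc = new Document("doc-1", "alice", "acme", Set.of("bob"));
        User alice = new User("alice", Set.of(Role.EDITOR), "acme");   // owner
        User bob   = new User("bob",   Set.of(Role.VIEWER), "acme");   // document shared with bob
        User carol = new User("carol", Set.of(Role.VIEWER), "acme");   // same tenant, not shared
        User dave  = new User("dave",  Set.of(Role.ADMIN),  "globex"); // admin of a different tenant

        System.out.println("alice UPDATE own doc:    " + isAllowed(alice, Action.UPDATE, doc));
        System.out.println("bob READ shared doc:     " + isAllowed(bob, Action.READ, doc));
        System.out.println("bob UPDATE shared doc:   " + isAllowed(bob, Action.UPDATE, doc));
        System.out.println("carol READ unshared doc: " + isAllowed(carol, Action.READ, doc));
        System.out.println("dave READ other tenant:  " + isAllowed(dave, Action.READ, doc));
        System.out.println("alice DELETE own doc:    " + isAllowed(alice, Action.DELETE, doc));
    }
}
```

Running it, the owner's update and the shared viewer's read are the only allowed cases; bob's update fails on role, carol's read fails on the resource check, dave's read fails on the tenant check even though he is an admin, and alice's delete fails because no non-admin role carries that action. The order of the checks matters for defence in depth: the cheapest, most absolute rule (tenant) runs first, so a bug in a later, more detailed rule can never widen access across tenants.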
## Cryptography

### Encryption Best Practices

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// AES-GCM encryption example - output is nonce || ciphertext || authentication tag
public static byte[] encrypt(String plainText, SecretKey key) throws GeneralSecurityException {
    byte[] nonce = new byte[12];                 // 96-bit nonce; must never repeat for the same key
    new SecureRandom().nextBytes(nonce);
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce)); // 128-bit tag
    byte[] cipherText = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
    byte[] out = new byte[nonce.length + cipherText.length];
    System.arraycopy(nonce, 0, out, 0, nonce.length);
    System.arraycopy(cipherText, 0, out, nonce.length, cipherText.length);
    return out;                                  // the receiver needs the nonce to decrypt
}
// Key generation
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // 256-bit key; keep it in a key store or HSM, never in source
SecretKey key = keyGen.generateKey();
```
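Encryption is only half of a GCM workflow: the receiver must recover the nonce and let the cipher verify the authentication tag before trusting any plaintext. The following is an added example, not code from the original guide, that pairs an encrypt routine using the same nonce-first layout with its decrypt counterpart, and then flips one ciphertext byte to show that GCM rejects the modified blob with `AEADBadTagException` rather than returning corrupted plaintext. The class name, the length check and the sample message are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not from the original guide): AES-GCM encrypt/decrypt round trip with the
// nonce carried in front of the ciphertext, plus a tamper check. The sample message and the
// class name are constructed for illustration.
public final class AesGcmRoundTrip {

    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts with a fresh random nonce; output layout is nonce || ciphertext || tag. */
    public static byte[] encrypt(byte[] plaintext, SecretKey key) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /** Splits off the nonce and decrypts; throws AEADBadTagException if any byte was altered. */
    public static byte[] decrypt(byte[] blob, SecretKey key) throws GeneralSecurityException {
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short to contain nonce and tag");
        }
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        // doFinal checks the tag over the whole ciphertext before it returns any plaintext
        return cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        byte[] msg = "transfer 100.00 to account 42".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = encrypt(msg, key);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(blob, key)));

        // Flip one bit of the first ciphertext byte (just after the nonce) and try again
        byte[] tampered = blob.clone();
        tampered[NONCE_BYTES] ^= 0x01;
        try {
            decrypt(tampered, key);
            System.out.println("tampered blob decrypted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered blob rejected: " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind when reusing this shape: the nonce is not secret but must be unique per key, so a random 96-bit nonce is only safe for a bounded number of messages under one key (rotate keys long before that limit), and any authenticated-but-unencrypted header bytes should be supplied through `cipher.updateAAD(...)` on both sides so they are covered by the same tag.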
## Security Testing

### Testing Approaches

- Static Analysis (SAST)
- Dynamic Analysis (DAST)
- Interactive Analysis (IAST)
- Dependency Scanning
- Penetration Testing

### Security Testing Tools

| Tool Type | Examples | Use Cases |
|---|---|---|
| SAST | SonarQube, Fortify | Code analysis |
| DAST | OWASP ZAP, Burp Suite | Runtime testing |
| Dependency Scanner | OWASP Dependency-Check | Vulnerability scanning |
Testing Checklist:
- Input validation testing
- Authentication testing
- Authorization testing
- Session management testing
- Error handling testing
- Cryptography testing
- Business logic testing