101 Great Ways to Write Secure Code

Writing secure code isn’t a one-time task; it’s a mindset and a continuous practice. Integrate these tips into your development workflow to build more robust and resilient applications.

I. Foundational Principles & Mindset

1. Assume Malice: Always consider how an attacker might misuse your code.
2. Principle of Least Privilege: Grant only the minimum necessary permissions to users, processes, and components.
3. Defense in Depth: Employ multiple layers of security controls.
4. Secure by Design: Integrate security from the very beginning of the software development lifecycle (SDLC).
5. Fail Securely: When an error occurs, the system should default to a secure state (e.g., deny access).
6. Don’t Roll Your Own Crypto: Use well-vetted, standard cryptographic libraries.
7. Keep It Simple: Simpler code is generally easier to secure and audit.
8. Minimize Attack Surface: Reduce the number of open ports, services, and accessible code.
9. Never Trust User Input: Validate, sanitize, and escape all data received from external sources.
10. Segregation of Duties: Separate responsibilities to prevent a single point of compromise.
11. Understand Your Threat Model: Identify potential threats and vulnerabilities specific to your application.
12. Continuous Learning: Stay updated on new vulnerabilities and security best practices.
13. Automate Security Testing: Integrate static and dynamic analysis into your CI/CD pipeline.
14. Document Security Decisions: Keep a record of security considerations and implementations.
15. Peer Review & Code Audit: Have others review your code for security flaws.

II. Input Validation & Data Handling

16. Whitelisting over Blacklisting: Allow only known good input, rather than trying to block known bad input.
17. Validate All Input: Check data types, lengths, formats, and ranges.
18. Server-Side Validation: Never rely solely on client-side validation; always re-validate on the server.
19. Contextual Output Encoding: Encode output based on the context (HTML, URL, JavaScript, SQL) to prevent injection.
20. Parameterized Queries: Use prepared statements for all database interactions to prevent SQL Injection.
21. Escape All Output: Before rendering user-supplied data, escape it properly.
22. Limit Input Size: Prevent buffer overflows and excessive resource consumption.
23. Reject Invalid Input: Don’t try to “fix” bad input; reject it and log the attempt.
24. Sanitize HTML: Use a robust library to sanitize user-provided HTML, removing dangerous tags/attributes.
25. File Upload Validation: Verify file type, size, content, and scan for malware. Store uploaded files outside the web root.

III. Authentication & Authorization

26. Strong Password Policy: Enforce complexity, length, and history requirements for passwords.
27. Hash Passwords Securely: Use strong, salted, adaptive hashing functions (e.g., bcrypt, Argon2, scrypt). Never store plain text passwords.
28. Don’t Store Secrets in Code: Avoid hardcoding API keys, database credentials, etc., in source code.
29. Use Multi-Factor Authentication (MFA): Implement MFA for sensitive accounts.
30. Implement Account Lockout: Prevent brute-force attacks after a number of failed login attempts.
31. Rate Limit Authentication Attempts: Slow down repeated login attempts.
32. Secure Session Management: Use secure, short-lived session IDs.
33. Regenerate Session IDs on Login/Privilege Change: Prevent session fixation.
34. Expire Sessions Properly: Implement idle and absolute session timeouts.
35. Require Re-authentication for Sensitive Actions: Prompt users to confirm their identity for critical operations.
36. Role-Based Access Control (RBAC): Define roles and assign permissions based on those roles.
37. Least Privilege for Users: Grant only necessary access to individual users.
38. Check Authorization on Every Request: Don’t rely on client-side checks; always verify on the server.
39. Don’t Expose Sensitive Data in Tokens: Avoid putting PII or secret data directly into JWTs.
40. Use Secure Cookies: Set HttpOnly, Secure, and SameSite flags.

IV. Error Handling & Logging

41. Don’t Leak Information in Error Messages: Generic error messages prevent attackers from gaining insights into your system.
42. Log Security Events: Record successful/failed logins, access to sensitive data, and attempted attacks.
43. Implement Centralized Logging: Consolidate logs for easier monitoring and analysis.
44. Protect Log Files: Ensure logs are not publicly accessible and are tamper-proof.
45. Rotate and Archive Logs: Manage log file sizes and retention policies.
46. Use Specific Exception Handling: Catch specific exceptions instead of broad ones.
47. Never Put Passwords or Sensitive Data in Logs: Sanitize logs of PII and credentials.
48. Alert on Suspicious Activity: Set up monitoring and alerting for unusual log patterns.
49. Handle All Possible Errors: Don’t leave unhandled exceptions that could expose data.
50. Graceful Degradation: Ensure your application degrades gracefully under attack or error conditions.

V. API Security

51. Authenticate All API Endpoints: Every API call should be authenticated and authorized.
52. Use HTTPS for All API Communication: Encrypt data in transit.
53. Implement API Gateways: For centralized security, rate limiting, and traffic management.
54. Validate API Input/Output Schemas: Ensure data conforms to expected formats.
55. Rate Limit API Calls: Prevent abuse and denial-of-service attacks.
56. Use API Versioning: Allows for backward compatibility when making security changes.
57. Don’t Expose Internal Implementation Details: Keep API responses lean and external-facing.
58. Implement API Key Management: Securely manage API keys, allowing revocation and rotation.
59. Consider OAuth 2.0/OpenID Connect: For robust delegation of access and identity.
60. Protect Against Mass Assignment: Explicitly define which attributes can be updated via API.

VI. Database Security

61. Principle of Least Privilege for Database Users: Database accounts should only have necessary permissions.
62. Encrypt Sensitive Data at Rest: For highly sensitive information (e.g., credit card numbers).
63. Separate Database User Accounts: Use different credentials for different applications/services.
64. Regularly Patch Database Software: Apply security updates promptly.
65. Disable Unnecessary Database Features: Reduce the attack surface.
66. Monitor Database Activity: Track access and modifications.
67. Backup Data Securely: Encrypt backups and store them in secure locations.
68. Avoid Storing Sensitive Data Unnecessarily: If you don’t need it, don’t store it.
69. Implement Row-Level Security: For fine-grained access control within tables.
70. Audit Database Changes: Track who made what changes and when.

VII. Dependency & Infrastructure Security

71. Keep Libraries & Frameworks Updated: Regularly patch third-party components to address known vulnerabilities.
72. Use Software Composition Analysis (SCA) Tools: To identify vulnerable dependencies automatically.
73. Understand Your Dependencies: Know what code you’re pulling into your project.
74. Use Content Security Policy (CSP): Mitigate XSS by controlling where resources can be loaded from.
75. Implement Subresource Integrity (SRI): For external scripts and stylesheets to ensure they haven’t been tampered with.
76. Scan Docker Images: For known vulnerabilities before deployment.
77. Harden Your OS/Containers: Remove unnecessary software, services, and users.
78. Use Secure Configuration Management: Automate secure configuration of servers and services.
79. Disable Unnecessary Services: Close unneeded ports.
80. Regularly Scan for Open Ports: Ensure only intended services are exposed.

VIII. Code Quality & Best Practices

81. Avoid eval(): It’s a common source of code injection vulnerabilities.
82. Be Wary of Deserialization: Untrusted deserialization can lead to remote code execution.
83. Prevent Directory Traversal: Sanitize file paths before using them.
84. Guard Against XML External Entity (XXE) Attacks: Disable DTDs and external entities in XML parsers.
85. Manage Memory Securely: Prevent buffer overflows, use-after-free, and other memory corruption issues (especially in C/C++).
86. Use Static Analysis (SAST) Tools: Identify security flaws early in the development cycle.
87. Use Dynamic Analysis (DAST) Tools: Test for vulnerabilities in running applications.
88. Implement Security Headers: (e.g., X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security).
89. Remove Dead Code: Unused code can harbor vulnerabilities.
90. Don’t Suppress Warnings/Errors: Investigate security-related warnings.
91. Consider Least Functionality: Only include necessary features.
92. Use HTTPS Everywhere: Enforce encrypted communication for all traffic.
93. Understand Your Language’s Security Quirks: Be aware of common pitfalls in your chosen programming language.
94. Avoid Hardcoded Paths/Credentials: Use configuration files or environment variables.
95. Don’t Implement Business Logic on the Client-Side: It can be easily bypassed.

IX. Advanced & Operational Security

96. Regular Security Training: Educate your development team on secure coding practices.
97. Conduct Penetration Testing: Hire ethical hackers to find vulnerabilities.
98. Establish an Incident Response Plan: Know how to react when a breach occurs.
99. Implement Software Supply Chain Security: Secure your entire software delivery pipeline.
100. Practice Immutable Infrastructure: Treat servers as disposable; rebuild rather than patch.
101. Embrace a Security Culture: Make security everyone’s responsibility, not just a security team’s.

This list provides a robust starting point for developing a secure coding mindset and practices. Remember, security is an ongoing journey, not a destination.