Security Basics

About

This page is meant to be as an starting point for security in development, for developers with little or no experience at all with secure development and good security practices in development.

Awareness

Every year vulnerabilities tend to grow in numbers () as well as weakness in code ().

Lots of enterprises are more aware about security in their software, ransomware groups and attacks are pretty common every single day, automated scannners for common vulnerabilities run by bad actors...

The are lots of reasons to take security seriously as a developer. Just take a Raspberry Pi (or other similar device) or spin up a VM in a cloud service, and open SSH port on port 22 publicly... You will be shocked with the number of attempts to login to your device...

Then have a look to some of this visualization tools:

• offers where you can see an instant overview of internet insights (some regarding security and attacks).

• The provides

• offers where you can see attacks in real time, as well as attacks on the day of visit (tends to grow to millions a day).

• offers , a realtime CyberTheat map.

• offers worth to check out.

• offers , its own cyber threat real-time map.

• also offers .

• And lots of other tools:

Search news for data breaches, security incidents, ransomware attacks.

Are you more concerned now?

Great. Let's improve this situation...

Secure Coding Practices

This checklist covers the following points:

From the last bullet point, make sure you are following this coding practices:

• Use tested and approved managed code rather than creating new unmanaged code for common tasks.

• Utilize task specific built-in APIs to conduct operating system tasks. Do not allow the application to issue commands directly to the Operating System, especially through the use of application initiated command shells.

• Utilize locking to prevent multiple simultaneous requests or use a synchronization mechanism to prevent race conditions.

• Protect shared variables and resources from inappropriate concurrent access.

• Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

• In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible.

• Avoid calculation errors by understanding your programming language's underlying representation.

• Do not pass user supplied data to any dynamic execution function.

• Restrict users from generating new code or altering existing code.

• Review all secondary applications, third party code and libraries to determine business necessity and validate safe functionality.

• Implement safe updating using encrypted channels.

Getting some help

You don't have to do all of this without help!

Look for professionals, professional enterprise ready tools and solutions. awesome OSS projects and others in other sections of this page...