
Secure Coding Practices

● OWASP Based Checklist
● 200+ Test Cases

Contents
1. Input Validation
2. Output Encoding
3. Authentication and Password Management
4. Session Management
5. Access Control
6. Cryptographic Practices
7. Error Handling and Logging
8. Data Protection
9. Communication Security
10. System Configuration
11. Database Security
12. File Management
13. Memory Management
14. General Coding Practices
15. Glossary
1. Input Validation

The "Input validation" section in your Secure Coding Practices checklist involves
measures to ensure that data coming into your application is safe and free from
potential security risks. It includes practices like conducting validation on trusted
systems, distinguishing between trusted and untrusted data sources, specifying
character sets, validating data types, lengths, and ranges, and being cautious about
potentially hazardous characters. The goal is to prevent malicious data from entering
your application and to handle it safely if it must be allowed. These practices help
safeguard against common security vulnerabilities, such as injection attacks, by
ensuring that only well-formed, expected, and safe data is processed.

1.1 Conduct all data validation on a trusted system
Scenario: Perform all data validation on the server, never only on the client. Anything that runs in the browser can be modified or bypassed entirely (the attacker can send the request with curl), so client-side checks are a usability feature, not a security control.
Example: When a user submits a form, the server checks every field for validity and rejects the request if it does not meet the criteria. Client-side JavaScript may pre-check the form for convenience but is not relied upon.

1.2 Identify all data sources and classify them
Scenario: Classify every data source as trusted or untrusted and validate all data from untrusted sources. User input, HTTP headers, external APIs, file streams and, in practice, data read back from the database are all untrusted: a value that was safe when stored may have been written by another component or modified since.
Example: Validate input whether it arrives in a submitted form, a webhook from an external API, or a row read from the database, before it is used in a query, a command or a page.

1.3 Centralized input validation routine
Scenario: Implement one centralized input validation routine so that validation is consistent and complete across the application, rather than ad-hoc checks scattered through individual handlers, which are easy to forget or to get wrong.
Example: Create a single validation module that every handler calls for its input, so that each field is validated against the same predefined rules (type, length, range, allow list).

Author: https://www.linkedin.com/in/hariprasaanth/
1.4 Specify proper character sets
Scenario: Define one character set, such as UTF-8, for all sources of input so that every layer interprets the same bytes the same way. Encoding mismatches let hazardous characters pass a check performed under one encoding and then be interpreted under another.
Example: Declare UTF-8 for HTTP request and response bodies, the database connection and any files the application reads, so that all data is decoded consistently.

1.5 Encode data to a common character set before validating
Scenario: Convert data to a common character set (e.g., UTF-8) before validation, so that validation operates on the same canonical form the application later processes. Canonicalize first, then validate.
Example: Before validating user input, decode it as strict UTF-8 (rejecting invalid byte sequences) and apply Unicode normalization, then run the validation rules.

1.6 All validation failures result in input rejection
Scenario: On a validation failure, reject the input and stop processing. Do not attempt to "clean" bad input into something acceptable; silently stripping characters is a common source of filter bypasses.
Example: If a user submits invalid input, the application rejects the whole request with an error and does not proceed with any further action on that data.

1.7 Determine system support for UTF-8 extended character sets
Scenario: Determine whether the system accepts UTF-8 extended (multi-byte) character sets. If it does, validate input only after UTF-8 decoding is complete, so that over-long or alternate encodings of hazardous characters cannot pass checks made on the raw bytes.
Example: If the application supports extended character sets, decode first and validate the decoded string; a check that looks for "<" in the raw bytes will not see an over-long encoding of it.

1.8 Validate all client-provided data
Scenario: Validate all input from the client, including parameters, URLs, HTTP headers (cookies among them) and automated postbacks. This includes values the browser "never changes", such as hidden fields and drop-down selections; the attacker controls every byte of the request.
Example: When processing form submissions and HTTP headers, validate each value rigorously, treating hidden fields and the Host, Referer and User-Agent headers like any other user input, to avoid injection vulnerabilities.

1.9 Verify header values contain only ASCII characters
Scenario: Ensure that header values in both requests and responses contain only ASCII characters, and in particular no CR or LF, to prevent attacks that exploit character-encoding differences and header injection (response splitting) through a line break in a value.
Example: Before setting a response header from user-influenced data, check that the value is limited to printable ASCII with no control characters.

1.10 Validate data from redirects
Scenario: Validate data at the target of a redirect, not only before it. An attacker can submit content directly to the redirect target, bypassing the application logic and any validation performed before the redirect.
Example: If one endpoint validates a value and then redirects to a second endpoint with that value as a parameter, the second endpoint must validate it again rather than assume the first one did.

1.11 Validate for expected data types
Scenario: Verify that input matches the expected data type (integer, string, date, boolean) and convert it to that type before use, to prevent type-confusion errors and the vulnerabilities that follow from them.
Example: Parse an "id" parameter as an integer and reject the request if parsing fails, instead of passing the raw string on to a query.

1.12 Validate data range
Scenario: Check that input values fall within the expected range, to prevent overflow or underflow conditions and business-logic abuse such as negative quantities or dates outside the permitted window.
Example: Reject a quantity outside 1 to 1000, or a date of birth in the future, rather than letting the value propagate into the application.

1.13 Validate data length
Scenario: Limit the length of input to prevent buffer overflows in native code and resource-exhaustion attacks, for instance oversized strings fed to regular expressions, parsers or the database.
Example: Restrict a username to 32 characters and a comment to a few thousand, and reject longer input before any other processing takes place.

1.14 Validate all input against an allow list
Scenario: Whenever possible, validate input against an allow list (the checklist's "white" list) of permitted characters, values or patterns. An allow list restricts input to what the application actually needs; a deny list of known-bad patterns is always incomplete.
Example: Accept only the characters A-Z, a-z, 0-9, "_", "." and "-" in a username, or only values from a fixed set for a sort field, rather than trying to block known-bad characters.

1.15 Handle hazardous characters < > " ' % ( ) & + \ \' \"
Scenario: If potentially hazardous characters must be allowed as input (a surname such as O'Brien, a comment containing "<"), accept them but apply additional controls wherever they are later used: output encoding for the target interpreter, secure task-specific APIs (parameterized queries, argument-array process execution), and accounting for their use throughout the application.
Example: If the application must accept hazardous characters, store them unchanged and rely on contextual output encoding and secure APIs at each point where they are used.

1.16 Check specific inputs
Scenario: If the standard validation routine cannot address the following inputs, check for them specifically: null bytes (%00), new line characters (%0d, %0a, \r, \n), path alteration sequences ("../" or "..\"), and alternate representations of hazardous characters (URL-encoded, double-encoded, HTML-entity-encoded). Perform the check after decoding, or the alternate representation will be missed.
Example: If standard validation does not catch certain inputs, inspect them for null bytes, line breaks, path traversal sequences, and alternate encodings such as %3C or %253C for "<".
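The following is an added example, not part of the original checklist, showing items 1.3, 1.5 to 1.7, 1.9 and 1.11 to 1.16 implemented as one central validation routine. The field rules (USERNAME, SORT_FIELD), the length limits and the sample inputs are assumptions made for this illustration.

```python
import re
import unicodedata
from urllib.parse import unquote


class ValidationError(ValueError):
    """Any failure means the input is rejected outright (1.6)."""


# Allow lists (1.14): state what is permitted, not what is forbidden.
# Both patterns are assumptions for this example.
USERNAME = re.compile(r"[A-Za-z0-9_.-]+")
SORT_FIELD = re.compile(r"name|created|size")

# Inputs that generic checks may miss (1.16). They are searched in the
# canonical text and in its percent-decoded forms, so that %00, %2e%2e%2f
# and the double-encoded %252e%252e%252f are all caught.
_SPECIFIC = {
    "null byte": re.compile(r"\x00"),
    "line break": re.compile(r"[\r\n]"),
    "path alteration": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
}


def canonicalize(raw):
    """Decode strict UTF-8 and NFC-normalize before any validation (1.5, 1.7).

    Invalid and over-long byte sequences are rejected, never replaced.
    """
    if isinstance(raw, bytes):
        try:
            raw = raw.decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise ValidationError(f"invalid UTF-8: {exc.reason}") from None
    return unicodedata.normalize("NFC", raw)


def _views(text):
    """The text plus up to two rounds of percent-decoding (1.16)."""
    views = [text]
    for _ in range(2):
        decoded = unquote(views[-1])
        if decoded == views[-1]:
            break
        views.append(decoded)
    return views


def validate(raw, *, kind="str", max_len=256, allowed=None, lo=None, hi=None):
    """Central validation routine (1.3). Returns the converted value or raises."""
    text = canonicalize(raw)
    if len(text) > max_len:                                     # 1.13 length
        raise ValidationError("too long")
    for label, pattern in _SPECIFIC.items():                    # 1.16 specific inputs
        if any(pattern.search(view) for view in _views(text)):
            raise ValidationError(label)
    if kind == "int":                                           # 1.11 type, 1.12 range
        if not re.fullmatch(r"-?[0-9]+", text):
            raise ValidationError("not an integer")
        value = int(text)
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            raise ValidationError("out of range")
        return value
    if kind == "str":
        if allowed is not None and not allowed.fullmatch(text):  # 1.14 allow list
            raise ValidationError("character not in allow list")
        return text
    raise ValidationError(f"unknown kind {kind!r}")


def validate_header_value(value):
    """Header values: printable ASCII only, so no CR/LF injection (1.9)."""
    if not isinstance(value, str) or not all(0x20 <= ord(c) <= 0x7E for c in value):
        raise ValidationError("header value must be printable ASCII")
    return value


def rejects(raw, validator=validate, **rules):
    """True if the validator rejects the input; handy for tests and examples."""
    try:
        validator(raw, **rules)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    print(validate("alice_1", allowed=USERNAME))
    print(validate("42", kind="int", lo=1, hi=100))
    print(rejects("%252e%252e%252fetc%252fpasswd"))
```

The routine decodes and normalizes before it checks anything, so a check such as "no ../" runs against what the application will actually see. Note that it inspects the percent-decoded views for forbidden patterns but returns the original text; whether a field should be URL-decoded at all is a separate decision for the caller.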

2. Output Encoding

The "output encoding" section in your Secure Coding Practices checklist focuses on
ensuring that data leaving your application is secure and properly formatted. It involves
practices such as conducting encoding on trusted systems, utilizing established
encoding routines, and contextually encoding or sanitizing data before returning it to
clients. This helps prevent security vulnerabilities by ensuring that all data is presented
in a safe and well-structured manner, especially when it originated from untrusted
sources. Proper output encoding safeguards against issues like cross-site scripting
(XSS) and injection attacks by ensuring that data is correctly processed for the
intended interpreter and presentation medium.

2.1 Conduct all encoding on a trusted system
Scenario: Perform all output encoding on the server, not on the client, so that the encoding step cannot be tampered with or skipped.
Example: When generating HTML for a web page, the server encodes special characters in data before writing them into the page, to prevent cross-site scripting (XSS).

2.2 Utilize a standard, tested routine for each type of outbound encoding
Scenario: Use well-tested, standard encoding routines (a maintained library or the framework's built-in encoders) for each output context, rather than hand-written chains of replace() calls, to get consistent and complete encoding.
Example: Use the platform's HTML entity encoder for HTML content, its URL encoder for URL parameters, and its JavaScript string encoder for script context.

2.3 Contextually output encode all data returned to the client
Scenario: Apply output encoding to all data that originated outside the application's trust boundary and is returned to the client, using the encoding for the context it is written into (HTML body, HTML attribute, JavaScript, CSS, URL). Encoding for the wrong context can be as dangerous as no encoding.
Example: When displaying user-generated content in a web page, HTML-entity-encode it in the body, attribute-encode it inside an attribute value, and JavaScript-encode it inside a script block.

2.4 Encode all characters unless they are known to be safe
Scenario: Encode every character in output data unless it is explicitly known to be safe for the intended interpreter, rather than only the handful of characters known to be dangerous. This closes the gap between what the encoder knows about and what the interpreter accepts.
Example: Inside an HTML attribute, encode everything except alphanumerics as &#xHH; so that quotes, spaces, "=" and "<" cannot break out of the attribute value.
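Added example for items 2.2 to 2.4, not part of the original checklist: one encoder per output context, selected by the slot the data is written into. The profile fragment and the sample inputs are constructed for this illustration; the encoders wrap standard-library routines rather than hand-rolled replace() chains.

```python
import html
import json
from urllib.parse import quote

_ATTR_SAFE = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def encode_html_body(value):
    """HTML element content: entity-encode & < > \" ' (2.3)."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Quoted HTML attribute value: encode every character that is not
    alphanumeric as &#xHH; (2.4: encode unless known safe)."""
    return "".join(c if c in _ATTR_SAFE else f"&#x{ord(c):X};" for c in value)


def encode_js_string(value):
    """JavaScript string literal inside a <script> block.

    json.dumps produces a double-quoted, escaped literal with all non-ASCII
    (including U+2028/U+2029) as \\uXXXX. The browser's HTML parser runs
    before the JavaScript parser, so < > & are escaped as well, which stops
    the literal from closing the script element with </script>.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003C").replace(">", "\\u003E").replace("&", "\\u0026")


def encode_url_param(value):
    """Value inside a query string: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


ENCODERS = {
    "html": encode_html_body,
    "attr": encode_html_attr,
    "js": encode_js_string,
    "url": encode_url_param,
}


def encode_for(context, value):
    """Dispatch to the encoder for the context. An unknown context is an
    error, never a silent pass-through."""
    try:
        return ENCODERS[context](value)
    except KeyError:
        raise ValueError(f"no encoder for context {context!r}") from None


def js_roundtrip(value):
    """True if the JS literal decodes back to the original value."""
    return json.loads(encode_js_string(value)) == value


def render_profile(display_name):
    """The same untrusted value written into four different contexts."""
    return (
        f"<h1>Hello, {encode_for('html', display_name)}</h1>\n"
        f'<input name="display_name" value="{encode_for("attr", display_name)}">\n'
        f'<a href="/search?q={encode_for("url", display_name)}">Find me</a>\n'
        f"<script>var displayName = {encode_for('js', display_name)};</script>"
    )
```

The point of encode_for is that the caller names the context and cannot fall back to "no encoding" by mistake; a template engine with contextual auto-escaping does the same job and should be preferred where available.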

2.5 Contextually sanitize output of untrusted data to queries
Scenario: Sanitize all output of untrusted data to queries for SQL, XML and LDAP, with sanitization specific to the query type. For SQL the primary control is parameterized queries (prepared statements), which keep data out of the parser entirely; escaping is a fallback for the rare places where a value cannot be a parameter, such as an identifier, and even then an allow list is better.
Example: When constructing an SQL query from user input, pass the input as a bound parameter so that the database never parses it as SQL; for an LDAP filter, escape the characters that RFC 4515 gives meaning to.

2.6 Sanitize output of untrusted data to operating system commands
Scenario: Sanitize all output of untrusted data before it reaches an operating system command, and prefer not to invoke a shell at all: pass the program and its arguments as an array to the process API and validate each argument against an allow list.
Example: When running a command with user input, do not build a command-line string; execute the program with an argument list, validate the argument, and reject values that begin with "-", which the program would otherwise read as an option.
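Added example for items 2.5 and 2.6, not part of the original checklist. The table, rows, injection payloads and hostnames are constructed for this illustration. The function marked vulnerable shows the string-building pattern the checklist warns against and is kept only to contrast with the safe version.

```python
import re
import sqlite3
import subprocess


def setup_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: the input is parsed as SQL (the anti-pattern)."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the value is bound separately and the database
    never interprets it as SQL (2.5)."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# RFC 4515 filter escaping. LDAP libraries ship an equivalent, which should
# be preferred over this hand-written version (2.2).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def ldap_user_filter(uid):
    return f"(&(objectClass=person)(uid={ldap_filter_escape(uid)}))"


# Allow list for a hostname argument: must start and end with an alphanumeric,
# so shell metacharacters, spaces and a leading "-" are all rejected.
_HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def build_ping_argv(host):
    """Argument list for an OS command without a shell (2.6).

    The vulnerable pattern is subprocess.run(f"ping -c 1 {host}", shell=True):
    a host of "x; rm -rf /" runs a second command. Here the program and each
    argument are separate list elements, so metacharacters are never parsed.
    """
    if not _HOSTNAME.fullmatch(host):
        raise ValueError("host is not a valid hostname")
    return ["ping", "-c", "1", host]


def accepts_host(host):
    try:
        build_ping_argv(host)
    except ValueError:
        return False
    return True


def run_ping(host):
    """Execute with an argv list and no shell; timeout bounds a hung process."""
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=5)
```

With the payload ' OR '1'='1 the concatenated query returns every row, while the parameterized query returns nothing, because the whole payload is compared literally against the name column.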

3. Authentication and Password Management

"Authentication and Password Management" focuses on ensuring secure access to your application. It includes practices like requiring authentication for most resources, using standard authentication services, securely storing and handling passwords, enforcing password complexity and reset policies, and monitoring for suspicious activities. The goal is to protect user accounts, data, and sensitive functions by implementing strong authentication and password management practices, ultimately safeguarding against unauthorized access and security breaches.

3.1 Require authentication for all pages and resources
Scenario: Require authentication for all pages and resources except those specifically intended to be public. The default for a new route should be "authenticated", with public access an explicit exception.
Example: Every user accessing the application must authenticate, except for explicitly public pages such as the home page and the login page itself.

3.2 Enforce all authentication controls on a trusted system
Scenario: Implement all authentication controls on the server, never on the client, so that the authentication logic cannot be tampered with or skipped.
Example: Credentials are checked on the server; a client-side value such as a "loggedIn=true" flag is never treated as proof of authentication.

3.3 Establish and use standard, tested authentication services
Scenario: Use established, tested authentication services and libraries wherever possible rather than writing your own. Note that OAuth 2.0 by itself is an authorization framework; for sign-in, use OpenID Connect (the layer that Google Sign-In and similar providers implement) or a mature framework authentication module.
Example: Implementing sign-in through a widely used provider such as Google Sign-In, or through the framework's standard authentication module, avoids the mistakes common in home-grown implementations.

3.4 Use a centralized implementation for all authentication controls
Scenario: Implement a single centralized authentication mechanism for all authentication-related processes, including libraries that call external authentication services, so that there is one point of control for managing user credentials and access permissions.
Example: Login, logout, password reset and MFA flows all go through one authentication service rather than being re-implemented per feature.

3.5 Segregate authentication logic from requested resources
Scenario: Separate authentication logic from the resource being requested, and use redirection to and from the centralized authentication control, so that resource handlers do not each implement (and mis-implement) authentication.
Example: A request for a protected resource is redirected to the central login flow and back again, rather than the resource handler checking credentials itself.

3.6 Ensure secure failure of authentication controls
Scenario: Authentication controls must fail securely: an error or exception in the authentication path results in access being denied, never in the user being treated as authenticated, and failure responses do not reveal which part of the authentication data was incorrect.
Example: If authentication fails, the system responds with a generic message such as "Invalid username and/or password" without indicating which part was wrong; if the authentication backend is unreachable, the request is denied and the error logged.

3.7 Secure administrative and account management functions
Scenario: Apply at least the same security controls to administrative and account-management functions as to the primary authentication mechanism; these functions are higher-value targets, not lower.
Example: Administrative actions and account management are protected by the same authentication, session and access controls as the rest of the application, with MFA where it is available.

3.8 Secure storage of password hashes
Scenario: If the application manages a credential store, store only cryptographically strong one-way salted hashes of passwords, computed with a password hashing function designed to be slow (bcrypt, scrypt, Argon2 or PBKDF2), never a plain SHA-256 or MD5 of the password. The table or file holding the hashes (and any keys) should be writable only by the application.
Example: Passwords are stored as per-user salted hashes produced by a dedicated password hashing function, and write access to the credential table is restricted to the application's own account.

3.9 Implement password hashing on a trusted system
Scenario: Perform password hashing on the server, not on the client, to protect the hashing algorithm and salt values from exposure. A hash computed on the client becomes the effective password: whoever obtains it can replay it.
Example: Password hashing takes place on the server; the client sends the password over TLS and never sees the salt or the hash.

3.10 Validate authentication data after all data input is complete
Scenario: Validate authentication data only after all data input is complete, especially for sequential (multi-step) authentication implementations, so that the response to an early step does not reveal whether that step was correct.
Example: In a multi-step login, the username and password are validated together after the final step, not one at a time.

3.11 Secure authentication failure responses
Scenario: Authentication failure responses must not indicate which part of the authentication data was incorrect, and should take the same time whether or not the username exists, to prevent user enumeration.
Example: Error responses for a failed login carry the same message, such as "Invalid username and/or password," whether the username or the password was wrong.

3.12 Use authentication for connections to external systems
Scenario: Use authentication for connections to external systems that involve sensitive information or functions, so that a party on the network path cannot impersonate the application or the service.
Example: When connecting to an external system holding sensitive data, the application authenticates itself (API key, client certificate or OAuth client credentials) and verifies the remote service's TLS certificate.

3.13 Encrypt and store external authentication credentials
Scenario: Credentials for accessing services external to the application are encrypted and stored in a protected location on a trusted system (a secrets manager or the platform's credential store), never in source code or a repository.
Example: External service credentials are held in a secrets store and injected at runtime; they do not appear in the source code or in configuration files checked into version control.

3.14 Use only HTTP POST requests for authentication credentials
Scenario: Transmit authentication credentials only in the body of HTTP POST requests, never in URL parameters, which end up in server logs, proxy logs, browser history and Referer headers.
Example: The login form submits credentials with POST; a GET request carrying a username and password in the query string is rejected.

3.15 Send non-temporary passwords over encrypted connections
Scenario: Send non-temporary passwords only over an encrypted connection (TLS) or as encrypted data, to protect them from interception. Temporary passwords associated with email resets may be an exception to this rule.
Example: Non-temporary passwords are transmitted only over TLS to prevent eavesdropping.

3.16 Enforce password complexity requirements
Scenario: Enforce the password complexity requirements established by policy or regulation. Note that current guidance (NIST SP 800-63B) favours length and screening against lists of known-breached passwords over composition rules, which users defeat with predictable substitutions; where policy allows, prefer those controls.
Example: Passwords meet the configured requirements, such as including alphabetic, numeric and special characters, or, under a length-based policy, are long passphrases that do not appear on a breached-password list.

3.17 Enforce password length requirements
Scenario: Enforce password length requirements based on policy or regulation. Eight characters is a common minimum; longer is better, and the maximum should be generous (64 or more) so that passphrases are possible.
Example: Passwords must be at least eight characters long, and the application accepts much longer ones.

3.18 Obscure password entry on the user's screen
Scenario: Password entry is obscured on the user's screen, using input type "password" on web forms, which also keeps browsers from storing the value in form history.
Example: When users type passwords, the input is masked to prevent observation of the screen.

3.19 Enforce account disabling after invalid login attempts
Scenario: Disable or temporarily lock an account after a set number of invalid login attempts, to slow brute-force attacks. The lockout must be long enough to deter automated guessing but short enough that it cannot easily be used to deny service to legitimate users.
Example: After five failed login attempts, the account is locked for a period such as 15 minutes.

3.20 Secure password reset and change operations
Scenario: Password reset and change operations have the same level of security controls as account creation and authentication.
Example: The processes for resetting and changing passwords are as secure as initial account creation and authentication.

3.21 Use random security questions
Scenario: If password reset uses security questions, they must support sufficiently random answers; questions whose answers are public or guessable (mother's maiden name, favourite book) provide little protection. Current guidance treats knowledge-based questions as weak; where possible use a reset link sent to a verified address, or a second factor, instead.
Example: Instead of easily guessable questions like "favorite book," use questions whose answers are not predictable, or replace questions with a verified-address reset.

3.22 Send reset information to pre-registered email addresses
Scenario: If using email-based resets, send the email only to the pre-registered address, containing a temporary link or password; never accept a destination address from the reset request itself.
Example: When resetting passwords via email, send the reset information only to the email address the user registered in advance.

3.23 Set short expiration times for temporary passwords
Scenario: Temporary passwords and reset links have a short expiration time, and are single-use, to reduce the window in which a leaked one is useful.
Example: Temporary passwords are valid only for a short period, such as 24 hours, and stop working once used.

3.24 Enforce changing of temporary passwords on first use
Scenario: Require users to change a temporary password immediately upon first use, so that a password that was sent over email or spoken over the phone is never the long-term credential.
Example: Users are prompted to set a new password the first time they log in with a temporary one, and cannot proceed until they do.

3.25 Notify users of password resets
Scenario: Inform users when a password reset occurs, so that a reset they did not request is noticed and can be reported.
Example: Users receive a notification, sent to the pre-registered address, whenever their password is reset.

3.26 Prevent password reuse
Scenario: Keep a history of previous password hashes and reject a new password that matches any of them, so that users do not rotate back to an old, possibly compromised, password.
Example: Users are prevented from setting a password that matches any of their recent previous passwords.

3.27 Enforce a waiting period for password changes
Scenario: Passwords should be at least one day old before they can be changed. Without a minimum age, a user can cycle through several throwaway passwords in a minute to flush the reuse history (3.26) and return to the old password.
Example: A user cannot change a newly set password again immediately; a minimum age, typically one day, must elapse first.
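Added example, not part of the original checklist, putting items 3.6, 3.8, 3.9, 3.11, 3.19, 3.23, 3.24, 3.26 and 3.33 together in a minimal server-side credential store. The accounts, passwords, lockout and expiry values and the fake clock are constructed for this illustration. PBKDF2-HMAC-SHA256 is used because it is in the standard library; bcrypt, scrypt or Argon2 from a maintained library satisfy 3.8 equally well.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

ITERATIONS = 600_000            # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5                # 3.19
LOCKOUT_SECONDS = 15 * 60       # 3.19
TEMP_PASSWORD_TTL = 24 * 3600   # 3.23
HISTORY_SIZE = 5                # 3.26
GENERIC_FAILURE = "Invalid username and/or password"   # 3.6 / 3.11


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, one-way hash, computed on the server only (3.8, 3.9)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant-time


@dataclass
class Account:
    password_hash: str
    failures: int = 0
    locked_until: float = 0.0
    temp_expires: float = 0.0      # 0 means the current password is not temporary
    history: list = field(default_factory=list)


class AuthService:
    def __init__(self, clock=time.time, iterations=ITERATIONS):
        self.accounts = {}
        self.clock = clock
        self.iterations = iterations
        # Verified for unknown users and locked accounts so that every failure
        # costs the same time (3.11: no user enumeration through timing).
        self._decoy = hash_password("decoy", iterations)

    def register(self, username, password):
        self.accounts[username] = Account(hash_password(password, self.iterations))

    def login(self, username, password):
        """Returns (success, message). Every failure returns the same message."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(self._decoy, password)
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            verify_password(self._decoy, password)
            return False, GENERIC_FAILURE              # locked: do not say so
        if acct.temp_expires and now > acct.temp_expires:
            return False, GENERIC_FAILURE              # 3.23 expired temporary password
        if not verify_password(acct.password_hash, password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return False, GENERIC_FAILURE
        acct.failures = 0
        return True, ("must_change_password" if acct.temp_expires else "ok")   # 3.24

    def issue_temporary_password(self, username):
        """Returns the temporary password for delivery to the pre-registered address (3.22)."""
        acct = self.accounts[username]
        temp = secrets.token_urlsafe(12)
        self._retire(acct)
        acct.password_hash = hash_password(temp, self.iterations)
        acct.temp_expires = self.clock() + TEMP_PASSWORD_TTL
        return temp

    def change_password(self, username, current, new):
        """Re-authenticates with the current password (3.33) and rejects reuse (3.26)."""
        acct = self.accounts.get(username)
        if acct is None or not verify_password(acct.password_hash, current):
            return False
        if verify_password(acct.password_hash, new) or any(verify_password(h, new) for h in acct.history):
            return False
        self._retire(acct)
        acct.password_hash = hash_password(new, self.iterations)
        acct.temp_expires = 0.0
        return True

    def _retire(self, acct):
        acct.history = ([acct.password_hash] + acct.history)[:HISTORY_SIZE]
```

The reuse check has to re-hash the candidate against every stored salt, which is why the history is capped; it also means the history must hold only hashes, never the old passwords themselves. The minimum password age of 3.27 and the waiting period it implies are left to the caller, which knows when the current hash was set.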

3.28 Enforce periodic password changes
Scenario: Enforce password changes at the intervals set by policy, with the time between changes administratively controlled. Current guidance (NIST SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because it produces weaker, predictable passwords; keep the rotation period configurable so policy can set it to "never".
Example: Passwords are changed at the interval the policy specifies, and immediately when a compromise is suspected.

3.29 Disable "remember me" functionality for password fields
Scenario: Disable the "remember me" option for password fields, especially where public or shared devices are expected, so that a stored password cannot be used by the next person at the machine.
Example: Users are not offered the option to have their password remembered on public or shared devices.

3.30 Report last account activity to users
Scenario: Notify users of the last successful or unsuccessful login attempt, so that they can recognise activity that was not theirs.
Example: After login, the application shows the time and origin of the previous login and of any recent failed attempts.

3.31 Implement monitoring for multi-account attacks
Scenario: Monitor for and identify attacks that try the same password against many user accounts (password spraying). Per-account lockout does not stop this pattern, because each account sees only one or two failures; detect it by correlating failures across accounts from the same source within a short window.
Example: The system detects a single source producing failed logins against many different accounts and blocks or rate-limits that source, not the accounts.

3.32 Change default passwords and user IDs
Scenario: Change all vendor-supplied default passwords and user IDs, or disable the associated accounts, before the system is exposed; default credentials are published and are the first thing an attacker tries.
Example: Vendor-supplied default credentials are replaced or the accounts disabled as part of deployment.
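Added example for item 3.31, not part of the original checklist: detecting password spraying in authentication logs, alongside the per-account brute-force pattern that lockout (3.19) addresses. The log format and every line of SAMPLE_LOG are constructed for this illustration; real sources (web server, identity provider, SSH) need their own parser, but the correlation is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 10 * 60   # correlation window
MIN_ACCOUNTS = 5           # distinct accounts failed from one source

# Constructed log format: "<ISO timestamp> auth src=<ip> user=<name> result=OK|FAIL"
_LINE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one user mistyping, one spraying source hitting five
# accounts once each, and one brute-force source hammering a single account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:03Z auth src=198.51.100.7 user=alice result=OK
2024-05-01T10:01:00Z auth src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:02Z auth src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:01:04Z auth src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:01:06Z auth src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:01:08Z auth src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:01:10Z auth src=203.0.113.5 user=frank result=OK
2024-05-01T10:30:00Z auth src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:30:02Z auth src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:30:04Z auth src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:30:06Z auth src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:30:08Z auth src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:30:10Z auth src=192.0.2.9 user=bob result=FAIL
"""


def parse(lines):
    """Yield (epoch_seconds, src, user, result); unparseable lines are skipped
    here, but in production they should be counted and alerted on."""
    for line in lines:
        m = _LINE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts.timestamp(), m["src"], m["user"], m["result"]


def detect_spraying(log_text, window=WINDOW_SECONDS, min_accounts=MIN_ACCOUNTS):
    """Alerts (src, distinct_accounts, first_failure_ts) for each source that
    failed against at least min_accounts distinct users within the window.

    A sliding window of recent failures is kept per source, so a low-and-slow
    spray still trips once enough accounts accumulate inside the window.
    """
    recent = defaultdict(deque)        # src -> deque of (ts, user)
    alerted = set()
    alerts = []
    for ts, src, user, result in parse(log_text.splitlines()):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(users), q[0][0]))
    return alerts


def detect_brute_force(log_text, window=WINDOW_SECONDS, max_failures=MAX_ACCOUNTS if False else 5):
    """The complementary per-account check: many failures on one account."""
    recent = defaultdict(deque)        # user -> deque of ts
    flagged = []
    for ts, _src, user, result in parse(log_text.splitlines()):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and user not in flagged:
            flagged.append(user)
    return flagged
```

The spraying source in the sample fails once per account, so no account reaches a lockout threshold; only the cross-account view catches it. The brute-force source fails six times against bob and is caught by the per-account check, which is what account lockout enforces at login time.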

3.33 Re-authenticate users before critical operations
Scenario: Require users to re-authenticate before performing critical operations, so that an attacker who has only a stolen session (an unlocked workstation, a captured cookie) cannot carry them out.
Example: Users re-enter their credentials before changing the account's email address, password or MFA settings, or before a high-value transaction.

3.34 Implement Multi-Factor Authentication for sensitive accounts
Scenario: Use Multi-Factor Authentication (MFA) for highly sensitive or high-value transactional accounts, so that a compromised password alone is not enough to gain access.
Example: Administrative and high-value accounts are required to present a second factor to verify the user's identity.

3.35 Inspect third-party authentication code
Scenario: If using third-party code for authentication, inspect the code carefully to ensure it is not affected by any malicious code, pin the version you reviewed, and review changes when updating.
Example: Third-party authentication code is reviewed for vulnerabilities or malicious behaviour before adoption and again on each upgrade.

4. Session Management

"Session Management" is all about ensuring secure and well-controlled user sessions
within your application. It involves practices like using trusted session management
controls, setting appropriate timeout periods, disallowing concurrent logins, and
protecting session data from unauthorized access. The primary goal is to safeguard
user sessions from common threats like session hijacking or Cross-Site Request
Forgery (CSRF) by implementing robust session management practices. These
practices help maintain the integrity and security of user sessions while allowing for
smooth and secure interactions with your application.

4.1 Use server or framework session management
Scenario: Use the session management built into your web server or framework rather than a home-grown one, and configure the application to recognise only session identifiers it issued itself.
Example: In an Express.js application, use the maintained session middleware with a server-side store rather than writing your own cookie-based session handling.

4.2 Create session identifiers on a trusted system
Scenario: Generate session identifiers on the server, never on the client, so that a client cannot choose or predict its own identifier.
Example: When a user logs in, the server generates a fresh session ID and sends it to the browser in a cookie; an identifier the client proposes is ignored, which also prevents session fixation.

4.3 Use secure session algorithms
Scenario: Generate session identifiers with a cryptographically secure random number generator and enough entropy (at least 128 bits) that they cannot be predicted or brute-forced; never derive them from user data, the time or a counter.
Example: Instead of an incrementing number or a hash of the username, use a random 32-byte token from the platform's CSPRNG as the session identifier.

4.4 Set domain and path for cookies
Scenario: Limit where session cookies are sent by setting Path and, with care, Domain. Omitting the Domain attribute makes the cookie host-only, sent only to the exact host that set it, which is the most restrictive choice; setting Domain=example.com causes the cookie to be sent to every subdomain of example.com.
Example: For an application served from "app.example.com", omit the Domain attribute so the cookie is host-only and is not sent to other subdomains, and set Path to the application's root path.

4.5 Properly terminate sessions on logout
Scenario: Logout fully terminates the session on the server (invalidating the identifier and its data), not merely the cookie in the browser; a cookie deleted client-side is still valid if it was copied.
Example: When a user clicks "Logout," their session is invalidated on the server and they are redirected to the login page.

4.6 Accessible logout
Scenario: Provide a logout option on all pages protected by authorization, so users can easily end the session.
Example: Include a "Logout" link in the navigation menu on every page.

4.7 Session timeout
Scenario: Set the session inactivity timeout as short as the application's usage allows; the checklist's guidance is usually no more than several hours, and for sensitive applications minutes rather than hours. Pair it with an absolute timeout (4.8).
Example: Automatically log the user out after 15 minutes of inactivity.

4.8 Avoid persistent logins
Scenario: Do not allow users to stay logged in indefinitely. Enforce periodic session termination even while the session is active, so that a stolen session has a bounded lifetime.
Example: Prompt the user to re-enter their password after a set time, even if they are actively using the application.

4.9 Close old session on login
Scenario: If a user had a session before logging in (an anonymous session, or a previous user's session on a shared machine), close that session and create a new one after successful login.
Example: When a user logs in, any previous session becomes invalid.

4.10 Generate new session identifier on re-authentication
Scenario: Whenever a user re-authenticates (e.g., when changing their password or confirming a sensitive action), generate a new session identifier and invalidate the old one.
Example: When a user updates their password, their session ID changes.

4.11 No concurrent logins with the same user ID
Scenario: Prevent multiple simultaneous logins with the same user ID.
Example: If a user is already logged in and logs in again from a different device, the previous session is invalidated.

4.12 Hide session identifiers
Scenario: Do not expose session identifiers in URLs, error messages or logs; carry them only in the HTTP cookie header. Identifiers in URLs leak through browser history, bookmarks, proxy logs and the Referer header.
Example: Avoid displaying session IDs in the URL, such as "example.com?session=123."

4.13 Protect server-side session data
Scenario: Implement access controls on the server to prevent unauthorized access to session data by other users or processes on the server.
Example: Only the application's own server-side code can read or modify the session store.

4.14 Rotate session identifiers
Scenario: Periodically generate a new session identifier and deactivate the old one. This limits the usefulness of an identifier that was captured earlier.
Example: Every hour, generate a new session ID and invalidate the previous one.

4.15 Switch to HTTPS
Scenario: Generate a new session identifier if the connection security changes from HTTP to HTTPS, since an identifier issued over HTTP may already have been captured. Better still, never use HTTP at all: serve the whole application over HTTPS and enable HSTS, so that the question does not arise.
Example: If a session began over HTTP (for instance on a public landing page), the application issues a fresh identifier when the user reaches the HTTPS part of the site; an HTTPS-only application with HSTS avoids the HTTP session altogether.

4.16 Use strong tokens for sensitive operations
Scenario: For sensitive server-side actions (account management and anything else that changes state), require a strong random token or parameter tied to the session, to prevent Cross-Site Request Forgery (CSRF).
Example: When a user requests to change their password, the form carries a token bound to the session that the server verifies before acting.

4.17 Use strong tokens for critical operations
Scenario: For highly sensitive or critical operations, use per-request rather than per-session strong random tokens or parameters, so that a token captured once cannot be replayed.
Example: When processing a financial transaction, generate a unique single-use token for each step of the transaction.

4.18 Set "Secure" attribute for cookies
Scenario: Mark session cookies "Secure" so the browser sends them only over TLS (HTTPS) connections and never over plain HTTP, where they could be intercepted. Add the SameSite attribute as a further defence against CSRF.
Example: Cookies carrying session information are marked "Secure" and are transmitted only over HTTPS.

4.19 Use HttpOnly for cookies
Scenario: Set cookies with the HttpOnly attribute unless client-side scripts specifically need to read or set a cookie's value, which should never be the case for the session cookie.
Example: Use HttpOnly so that client-side scripts (including injected ones) cannot read cookies containing session information.
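Added example, not part of the original checklist, covering items 4.3, 4.4, 4.5, 4.7 to 4.11, 4.14 and 4.16 to 4.19 in one server-side session store. The timeout values, cookie name and fake clock are assumptions for this illustration; in production a framework's session middleware (4.1) should be used and configured to the same effect.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60       # 4.7
ABSOLUTE_TIMEOUT = 8 * 3600  # 4.8: end even active sessions eventually
ROTATE_AFTER = 3600          # 4.14
COOKIE_NAME = "SESSIONID"    # assumed name


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}      # sid -> dict; lives only on the server (4.13)
        self.clock = clock

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 4.3: 256 bits from the CSPRNG

    def _create(self, user):
        now = self.clock()
        sid = self._new_id()
        self._sessions[sid] = {
            "user": user, "created": now, "last_seen": now, "rotated": now,
            "csrf": secrets.token_urlsafe(32),   # 4.16: per-session token
            "one_time": set(),                   # 4.17: per-request tokens
        }
        return sid

    def login(self, user, old_sid=None):
        """Fresh identifier on authentication (4.9, 4.10) and no other live
        session for the same user (4.11)."""
        self.destroy(old_sid)
        for sid, s in list(self._sessions.items()):
            if s["user"] == user:
                self.destroy(sid)
        return self._create(user)

    def resolve(self, sid):
        """Validate a presented identifier. Returns (session, current_sid) or
        (None, None). After a rotation current_sid differs from sid and the
        caller must send the new cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return None, None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None, None
        s["last_seen"] = now
        if now - s["rotated"] > ROTATE_AFTER:
            new_sid = self._new_id()
            s["rotated"] = now
            self._sessions[new_sid] = self._sessions.pop(sid)
            sid = new_sid
        return s, sid

    def destroy(self, sid):
        """Logout invalidates the session on the server (4.5), not just the cookie."""
        self._sessions.pop(sid, None)

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def check_csrf(self, sid, token):
        s = self._sessions.get(sid)
        return s is not None and hmac.compare_digest(s["csrf"], token or "")

    def one_time_token(self, sid):
        """Per-request token for a critical operation (4.17); dies with the session."""
        token = secrets.token_urlsafe(32)
        self._sessions[sid]["one_time"].add(token)
        return token

    def consume_one_time_token(self, sid, token):
        s = self._sessions.get(sid)
        if s is None or token not in s["one_time"]:
            return False
        s["one_time"].discard(token)     # valid exactly once
        return True


def session_cookie_header(sid):
    """Set-Cookie value: Secure (4.18), HttpOnly (4.19), SameSite and Path set,
    Domain deliberately omitted so the cookie is host-only (4.4)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()
```

Two details are easy to miss: resolve() destroys an expired session rather than merely refusing it, so the identifier cannot come back to life, and rotation moves the server-side record to a new key instead of copying it, so the old identifier stops working at the same instant the new one starts.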

5. Access Control

"Access Control" is about ensuring that only authorized users can access specific parts
of your application. This section includes practices such as using trusted system
objects for authorization decisions, enforcing access controls on every request,
segregating privileged logic, and restricting access to files, resources, URLs, functions,
and data. The primary goal is to prevent unauthorized access to sensitive areas of your
application and data by implementing strong access control practices. These practices
help protect your application from security threats, ensuring that users can only access
what they are allowed to and that sensitive information remains secure.

5.1 Use only trusted system objects for access authorization
Scenario: Base access authorization decisions only on trusted system objects, such as the server-side session object, never on values the client supplies (a role field in a form, a cookie value, a hidden field).
Example: The user's identity and roles come from the server-side session record; an "isAdmin" parameter in the request is ignored.

5.2 Implement a single site-wide component for access authorization
Scenario: Use one site-wide component to check access authorization, including the libraries that call external authorization services, so that every decision goes through the same code path.
Example: Access to resources is controlled consistently through a central authorization component.

5.3 Secure failure of access controls
Scenario: Access controls fail securely: an error, exception or missing rule results in access being denied, never in an implicit allow.
Example: If a user is not authorized to access a resource, or the check itself fails, they cannot bypass the access control mechanism.

5.4 Deny all access if security configuration information is unavailable
Scenario: Deny all access if the application cannot access its security configuration information, ensuring that security settings are enforced even when configuration data is inaccessible.
Example: If the application is unable to access its security configuration (the policy file fails to load, the authorization service times out), it should default to denying access rather than treating a missing rule as permission.

5.5 Enforce authorization controls on every request
Scenario: Enforce authorization controls on every request, including those made by server-side scripts, "includes," and requests from rich client-side technologies such as AJAX (and, historically, Flash).
Example: Authorization checks should be consistently applied to all types of requests; an API endpoint called from JavaScript needs exactly the same check as the page that embeds it.

5.6 Segregate privileged logic from other application code
Scenario: Segregate privileged logic from other application code to prevent unauthorized access to sensitive operations.
Example: Critical functionality that requires elevated permissions should be isolated from regular application code, for instance in a separate module or service with its own authorization checks, so that a bug in ordinary request handling cannot reach it.

5.7 Restrict access to files and resources to authorized users
Scenario: Restrict access to files and resources, including those outside the application's control, to only authorized users.
Example: Only users with the appropriate permissions should be able to access files and resources; files served from outside the web root must pass through the same authorization check as application data.
5.8 Restrict access to protected URLs to authorized users
Scenario: Ensure that access to protected URLs is restricted to only authorized users.
Example: Users should be required to authenticate, and then be authorized, before accessing protected URLs; an unlinked or "hidden" URL is not a protected one.

5.9 Restrict access to protected functions to authorized users
Scenario: Restrict access to protected functions to only authorized users.
Example: Only users with proper permissions should be able to execute protected functions.

5.10 Restrict direct object references to authorized users
Scenario: Limit access to direct object references to only authorized users.
Example: Users should not be able to access objects directly if they are not authorized: when a request names a record by identifier (for example /invoices/1042), the server must verify that the requesting user may see that particular record, not merely that they are logged in.
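The decision logic behind 5.1 to 5.4 and 5.10, written out as an added example. This code is not part of the original checklist; the Session and Document types, the POLICY table and the action names are hypothetical stand-ins for an application's own session store and policy source.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


class AuthorizationError(Exception):
    """Every denied decision raises, so a caller cannot forget to check a flag."""


@dataclass(frozen=True)
class Session:
    # Identity and roles come from the server-side session store (5.1),
    # never from request parameters or cookies the client controls.
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str
    shared_with: FrozenSet[str] = field(default_factory=frozenset)


# Constructed policy for the example (hypothetical): action -> roles that may attempt it.
POLICY: Dict[str, FrozenSet[str]] = {
    "document:read": frozenset({"user", "admin"}),
    "document:delete": frozenset({"admin"}),
}


def _object_allowed(session: Session, action: str, doc: Document) -> bool:
    """Direct object reference check (5.10): passing the role gate is not
    enough; the caller must also be allowed to touch *this* document."""
    if "admin" in session.roles or doc.owner_id == session.user_id:
        return True
    return action == "document:read" and session.user_id in doc.shared_with


def authorize(session: Session, action: str, doc: Optional[Document] = None,
              policy: Optional[Dict[str, FrozenSet[str]]] = POLICY) -> None:
    """The single site-wide decision point (5.2). Raises on every denial.

    policy is None       -> configuration unavailable, deny everything (5.4)
    action not in policy -> no roles listed, deny (5.3: default deny)
    wrong object         -> deny even though the role matched (5.10)
    """
    if policy is None:
        raise AuthorizationError("security configuration unavailable; denying")
    if not (session.roles & policy.get(action, frozenset())):
        raise AuthorizationError(f"{session.user_id} has no role permitting {action}")
    if doc is not None and not _object_allowed(session, action, doc):
        raise AuthorizationError(
            f"{session.user_id} may not {action} document {doc.doc_id}")


def is_allowed(session: Session, action: str, doc: Optional[Document] = None,
               policy: Optional[Dict[str, FrozenSet[str]]] = POLICY) -> bool:
    """Boolean wrapper for call sites that only need yes/no."""
    try:
        authorize(session, action, doc, policy)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    alice = Session("alice", frozenset({"user"}))
    bob = Session("bob", frozenset({"user"}))
    private = Document(1, owner_id="alice")
    shared = Document(2, owner_id="alice", shared_with=frozenset({"bob"}))
    print(is_allowed(alice, "document:read", private))               # True
    print(is_allowed(bob, "document:read", private))                 # False: IDOR blocked
    print(is_allowed(bob, "document:read", shared))                  # True
    print(is_allowed(alice, "document:read", private, policy=None))  # False: fails closed
```

Every request handler calls authorize() and nothing else decides. The role gate and the object gate are separate steps because passing the first says nothing about the second; the policy=None path is the one a real deployment exercises when its policy file or authorization service is unreachable.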

5.11 Restrict access to services to authorized users
Scenario: Ensure that access to services is restricted to only authorized users.
Example: Services should not be accessible to unauthorized users.

5.12 Restrict access to application data to authorized users
Scenario: Limit access to application data to only authorized users.
Example: Users should have access only to the data they are authorized to see or modify.

5.13 Restrict access to user and data attributes to authorized users
Scenario: Restrict access to user and data attributes, and to policy information, to authorized users.
Example: User attributes and sensitive data should be restricted to authorized users.

5.14 Restrict access to security-relevant configuration information
Scenario: Limit access to security-relevant configuration information to authorized users.
Example: Configuration settings related to security should not be accessible to unauthorized users.
5.15 Ensure consistency between server-side and presentation-layer access control rules
Scenario: Ensure that the server-side implementation and the presentation-layer representation of access control rules match.
Example: Access control rules should be consistent between the server-side implementation and the presentation layer: a menu item hidden for a role must correspond to a server-side check that rejects the request, because hiding the link is not enforcement.

5.16 Use encryption and integrity checking for client-stored state data
Scenario: If state data must be stored on the client, use encryption and integrity checking on the server side to prevent tampering.
Example: State data stored on the client side should be encrypted and protected to prevent unauthorized modifications: the server verifies a keyed integrity check (an HMAC, or the tag of an authenticated-encryption mode) before trusting anything it reads back, and the key never leaves the server.
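An added example of the integrity half of 5.16 using only the Python standard library; it is not from the original checklist, and the key, the cart state and the timestamps are constructed. The state stays readable by the client, but any change invalidates the HMAC tag. If the state must also be confidential, wrap the same payload with an authenticated-encryption primitive (AES-GCM, or the cryptography package's Fernet) instead of a bare HMAC.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class TamperedState(Exception):
    """Raised for any token that is malformed, forged, modified or expired."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(state: Dict[str, Any], key: bytes, ttl_seconds: int,
         now: Optional[float] = None) -> str:
    """Return payload.tag where tag = HMAC-SHA256(key, payload).

    The key lives only on the server; the client can read the state but
    cannot change it without invalidating the tag."""
    now = time.time() if now is None else now
    payload = json.dumps({"s": state, "exp": int(now) + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def unseal(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Verify the tag before parsing anything; reject expired tokens."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        raise TamperedState("malformed token") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise TamperedState("integrity check failed")
    obj = json.loads(payload)
    if obj.get("exp", 0) < now:
        raise TamperedState("token expired")
    return obj["s"]


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        unseal(token, key, now)
        return True
    except TamperedState:
        return False


if __name__ == "__main__":
    key = b"replace-with-32-random-bytes-from-secrets.token_bytes"   # constructed
    tok = seal({"cart_total": 1000, "step": 2}, key, ttl_seconds=600, now=1_700_000_000)
    print(unseal(tok, key, now=1_700_000_100))   # {'cart_total': 1000, 'step': 2}
    # A client that rewrites the payload (cart_total -> 1) but keeps the old tag is rejected.
    forged = (seal({"cart_total": 1, "step": 2}, key, 600, now=1_700_000_000).split(".")[0]
              + "." + tok.split(".")[1])
    print(is_valid(forged, key, now=1_700_000_100))   # False
```

The expiry is inside the signed payload, so it cannot be extended by the client either; rotating the server key invalidates every outstanding token, which is the intended behaviour after a suspected key exposure.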

5.17 Enforce compliance with business rules in application logic flows
Scenario: Enforce application logic flows to comply with business rules, ensuring that application behavior aligns with business requirements.
Example: Application logic should adhere to business rules to maintain consistency and security; for example, a multi-step checkout must not let a client skip the payment step by requesting the confirmation step directly.

5.18 Limit the number of transactions per user or device
Scenario: Limit the number of transactions a single user or device can perform within a given period to deter automated attacks.
Example: Implement transaction limits to prevent abuse by automated systems or malicious users.
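An added example of a per-user-and-device sliding-window limit for 5.18. It is not part of the original checklist; the limit values and the subject key format are hypothetical.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


def subject_key(user_id: str, device_id: str) -> str:
    """Limit per (user, device): one stolen account driven from many devices
    and one device rotating through accounts both hit a ceiling."""
    return f"{user_id}|{device_id}"


class TransactionLimiter:
    """Sliding window: at most max_events per window_seconds per subject."""

    def __init__(self, max_events: int, window_seconds: float) -> None:
        self.max_events = max_events
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, subject: str, now: float) -> bool:
        """Record the attempt and return True if under the limit; otherwise
        return False and record nothing, so refusals do not extend the ban."""
        q = self._events[subject]
        cutoff = now - self.window
        while q and q[0] <= cutoff:          # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True

    def remaining(self, subject: str, now: float) -> int:
        q = self._events[subject]
        cutoff = now - self.window
        return self.max_events - sum(1 for t in q if t > cutoff)


if __name__ == "__main__":
    limiter = TransactionLimiter(max_events=3, window_seconds=60)
    subj = subject_key("alice", "device-7f3a")          # constructed identifiers
    print([limiter.allow(subj, t) for t in (0, 1, 2, 3)])   # [True, True, True, False]
    print(limiter.allow(subj, 61))                           # True: oldest entries expired
```

The in-memory deque is enough for a single process. With several application servers the counters must live in a shared store (a database, or Redis with atomic increments), or each instance grants its own full quota and the limit is multiplied by the number of instances.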

5.19 Use the "referer" header as a supplemental check
Scenario: Use the "referer" header as a supplemental check, but not as the sole authorization check, as it can be set to any value by a non-browser client and is routinely stripped by privacy settings.
Example: The "referer" header can be used as an additional security measure but should not be the only means of authorization.
5.20 Periodically re-validate user authorization
Scenario: If long authenticated sessions are allowed, periodically re-validate a user's authorization to ensure their privileges have not changed. Log the user out and force re-authentication if necessary.
Example: Users with long sessions should have their authorization periodically re-validated to ensure that their privileges have not changed.

5.21 Implement account auditing and disabling of unused accounts
Scenario: Implement account auditing and enforce the disabling of unused accounts, such as after 30 days from the expiration of an account's password.
Example: Accounts that are not actively used should be disabled or removed to maintain security.

5.22 Support disabling of accounts and session termination
Scenario: The application must support disabling of accounts and terminating sessions when authorization ceases, such as on changes to roles, employment status, or business processes.
Example: Accounts and sessions should be disabled when users no longer have authorization, such as when they change roles or leave the organization.
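An added example tying 5.20, 5.21 and 5.22 together. It is not original checklist code; the Account and Session records, the 300-second interval and the plain dictionaries standing in for the user directory and session store are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple

REVALIDATE_AFTER = 300.0   # seconds between re-checks; hypothetical policy value


@dataclass(frozen=True)
class Account:
    user_id: str
    roles: FrozenSet[str]
    disabled: bool = False


@dataclass(frozen=True)
class Session:
    session_id: str
    user_id: str
    roles: FrozenSet[str]          # snapshot taken at login
    last_revalidated: float        # epoch seconds


Directory = Dict[str, Account]     # the authoritative user store
SessionStore = Dict[str, Session]


def revalidate(session: Session, directory: Directory,
               now: float) -> Tuple[Optional[Session], str]:
    """Re-check a long-lived session against the user store (5.20).

    Returns (refreshed_session, "ok"), or (None, reason) when the caller must
    log the user out and require a fresh login."""
    if now - session.last_revalidated < REVALIDATE_AFTER:
        return session, "ok"
    account = directory.get(session.user_id)
    if account is None or account.disabled:
        return None, "account disabled or removed"
    if account.roles != session.roles:
        # Privileges changed since login. Do not silently upgrade or downgrade
        # the live session; force re-authentication so the new roles are
        # established by a fresh login.
        return None, "privileges changed"
    return replace(session, last_revalidated=now), "ok"


def disable_account(user_id: str, directory: Directory, sessions: SessionStore) -> int:
    """Disable the account and terminate every session it owns (5.21, 5.22).
    Returns the number of sessions terminated."""
    directory[user_id] = replace(directory[user_id], disabled=True)
    doomed = [sid for sid, s in sessions.items() if s.user_id == user_id]
    for sid in doomed:
        del sessions[sid]
    return len(doomed)


if __name__ == "__main__":
    directory: Directory = {"alice": Account("alice", frozenset({"user"}))}
    session = Session("sid1", "alice", frozenset({"user"}), last_revalidated=1000.0)
    print(revalidate(session, directory, now=1100.0)[1])   # ok (interval not reached)
    directory["alice"] = Account("alice", frozenset({"user", "admin"}))
    print(revalidate(session, directory, now=1400.0)[1])   # privileges changed
```

The check runs on the request path, not on a timer, so a dormant session is re-validated the moment it is used again; disable_account is what the HR-driven or administrative "authorization ceases" event calls.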

5.23 Assign least privilege to service accounts
Scenario: Service accounts, and accounts used for connections to external systems, should have the least privilege necessary.
Example: Service accounts should have only the permissions required for their specific tasks.

5.24 Create an Access Control Policy to document access criteria
Scenario: Create an Access Control Policy to document an application's business rules, data types, and access authorization criteria or processes to ensure proper access provisioning and control.
Example: An Access Control Policy should outline the access requirements for data and system resources, defining who can access what and under what conditions.
6. Cryptographic Practices

The "Cryptographic Practices" section in your Secure Coding Practices checklist revolves around securing data and secrets through proper cryptographic techniques. It includes practices like implementing cryptographic functions on trusted systems, safeguarding master secrets, and ensuring cryptographic modules meet recognized standards like FIPS 140-3. The primary goal is to protect sensitive information by applying sound cryptographic principles, such as generating secure random values and effectively managing cryptographic keys. These practices help guard against data breaches and unauthorized access to confidential data, enhancing the overall security of your application.

No Test Case Scenario Example

6.1 Implement cryptographic functions on a trusted system
Scenario: All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system, such as the server.
Example: Cryptographic operations should be performed on a trusted server rather than on the client side: anything computed in the browser runs with its key material in the user's hands, so it cannot protect secrets from that user.

6.2 Protect master secrets from unauthorized access
Scenario: Protect master secrets used in cryptographic operations from unauthorized access, ensuring they are not exposed to potential attackers.
Example: Sensitive cryptographic keys and master secrets should be securely stored (in a secrets manager, HSM or OS key store rather than in source code or configuration files checked into version control) and protected against unauthorized access.

6.3 Ensure cryptographic modules fail securely
Scenario: Cryptographic modules should fail securely to prevent potential security vulnerabilities in case of errors or attacks.
Example: Cryptographic modules should be designed to handle errors or attacks in a way that doesn't compromise security; a failed decryption or signature check must be reported as a failure, never as success with empty or partial output.
6.4 Use approved random number generators for un-guessable values
Scenario: All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module's approved random number generator when these random values are intended to be un-guessable.
Example: To create unpredictable random values, use approved cryptographic random number generators rather than standard random functions; general-purpose PRNGs such as Mersenne Twister are reproducible from their seed or from a modest number of observed outputs.
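An added example for 6.4 contrasting Python's CSPRNG-backed secrets module with the general-purpose random module. It is not from the original checklist; the alphabet, lengths and file suffix are this example's own choices.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def unguessable_token(nbytes: int = 32) -> str:
    """Session or password-reset token: 256 bits from the OS CSPRNG, URL-safe text."""
    return secrets.token_urlsafe(nbytes)


def unguessable_filename(suffix: str = ".upload") -> str:
    """Temporary file name that cannot be predicted or enumerated."""
    return secrets.token_hex(16) + suffix


def unguessable_code(length: int = 8) -> str:
    """Short human-typed code (e.g. one-time verification), each character drawn uniformly."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def verify_token(submitted: str, expected: str) -> bool:
    """Constant-time comparison so response timing does not leak how many
    leading characters of a guess were right."""
    return secrets.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


def guessable_code(length: int = 8, seed: int = 0) -> str:
    """What NOT to do. random.Random is a Mersenne Twister: anyone who learns
    the seed (or about 624 consecutive outputs) reproduces every value."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(unguessable_token())                                     # differs on every call
    print(unguessable_filename())
    print(guessable_code(seed=1234) == guessable_code(seed=1234))  # True: fully reproducible
```

The same rule applies to identifiers used as capabilities (download links, invitation codes, "unguessable" GUIDs): if a value grants access, it has to come from the CSPRNG, and it has to be compared in constant time.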

6.5 Comply with cryptographic standards
Scenario: Cryptographic modules used by the application should be compliant with standards such as FIPS 140-3 or an equivalent standard.
Example: Cryptographic modules should meet established security standards to ensure their reliability and security.

6.6 Implement key management policies and processes
Scenario: Establish and utilize a policy and process for how cryptographic keys will be managed to maintain the security and integrity of cryptographic operations.
Example: Clearly defined policies and processes for managing cryptographic keys should be in place to ensure their proper use and security, covering generation, storage, distribution, rotation, and destruction.
7. Error Handling and Logging

"Error Handling and Logging" is essential for maintaining the security and integrity of your application. This section includes practices like not revealing sensitive information in error responses, implementing custom error pages, and securely handling errors, as well as logging important security events and failures. The primary goal is to enhance application security by carefully managing how errors are handled and logged. Proper error handling helps prevent attackers from exploiting vulnerabilities and allows you to monitor and analyze security events effectively to detect and respond to potential threats.

No Test Case Scenario Example

7.1 Do not disclose sensitive information in error responses
Scenario: Error responses should not reveal sensitive information like system details, session identifiers, or account information.
Example: Instead of displaying detailed error messages that could expose sensitive information, provide a generic error message like "An error occurred, please try again later."

7.2 Use error handlers that do not display debugging or stack trace information
Scenario: Error handlers should be configured not to reveal debugging or stack trace information to potential attackers.
Example: Avoid showing stack trace information in error messages, as it can provide insights into the application's internal workings; record it server-side instead.

7.3 Implement generic error messages and use custom error pages
Scenario: Use custom error pages with generic error messages to prevent leaking sensitive information to users or attackers.
Example: Instead of displaying specific error messages, show custom error pages with general messages like "Page not found" or "Server error."
7.4 Handle application errors without relying on server configuration
Scenario: The application should handle its errors independently without relying solely on server configuration.
Example: Implement custom error handling logic within the application to manage and respond to errors effectively, so that a misconfigured or replaced web server does not silently re-expose default error pages.

7.5 Free allocated memory properly when error conditions occur
Scenario: Ensure that allocated memory is correctly freed when error conditions occur to prevent memory leaks.
Example: When an error is detected, release memory resources that were allocated to avoid memory leaks; in languages with manual memory management every early-return path needs its own cleanup, or a single cleanup label that all error paths jump to.

7.6 Security controls in error handling logic should deny access by default
Scenario: Error handling logic associated with security controls should deny access by default to avoid potential security vulnerabilities.
Example: Configure security controls to deny access by default when encountering errors or unexpected conditions.
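An added example of a handler wrapper that implements 7.1 to 7.3 and 7.6 together. It is not part of the original checklist; the handlers, the permission lookup and the error strings are constructed for the illustration.

```python
import logging
import traceback
import uuid
from typing import Any, Callable, Dict

log = logging.getLogger("app.errors")

Request = Dict[str, Any]
Response = Dict[str, Any]


class AccessDenied(Exception):
    """Expected, policy-driven denial; safe to report to the client as 403."""


def check_permission(user: str, permission: str,
                     lookup: Callable[[str, str], bool]) -> bool:
    """Security decisions in error paths deny by default (7.6): anything other
    than an explicit True, including an exception from the lookup, is a no."""
    try:
        return lookup(user, permission) is True
    except Exception as exc:      # backing store down, timeout, malformed data ...
        log.warning("permission lookup failed for %s/%s: %s", user, permission, exc)
        return False


def handle(handler: Callable[[Request], Response], request: Request) -> Response:
    """Run a handler and turn every failure into a safe, generic response (7.1 to 7.3)."""
    try:
        return handler(request)
    except AccessDenied:
        return {"status": 403, "body": "Forbidden"}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full detail, including the stack trace, goes only to the server log (7.2).
        log.error("unhandled exception ref=%s path=%s\n%s",
                  ref, request.get("path"), traceback.format_exc())
        # The user sees a generic message plus a reference they can quote to support.
        return {"status": 500,
                "body": f"An error occurred, please try again later. (ref {ref})"}


def delete_user_handler(request: Request) -> Response:
    """Constructed handler whose permission store is down; that must read as 'denied'."""
    def broken_lookup(user: str, permission: str) -> bool:
        raise ConnectionError("db password hunter2 rejected by 10.0.0.5")   # constructed
    if not check_permission(request["user"], "user:delete", broken_lookup):
        raise AccessDenied()
    return {"status": 200, "body": "deleted"}


def leaky_handler(request: Request) -> Response:
    raise RuntimeError("ORA-00942 at /srv/app/db.py line 42")   # constructed internal detail


if __name__ == "__main__":
    print(handle(delete_user_handler, {"user": "mallory", "path": "/users/1"}))  # 403
    print(handle(leaky_handler, {"path": "/report"}))   # 500, generic body, no ORA- text
```

The reference ID is the bridge between the two audiences: the user gets something quotable, the operator greps the server log for it and finds the full trace.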

7.7 Implement logging controls on a trusted system
Scenario: All logging controls should be implemented on a trusted system, such as the server.
Example: Ensure that log entries are generated and stored on a secure and trusted system to prevent tampering or unauthorized access.

7.8 Support logging for both success and failure of specified security events
Scenario: Logging controls should record both successful and failed security events for comprehensive security monitoring.
Example: Log successful security events, like user authentication, along with failed events for a complete audit trail.
7.9 Ensure logs contain important log event data
Scenario: Log entries should contain essential event data to help in diagnosing and understanding security incidents.
Example: Include relevant information such as timestamps, user identities, source addresses, the event type, and its outcome in log entries.

7.10 Prevent log entries with un-trusted data from executing as code
Scenario: Ensure that log entries containing untrusted data cannot execute as code in log viewing interfaces or software.
Example: Implement proper encoding or escaping to prevent log entries with user input from being interpreted as executable code or as forged log lines: at minimum neutralize carriage returns and line feeds, and encode for the viewer (HTML for a web console) before display.

7.11 Restrict access to logs to authorized individuals
Scenario: Only authorized personnel should have access to logs, ensuring the confidentiality and integrity of log data.
Example: Control access to log files and systems containing logs to limit viewing privileges to authorized users.

7.12 Utilize a master routine for all logging operations
Scenario: Implement a centralized routine for all logging operations to maintain consistency and reliability.
Example: Use a common function or routine for logging across the application to ensure uniformity and simplify maintenance.

7.13 Do not store sensitive information in logs
Scenario: Avoid storing sensitive information like system details, session identifiers, or passwords in log entries.
Example: Ensure that logs do not contain sensitive data that could be exploited if the logs were accessed by unauthorized parties.
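An added example of the single logging routine called for in 7.12, carrying the fields of 7.9, the escaping of 7.10 and the redaction of 7.13. It is not from the original checklist; the field names, the SENSITIVE_KEYS set and the injected username are constructed.

```python
import time
from typing import Any, List, Optional

SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "session_id",
                  "authorization", "cookie"}   # hypothetical redaction list


def _escape(value: str) -> str:
    """Neutralise CR, LF, quotes and other control characters so untrusted
    input cannot start a forged log line or drive a terminal or log viewer."""
    out: List[str] = []
    for ch in value:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in '"\\':
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_event(event: str, outcome: str, user: str, source_ip: str,
                 when: Optional[float] = None, **fields: Any) -> str:
    """One line per event with fixed leading fields (7.9); every value is
    quoted and escaped (7.10); known secret-bearing keys are redacted (7.13)."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ",
                       time.gmtime(time.time() if when is None else when))
    parts = [f"ts={ts}", f'event="{_escape(event)}"', f'outcome="{_escape(outcome)}"',
             f'user="{_escape(user)}"', f'src="{_escape(source_ip)}"']
    for key, value in sorted(fields.items()):
        shown = "[REDACTED]" if key.lower() in SENSITIVE_KEYS else _escape(str(value))
        parts.append(f'{_escape(key)}="{shown}"')
    return " ".join(parts)


class SecurityLog:
    """The one routine every module calls (7.12). The sink is whatever the
    deployment uses: a file, syslog, or a forwarder to the SIEM."""

    def __init__(self, sink: List[str]) -> None:
        self.sink = sink

    def record(self, event: str, outcome: str, user: str, source_ip: str,
               when: Optional[float] = None, **fields: Any) -> str:
        line = format_event(event, outcome, user, source_ip, when, **fields)
        self.sink.append(line)
        return line


if __name__ == "__main__":
    # Constructed attack: a "username" that tries to append a fake successful admin login.
    injected = 'bob" outcome="success\n2024-01-01T00:00:00Z event="login" outcome="success" user="admin'
    print(format_event("login", "failure", injected, "203.0.113.7",
                       password="hunter2", reason="bad password"))
```

Because every value is quoted and escaped, the injected line feed survives only as the two characters backslash-n, and the attempted second record stays inside the user field where an analyst will see it for what it is.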

7.14 Ensure mechanisms exist for log analysis
Scenario: Implement mechanisms to conduct log analysis and monitoring of security events to detect anomalies or potential threats.
Example: Use log analysis tools and processes to regularly review and monitor log entries for security events.

7.15 Log all input validation failures
Scenario: Record log entries for input validation failures to track and investigate potential security issues.
Example: Capture instances where input data fails validation checks, which may indicate probing or attack attempts.

7.16 Log all authentication attempts, especially failures
Scenario: Record log entries for authentication attempts, particularly failures, to monitor potential unauthorized access attempts.
Example: Keep a record of all authentication attempts, with a focus on failed attempts, to detect and respond to potential security threats.

7.17 Log all access control failures
Scenario: Record log entries for access control failures to monitor and address unauthorized access attempts.
Example: Record each request that the access control check rejects (a user asking for an action or object they are not authorized for); a cluster of such denials is the typical trace of someone enumerating identifiers or probing for privilege escalation.

7.18 Log all apparent tampering events, including unexpected changes to state data
Scenario: Log events that indicate potential tampering or unexpected changes to the application's state data.
Example: Monitor and log suspicious events, like unauthorized changes to data or configuration settings, or client-supplied state whose integrity check fails.
7.19 Log attempts to connect with invalid or expired session tokens
Scenario: Record log entries for attempts to connect with invalid or expired session tokens to detect potential session-related security threats.
Example: Capture and investigate any attempts to use session tokens that are no longer valid or have been tampered with.

7.20 Log all system exceptions
Scenario: Record log entries for system exceptions to identify and troubleshoot potential issues.
Example: Capture and investigate system exceptions that may indicate problems within the application.

7.21 Log all administrative functions, including changes to security configuration settings
Scenario: Document log entries for administrative functions, especially changes to security configuration settings.
Example: Maintain an audit trail of administrative actions, especially those related to security settings, for accountability and monitoring purposes.

7.22 Log backend TLS connection failures
Scenario: Record log entries for backend TLS (Transport Layer Security) connection failures to detect potential security issues with secure communication.
Example: Monitor and log any failures in secure connections between components of the application, including certificate validation failures, since these are what an interception attempt looks like from the inside.

7.23 Log cryptographic module failures
Scenario: Document log entries for cryptographic module failures to identify and respond to potential cryptographic issues.
Example: Capture events indicating failures or issues related to cryptographic modules used by the application.
7.24 Use cryptographic hash functions to validate log entry integrity
Scenario: Employ cryptographic hash functions to verify the integrity of log entries and detect tampering.
Example: Use hash functions to create checksums of log entries and validate their integrity during log analysis. A plain hash stored beside the entry can simply be recomputed by whoever edits the log, so use a keyed hash (HMAC) with a key the log host does not hold, chain each entry's value into the next so that deletions are visible, and anchor the latest value on a separate system so that truncation is visible too.
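An added example of the keyed, chained scheme described for 7.24. It is not original checklist code; the key and the log entries are constructed.

```python
import hashlib
import hmac
from typing import Any, Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32   # previous-tag value for the first entry


class SealedLog:
    """Append-only log in which each entry's tag covers the previous tag, so a
    change or removal anywhere breaks every tag that follows it."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict[str, Any]] = []
        self._prev = GENESIS

    def append(self, entry: str) -> str:
        tag = hmac.new(self._key, self._prev + entry.encode("utf-8"), hashlib.sha256).digest()
        self.records.append({"seq": len(self.records), "entry": entry, "tag": tag.hex()})
        self._prev = tag
        return tag.hex()      # latest tag: ship it off-host as the anchor


def verify_chain(records: List[Dict[str, Any]], key: bytes,
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad record). With an externally stored
    anchor (the last known tag), truncation of the tail is detected as well."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, i
        expect = hmac.new(key, prev + rec["entry"].encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(rec["tag"])):
            return False, i
        prev = expect
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return False, len(records)
    return True, None


if __name__ == "__main__":
    key = b"audit-key-held-by-the-log-collector-not-the-web-host"   # constructed
    sealed = SealedLog(key)
    for text in ["login user=alice outcome=success",
                 "role-change user=bob new=admin",
                 "logout user=alice"]:
        last = sealed.append(text)
    tampered = [dict(r) for r in sealed.records]
    tampered[1]["entry"] = "role-change user=bob new=user"
    print(verify_chain(sealed.records, key))              # (True, None)
    print(verify_chain(tampered, key))                    # (False, 1)
    print(verify_chain(sealed.records[:2], key))          # (True, None): chain alone misses tail loss
    print(verify_chain(sealed.records[:2], key, last))    # (False, 2): anchor catches it
```

The two verify calls on the truncated copy show why the anchor matters: dropping the newest entries leaves a perfectly valid shorter chain, and only a value stored somewhere the log host cannot reach reveals that entries are missing.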

8. Data Protection

"Data Protection" is crucial for securing sensitive information within your application. This section involves practices like implementing the principle of least privilege, encrypting sensitive data, protecting cached or temporary files, and safeguarding server-side source code. The primary goal is to ensure the confidentiality and integrity of data, preventing unauthorized access or data leaks. Effective data protection practices, like encryption and access controls, help keep sensitive information safe from threats and unauthorized disclosure, ultimately enhancing the security of your application.

No Test Case Scenario Example

8.1 Implement least privilege, restrict users to only the required functionality, data, and system information
Scenario: Restrict users to only the functionality, data, and system information necessary for them to perform their tasks.
Example: Users in a healthcare application should only have access to the patient records they are authorized to view and not the entire database.

8.2 Protect cached or temporary copies of sensitive data on the server from unauthorized access and purge them when no longer needed
Scenario: Ensure that cached or temporary copies of sensitive data are protected from unauthorized access, and delete them as soon as they are no longer required.
Example: Delete cached copies of sensitive user data after the user logs out or when the data is no longer needed for processing.

8.3 Encrypt highly sensitive stored information, like authentication verification data, even on the server side
Scenario: Use strong encryption for highly sensitive stored information, such as authentication verification data, even on the server.
Example: Passwords are the special case: store them as salted, slow, one-way hashes (bcrypt, scrypt, Argon2 or PBKDF2) rather than encrypting them, because the server never needs the plaintext back. Verification data that must be recoverable, such as TOTP seeds or API keys to downstream systems, is encrypted with a key held outside the database.
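An added example for the password half of 8.3. It is not from the original checklist and uses PBKDF2-HMAC from the standard library because it needs no third-party package; bcrypt, scrypt and Argon2 (via their libraries) are the stronger production choices since they also cost memory. The record format and iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000      # current OWASP guidance for PBKDF2-HMAC-SHA256; raise over time
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2$<alg>$<iterations>$<salt>$<hash>.

    A fresh random salt per password means equal passwords get different
    records and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return "pbkdf2$%s$%d$%s$%s" % (ALGORITHM, iterations,
                                   base64.b64encode(salt).decode("ascii"),
                                   base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record; compare in constant time.
    Any malformed record is a failed login, never an exception to the caller."""
    try:
        scheme, alg, iters, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        calc = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"), salt, int(iters), len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(calc, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record uses weaker parameters than current policy; call
    right after a successful login, while the plaintext is still in hand."""
    parts = stored.split("$")
    try:
        return (len(parts) != 5 or parts[0] != "pbkdf2" or parts[1] != ALGORITHM
                or int(parts[2]) < ITERATIONS)
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record[:40] + "...")
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
    print(needs_rehash(record))                                       # False
```

Storing the parameters inside the record is what makes needs_rehash possible: when the iteration count is raised, existing users are migrated transparently at their next login instead of by a forced reset.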

8.4 Protect server-side source code from being downloaded by a user
Scenario: Ensure that server-side source code is protected from being downloaded by users.
Example: Use appropriate access controls and server configurations to prevent users from accessing server-side source code, including backup and editor files (.bak, .orig, .swp) and version-control directories (.git) left inside the web root.

8.5 Do not store passwords, connection strings, or other sensitive information in clear text or insecure formats on the client side
Scenario: Avoid storing sensitive information like passwords or connection strings in clear text or insecure formats on the client side, such as MS ViewState, Adobe Flash, or compiled code.
Example: Store sensitive information in a secure manner using encryption and secure storage practices; anything shipped to the client, including encoded or compiled artifacts, should be assumed readable by the user.

8.6 Remove comments in user-accessible production code that may reveal sensitive information
Scenario: Remove comments in user-accessible production code that could reveal backend systems or sensitive information.
Example: Delete comments in the code that contain details about the application's architecture or system configurations.

8.7 Remove unnecessary application and system documentation that could reveal information to attackers
Scenario: Remove any unnecessary documentation from the application and system that may reveal useful information to potential attackers.
Example: Avoid publishing documentation that provides insights into the application's internal workings or configurations.
8.8 Do not include sensitive information in HTTP GET request parameters
Scenario: Avoid sending sensitive information in HTTP GET request parameters as it may be exposed in URLs, browser history, proxy and server logs, and the referer header.
Example: Instead of sending sensitive parameters in a URL, use HTTP POST requests or other secure methods.

8.9 Disable auto-complete features on forms with sensitive information, including authentication
Scenario: Disable auto-complete features on forms that may contain sensitive information, including login and authentication forms.
Example: Prevent browsers from automatically filling in sensitive data, such as usernames and passwords, by setting autocomplete="off" on the form or field. Note that current browsers and password managers deliberately ignore this attribute on login fields, so treat it as a hint for shared-machine scenarios rather than as a control you can rely on.

8.10 Disable client-side caching on pages with sensitive information
Scenario: Disable client-side caching on pages containing sensitive information to prevent data from being stored locally.
Example: Set appropriate HTTP headers like "Cache-Control: no-store" to instruct browsers not to cache sensitive pages.

8.11 Support the removal of sensitive data when no longer required
Scenario: Implement functionality to delete sensitive data when it is no longer needed, such as personal information or certain financial data.
Example: Allow users to request the removal of their personal data from the application when it's no longer necessary.
8.12 Implement access controls for sensitive data stored on the server, including cached data, temporary files, and data accessible only by specific users
Scenario: Ensure that sensitive data stored on the server, including cached data and temporary files, is protected by appropriate access controls.
Example: Implement access controls to restrict access to cached data and temporary files to only specific system users or roles.
9. Communication Security

"Communication Security" is all about safeguarding data as it travels between different components of your application and external systems. This section includes practices like implementing encryption for sensitive information transmission, ensuring valid and up-to-date TLS certificates, and preventing insecure fallback from failed TLS connections. The main goal is to protect data while it's in transit, ensuring that it remains confidential and integral during communication. Strong communication security practices, like TLS encryption and correct certificate management, help prevent eavesdropping and tampering with sensitive information, ultimately enhancing your application's overall security.

No Test Case Scenario Example

9.1 Implement encryption for the transmission of all sensitive information, including TLS for protecting the connection
Scenario: Ensure that all sensitive information is transmitted using encryption, such as TLS (Transport Layer Security), to protect the data during transmission.
Example: When a user logs into an online banking application, their username and password are transmitted securely using TLS to prevent eavesdropping.

9.2 Ensure TLS certificates are valid, have the correct domain name, are not expired, and are installed with intermediate certificates when required
Scenario: Validate that TLS certificates used for securing connections are valid, have the correct domain name, are not expired, and include intermediate certificates when necessary.
Example: An e-commerce website's TLS certificate should have the correct domain name, should not be expired, and should be served together with all required intermediate certificates so that clients can build a chain to a trusted root. A missing intermediate often goes unnoticed in browsers, which may fetch it themselves, but breaks strict clients such as command-line tools, libraries and mobile apps.
9.3 Prevent failed TLS connections from falling back to an insecure connection
Scenario: Ensure that when a TLS connection fails, it does not fall back to an insecure or unencrypted connection, which could expose sensitive data.
Example: If a client fails to establish a TLS connection, it should not proceed with an unencrypted connection, and it should not retry with certificate verification turned off; it should display an error message instead.
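An added example of a client-side TLS context for 9.2, 9.3 and 9.6. It is not from the original checklist. connect_or_fail needs network access and is not exercised offline; describe() exposes the settings an audit checks on the shared context.

```python
import socket
import ssl
from typing import Dict, Optional


def strict_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """One context for the whole application (9.6).

    create_default_context() already loads the platform trust store, requires
    a certificate (CERT_REQUIRED) and checks the hostname against it; the only
    addition here is a floor on the protocol version."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The settings an audit should see on every outbound client context."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def connect_or_fail(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None,
                    timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the negotiated version.

    A verification failure raises. There is deliberately no retry with
    verify_mode=CERT_NONE, no 'check_hostname = False', and no plaintext
    fallback (9.3). If the server omits an intermediate certificate the chain
    cannot be built and this fails too (9.2): the fix belongs on the server."""
    ctx = ctx or strict_tls_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() or "unknown"
    except ssl.SSLCertVerificationError as exc:
        raise ConnectionError(
            f"certificate verification failed for {host}: {exc.verify_message}") from None


if __name__ == "__main__":
    print(describe(strict_tls_context()))
    # {'check_hostname': True, 'verify_mode': 'CERT_REQUIRED', 'minimum_version': 'TLSv1_2'}
```

The anti-pattern this guards against is the "quick fix" of setting check_hostname to False and verify_mode to CERT_NONE when a backend call starts failing on a certificate error; that turns the failure in 7.22 into a silent downgrade and is exactly what an interception attempt relies on.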

9.4 Use TLS connections for all content requiring authenticated access and other sensitive information
Scenario: Utilize TLS (or its equivalent) for securing connections to any content that requires authenticated access or any other sensitive information.
Example: When users access their email accounts, the connection should use TLS to protect the login credentials and email contents from interception.

9.5 Use TLS for connections to external systems involving sensitive information or functions
Scenario: Employ TLS for securing connections to external systems that deal with sensitive information or critical functions.
Example: When an application communicates with a third-party payment gateway to process financial transactions, it should use TLS to protect the data in transit.

9.6 Use a single standard TLS implementation that is configured appropriately
Scenario: Implement a consistent and standard TLS configuration throughout the application to ensure proper and secure encryption.
Example: Ensure that the application uses a well-established TLS implementation with appropriate configuration (current protocol versions, certificate and hostname verification enabled) shared by every component, rather than each client library carrying its own ad hoc settings.
9.7 Specify character encodings for all connections
Scenario: Specify character encodings for all data transmitted over connections to avoid character encoding issues that can lead to security vulnerabilities.
Example: When transmitting data between a web server and a database, specify UTF-8 character encoding on both ends so that the validation and escaping performed by one side is interpreted the same way by the other.

9.8 Filter parameters containing sensitive information from the HTTP referer when linking to external sites
Scenario: Exclude parameters containing sensitive information from the HTTP referer header when linking to external websites to prevent data leakage.
Example: When a user clicks on an external link from an e-commerce website, the referer header should not include sensitive parameters like session tokens or personal data. Keep such values out of URLs altogether (8.8), and set a Referrer-Policy header (for example strict-origin-when-cross-origin or no-referrer) so that browsers send at most the origin to other sites.
10. System Configuration

"System Configuration" is crucial for maintaining a secure environment for your application. This section includes practices like keeping servers and components up-to-date, minimizing privileges, removing unnecessary functionality, and securing HTTP methods. The main goal is to configure your systems in a way that minimizes vulnerabilities and protects against common attack vectors. Effective system configuration practices ensure that your application operates in a secure and robust environment, reducing the risk of security incidents and unauthorized access.

No Test Case Scenario Example

10.1 Ensure servers, frameworks, and system components are running the latest approved version
Scenario: Regularly check and update servers, frameworks, and system components to the latest approved versions to mitigate vulnerabilities.
Example: An organization should regularly update its web server software to the latest approved version to patch known security vulnerabilities.

10.2 Ensure servers, frameworks, and system components have all patches issued for the version in use
Scenario: Apply all security patches and updates issued for the specific version of servers, frameworks, and system components in use to address known vulnerabilities.
Example: After deploying a web application using a specific framework version, apply all available patches and updates released for that version to keep it secure.

10.3 Turn off directory listings
Scenario: Disable directory listings to prevent exposing sensitive information about the web server's directory structure to potential attackers.
Example: When a web server receives a request for a directory that doesn't contain a default document (e.g., index.html), it should return a "403 Forbidden" (or "404 Not Found") response instead of listing the directory's contents.
10.4 Restrict the web server, process, and service accounts to the least privileges possible
Scenario: Limit the permissions and access rights of web server, process, and service accounts to only what is necessary to perform their functions, reducing the risk of unauthorized access.
Example: A web server process should run as a dedicated unprivileged user, with read access only to the directories and resources required for serving web pages, and should not have write access to its own code or to sensitive files.

10.5 When exceptions occur, fail securely
Scenario: Implement error handling routines that ensure the application fails securely when exceptions or errors occur, preventing the exposure of sensitive information.
Example: If a web application encounters an unexpected exception, it should handle it gracefully by displaying a user-friendly error message instead of revealing technical details or sensitive data.

10.6 Remove all unnecessary functionality and files
Scenario: Eliminate any features, functions, or files that are not essential for the application's operation, reducing the attack surface.
Example: An e-commerce website should remove any unused or unnecessary features, such as old product listings or deprecated functions, before deployment.

10.7 Remove test code or any functionality not intended for production, prior to deployment
Scenario: Ensure that test code or features not intended for production use are removed from the application before it is deployed.
Example: Any test-related functionality in the application's codebase (debug endpoints, test accounts, feature flags that bypass checks) should be excluded from the production release, preventing unintended exposure or vulnerabilities.
10.8 Prevent disclosure of your directory structure in the robots.txt file
Scenario: Avoid exposing directory structures by placing directories not intended for public indexing under one isolated parent directory and disallowing that entire parent directory in the robots.txt file, rather than listing each sensitive path individually.
Example: If a website has directories containing configuration files or other sensitive data, these directories should be placed within a parent directory that is disallowed in the robots.txt file to prevent search engine indexing. robots.txt is public and advisory only: a list of disallowed paths is a map for attackers, and it provides no access control, which must still come from the server configuration.

10.9 Define which HTTP methods (GET or POST) the application will support and whether they will be handled differently
Scenario: Clearly specify which HTTP methods (e.g., GET or POST) the application supports and whether they are handled differently on different pages.
Example: In a RESTful web service, define which HTTP methods are allowed for each endpoint, indicating whether a particular endpoint supports only GET requests or both GET and POST requests, and reject everything else with 405 Method Not Allowed.

10.10 Disable unnecessary HTTP methods, such as WebDAV extensions
Scenario: Deactivate any unnecessary HTTP methods, especially extensions like WebDAV, and only use well-vetted authentication mechanisms if they are required.
Example: If a web application doesn't require the WebDAV HTTP extension for file management, it should disable those methods (PROPFIND, PUT, DELETE, MKCOL, and so on) to reduce potential security risks.
10.11 Ensure the web server handles HTTP 1.0 and 1.1 in a similar manner or understands any differences
Scenario: Ensure that the web server is configured to handle both HTTP 1.0 and 1.1 consistently or understands any distinctions between the two versions.
Example: If a web server accepts both HTTP 1.0 and HTTP 1.1 requests, it should process them in a consistent manner, for instance by applying the same host-based routing and the same cache-control behaviour to both, to prevent vulnerabilities that depend on version-specific handling.

10.12 Remove unnecessary information from HTTP response headers related to the OS, web server version, and application frameworks
Scenario: Minimize the information revealed in HTTP response headers to avoid disclosing details about the server's operating system, web server version, or application frameworks.
Example: HTTP response headers should not expose server details, such as "Server: Apache/2.4.29 (Unix) PHP/7.2.15" or "X-Powered-By: Express."

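Added example (not part of the original checklist or of any product it names) showing 10.9, 10.10 and 10.12 together as a small WSGI middleware: a per-route allow-list of HTTP methods, WebDAV verbs and TRACE refused on every route, and platform-revealing response headers stripped before they leave the application. The route table, the inner application and its header values are assumptions constructed for illustration; the middleware shape is standard WSGI.

```python
"""HTTP method allow-list and response-header hygiene as a WSGI middleware.

Constructed example: the route table, the inner application and the header
values are assumptions for illustration, not a real project's configuration.
"""

# 10.9: per-route allow-list of HTTP methods. Anything not listed is refused.
ALLOWED_METHODS = {
    "/api/items": {"GET", "POST"},
    "/api/items/1": {"GET"},
    "/health": {"GET"},
}

# 10.10: methods the application never needs. WebDAV verbs and TRACE are
# refused everywhere, regardless of the route table.
DISABLED_METHODS = {"TRACE", "TRACK", "PROPFIND", "PROPPATCH", "MKCOL",
                    "COPY", "MOVE", "LOCK", "UNLOCK"}

# 10.12: response headers that disclose platform details. Compared in lower
# case because header names are case-insensitive.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def inner_app(environ, start_response):
    """Stand-in backend that, like many frameworks, volunteers version headers."""
    headers = [
        ("Content-Type", "text/plain"),
        ("Server", "ExampleServer/1.0 (Unix) ExampleLang/7.2"),  # constructed value
        ("X-Powered-By", "ExampleFramework"),                    # constructed value
    ]
    start_response("200 OK", headers)
    return [b"ok"]


def harden(app):
    """Wrap a WSGI app: enforce the method allow-list and strip leaky headers."""

    def wrapper(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        path = environ.get("PATH_INFO", "")
        allowed = ALLOWED_METHODS.get(path)

        if allowed is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]

        # HEAD is answered wherever GET is; every other method must be listed.
        effective = "GET" if method == "HEAD" else method
        if method in DISABLED_METHODS or effective not in allowed:
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(allowed))),
                ("Content-Type", "text/plain"),
            ])
            return [b"method not allowed"]

        def filtered_start_response(status, headers, exc_info=None):
            clean = [(k, v) for k, v in headers if k.lower() not in LEAKY_HEADERS]
            return start_response(status, clean, exc_info)

        return app(environ, filtered_start_response)

    return wrapper


def call(app, method, path):
    """Drive a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = harden(inner_app)
    for method, path in [("GET", "/api/items"), ("PROPFIND", "/api/items"),
                         ("DELETE", "/api/items/1"), ("GET", "/missing")]:
        status, headers, _ = call(app, method, path)
        print(f"{method:8} {path:14} -> {status}  headers={headers}")
```

Stripping headers in the application only covers what the application emits; a front-end web server or proxy adds its own Server header, so the same check belongs in its configuration and in a response-header review of the deployed system.
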
10.13 The security configuration store for the application should be output in human-readable form to support auditing
Scenario: Ensure that the security configuration settings of the application can be displayed in a human-readable format to facilitate auditing and review.
Example: A web application's security settings should be documented in a way that allows auditors to easily understand the configurations for verification.

10.14 Implement an asset management system and register system components and software
Scenario: Establish an asset management system to catalog and register all system components and software to monitor and maintain them efficiently.
Example: An organization should use an asset management system to keep an inventory of all servers, network devices, software, and hardware components used in the infrastructure.

10.15 Isolate development environments from the production network and provide access only to authorized development and test groups
Scenario: Segregate development environments from the production network, restricting access to authorized development and test groups.
Example: Development and testing environments should be isolated from the live production network to minimize potential security risks and unauthorized access.

10.16 Implement a software change control system to manage and record changes to the code
Scenario: Employ a software change control system to oversee and document changes made to the code, both in development and production.
Example: Any modifications or updates to the application's source code should be documented in a change control system, including details like who made the change, when it was made, and why.

11. Database Security

"Database Security" is essential for ensuring the confidentiality and integrity of your
application's data. This section includes practices like using strongly typed
parameterized queries, input validation, and output encoding to prevent SQL injection
attacks. It also emphasizes the importance of utilizing secure credentials for database
access, storing connection strings securely, and minimizing privileges when interacting
with the database. The primary goal is to protect your database from unauthorized
access and data breaches, ensuring that sensitive information remains secure and
confidential. Effective database security practices help safeguard your application's
most critical asset – its data.

No Test Case Scenario Example

11.1 Use strongly typed parameterized queries
Scenario: Employ parameterized queries with strongly typed parameters to interact with the database, preventing SQL injection attacks.
Example: When querying a database for user authentication, use parameterized queries with strongly typed parameters like integers or strings to avoid SQL injection.

11.2 Utilize input validation and output encoding and be sure to address meta characters. If these fail, do not run the database command
Scenario: Apply input validation and output encoding to sanitize data, ensuring that meta characters are addressed to protect against security vulnerabilities. If validation fails, reject the database command.
Example: When processing user-generated input for a search query, validate the input and ensure that it doesn't contain any unescaped meta characters such as single quotes. If validation fails, reject the query.

11.3 Ensure that variables are strongly typed
Scenario: Ensure that variables used in database operations are strongly typed to prevent type-related vulnerabilities.
Example: When passing variables to a database query, ensure that their data types match the expected data types in the database schema to avoid type conversion issues or unexpected behavior.

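Added example covering 11.1, 11.2 and 11.3 together (it is not part of the original checklist and is not any product's code). It uses Python's standard sqlite3 module and an in-memory database; the schema, the rows and the probe input are constructed for illustration. The string-built query is kept only so the effect of a single quote in the input can be seen next to the bound-parameter version.

```python
"""Parameterized, strongly typed database access beside the string-building it replaces.

Added example using Python's standard sqlite3 module; the schema, the rows and
the probe input are constructed for illustration, not taken from any real system.
"""
import sqlite3


def make_db():
    """In-memory database holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: the caller's text becomes part of the SQL statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, username):
    """11.1: the value travels as a bound parameter, never as query text.

    A quote or keyword inside username cannot change the statement's structure;
    it is compared as data against the column.
    """
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def find_user_safe(conn, username):
    """11.2 and 11.3 on top of 11.1: check the type and shape, reject on failure."""
    if not isinstance(username, str):
        raise TypeError("username must be a str")
    if not (1 <= len(username) <= 64) or not username.isalnum():
        raise ValueError("username must be 1-64 alphanumeric characters")
    return find_user_param(conn, username)


def find_user_by_id(conn, user_id):
    """Strongly typed parameter: only a genuine int is accepted, never a string."""
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    if user_id <= 0:
        raise ValueError("user_id must be positive")
    row = conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)).fetchone()
    return None if row is None else {"username": row[0], "role": row[1]}


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote and an OR clause
    print("string-built query:", find_user_unsafe(conn, probe))  # every row comes back
    print("bound parameter:   ", find_user_param(conn, probe))   # [] - no such name
    try:
        find_user_safe(conn, probe)
    except ValueError as exc:
        print("validation rejected it:", exc)
    print("by id:", find_user_by_id(conn, 1))
    conn.close()   # 11.8: release the connection as soon as it is no longer needed
```

The validation in find_user_safe is a second, independent layer: the bound parameter alone already keeps the probe out of the query structure, and the type and length checks keep nonsense values from reaching the database at all.
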
11.4 The application should use the lowest possible level of privilege when accessing the database
Scenario: Limit the privileges granted to the application when interacting with the database to minimize the potential impact of security breaches.
Example: When connecting to the database, use a database user account with the minimum necessary privileges to perform the required operations, rather than a superuser account.

11.5 Use secure credentials for database access
Scenario: Implement strong and secure credentials when connecting to the database to protect against unauthorized access.
Example: Use complex and unique passwords for database user accounts, and consider implementing multi-factor authentication for added security.

11.6 Connection strings should not be hard coded within the application. Connection strings should be stored in a separate configuration file on a trusted system and they should be encrypted.
Scenario: Avoid hardcoding database connection strings in the application code. Store connection strings in a separate, encrypted configuration file on a trusted system.
Example: Instead of directly embedding database connection strings in the code, store them in an encrypted configuration file external to the application for better security.

11.7 Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
Scenario: Utilize stored procedures to access data, providing an abstraction layer and enabling the removal of permissions to base tables.
Example: Implement stored procedures in the database to abstract data access, ensuring that applications interact with the data through these procedures.

11.8 Close the connection as soon as possible
Scenario: Close the database connection as soon as it is no longer needed to reduce the risk of unauthorized access or data exposure.
Example: After executing a database query, promptly close the database connection to minimize the window of opportunity for potential attackers.

11.9 Remove or change all default database administrative passwords. Utilize strong passwords/phrases or implement multi-factor authentication
Scenario: Eliminate or update default administrative passwords for the database, replacing them with strong passwords or implementing multi-factor authentication for added security.
Example: When deploying a new database, change the default administrative passwords to strong, unique passwords, or implement multi-factor authentication to enhance access security.

11.10 Turn off all unnecessary database functionality (e.g., unnecessary stored procedures or services, utility packages, install only the minimum set of features and options required)
Scenario: Disable unnecessary database functionality and features, such as stored procedures or services, to reduce the attack surface.
Example: When configuring a database server, only enable the features and options required for the application's functionality, turning off or uninstalling unnecessary components.

11.11 Remove unnecessary default vendor content (e.g., sample schemas)
Scenario: Eliminate unnecessary default content provided by the database vendor, such as sample schemas or data, which can pose security risks.
Example: After installing a database system, remove sample schemas, tables, or data provided by the vendor, as they might contain security vulnerabilities or unnecessary data.

11.12 Disable any default accounts that are not required to support business requirements
Scenario: Deactivate or disable any default user accounts that are not needed to fulfill business requirements.
Example: If the database system includes default user accounts that are not essential for the application's functionality, disable or remove them to reduce potential security risks.

11.13 The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators)
Scenario: Use distinct credentials for database connections based on trust levels, such as separate credentials for regular users, read-only access, guests, and administrators, to limit privileges as necessary.
Example: Implement role-based database access, providing different user roles with unique credentials and access rights to match their trust levels, ensuring that administrators have more privileges than regular users.

12. File Management

"File Management" is all about handling files securely within your application. This
section includes practices like not passing user-supplied data directly to dynamic
include functions, authenticating file uploads, validating file types, and avoiding saving
files in the same web context as the application. The primary goal is to prevent
malicious file uploads, limit access to files, and ensure that files are handled safely to
avoid security vulnerabilities. Effective file management practices help maintain the
integrity and security of your application's file system and protect it from potential
threats.

No Test Case Scenario Example

12.1 Do not pass user supplied data directly to any dynamic include function
Scenario: Avoid directly passing user-supplied data to dynamic include functions to prevent code execution vulnerabilities.
Example: Instead of using user input to dynamically include a file, use a predefined and validated list of files to include.

12.2 Require authentication before allowing a file to be uploaded
Scenario: Ensure that users are authenticated before they are allowed to upload files to the application to prevent unauthorized file uploads.
Example: Only authenticated users should have the privilege to upload files.

12.3 Limit the type of files that can be uploaded to only those types that are needed for business purposes
Scenario: Allow only specific types of files to be uploaded that are relevant to the application's business requirements.
Example: If your application only requires image uploads, restrict file uploads to image file types (e.g., JPEG, PNG) and reject other file types.

12.4 Validate uploaded files are the expected type by checking file headers. Checking for file type by extension alone is not sufficient
Scenario: Verify the file type of uploaded files by examining their headers to ensure they match the expected format, as relying solely on file extensions is insufficient.
Example: When processing an uploaded file, check its header information to confirm its actual format rather than solely relying on the file extension provided by the user.

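Added example for 12.3 and 12.4 (not part of the original checklist): an upload check that accepts only an allow-list of image extensions and then confirms the file's leading bytes carry the signature of that same format, so a file whose name ends in .png but whose content is script text is rejected. The extension table, the size limit and the sample byte strings are constructed; the PNG, JPEG and GIF signatures are the documented ones for those formats.

```python
"""Upload validation by file header (magic bytes), not by extension alone.

Added example; the allow-list, the size limit and the sample byte strings are
constructed for illustration.
"""
import os

# 12.3: only the types the business needs; here, image formats only.
ALLOWED_EXTENSIONS = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}

# 12.4: leading bytes that identify the real format.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit


def sniff_type(data):
    """Return the MIME type whose signature the data starts with, or None."""
    head = data[:16]
    for mime, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(filename, data):
    """Return (ok, reason_or_type). Extension and content must agree."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Use only the base name; a client-supplied path must never reach the filesystem.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff_type(data)
    if actual is None:
        return False, "unrecognised file header"
    if actual != expected:
        return False, f"content is {actual}, extension says {expected}"
    return True, actual


if __name__ == "__main__":
    samples = {                                                  # all constructed
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "script.php.png": b"<?php echo 'x'; ?>",
        "pic.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "notes.txt": b"plain text",
        "uploads/x.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    }
    for name, blob in samples.items():
        print(f"{name:16} -> {validate_upload(name, blob)}")
```

A signature check proves only that the file starts like the claimed format; a full decode with an image library, and the scanning called for in 12.14, are the next layers, and the accepted file should still be stored outside the web root as 12.5 and 12.7 require.
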
12.5 Do not save files in the same web context as the application. Files should either go to the content server or in the database.
Scenario: Store uploaded files in a location separate from the web application's context to avoid security risks. Uploaded files should be placed in a content server or database.
Example: Store uploaded files in a directory outside the web server's root directory to prevent direct access from the web.

12.6 Prevent or restrict the uploading of any file that may be interpre ted by the web server.
Scenario: Avoid uploading files that can be interpreted as code by the web server, as this may introduce security vulnerabilities.
Example: Do not allow users to upload files like PHP, HTML, or JavaScript files that could be executed by the server.

12.7 Turn off execution privileges on file upload directories
Scenario: Disable execution privileges on directories where files are uploaded to prevent the execution of uploaded files.
Example: Modify directory permissions to prevent any uploaded files from being executed by the web server.

12.8 Implement safe uploading in UNIX by mounting the targeted file directory as a logical drive using the associated path or the chrooted environment
Scenario: Secure file uploading in UNIX environments by mounting the target directory as a logical drive or using the chrooted environment to isolate the uploaded files.
Example: When dealing with file uploads on UNIX systems, ensure that the uploaded files are placed in an isolated directory or chroot environment to enhance security.

12.9 When referencing existing files, use a white list of allowed file names and types. Validate the value of the parameter being passed and if it does not match one of the expected values, either reject it or use a hard coded default file value for the content instead
Scenario: Employ a white list of permitted file names and types when referencing existing files, validating the parameters being passed. If an unexpected value is encountered, reject it or use a predefined default value.
Example: When referencing files provided by users or external sources, validate the file names and types against a predefined white list, and only allow those that match the expected values.

12.10 Do not pass user supplied data into a dynamic redirect. If this must be allowed, then the redirect should accept only validated, relative path URLs
Scenario: Avoid passing user-supplied data into dynamic redirects. If necessary, ensure that the redirect accepts only validated, relative path URLs to prevent open redirect vulnerabilities.
Example: If your application allows dynamic redirects, ensure that the redirect URLs are either predefined and validated or accept only relative path URLs, reducing the risk of open redirect attacks.

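Added example for 12.10 (not from the original checklist): a validator that reduces a user-supplied "return to" value to a site-relative path or falls back to a fixed default. It uses Python's standard urllib.parse; the default landing page and the candidate values in the demo are constructed. The checks it applies go slightly beyond the row's wording by also rejecting control characters, backslashes and protocol-relative forms, all of which browsers resolve to somewhere other than a path on the current site.

```python
"""Validating a user-supplied redirect target down to a relative path.

Added example; the default landing page and the sample targets are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"  # constructed: where to send the user when the value fails


def safe_redirect_target(target, default=DEFAULT_TARGET):
    """Return target only if it is a validated, site-relative path; else default."""
    if not isinstance(target, str) or not target:
        return default
    # Control characters would split headers; backslashes are treated as "/"
    # by browsers, so "/\host" is read as "//host".
    if any(ord(c) < 0x20 or c == "\x7f" for c in target) or "\\" in target:
        return default
    # Protocol-relative forms ("//host", "///host") resolve to another origin.
    if target.startswith("//"):
        return default
    parts = urlsplit(target)
    # Any scheme or authority means an absolute URL, whatever the scheme is.
    if parts.scheme or parts.netloc:
        return default
    # Only absolute paths on this site; "account" would be resolved against the
    # current URL, which is ambiguous.
    if not parts.path.startswith("/"):
        return default
    # Rebuild from the parsed parts so only path and query survive.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/account?tab=1", "/docs/a#top", "//other.example",
                      "///other.example", "https://other.example/",
                      "mailto:someone@example.test", "account",
                      "/\\other.example", "/x\r\nSet-Cookie:a=b", ""]:
        print(f"{candidate!r:30} -> {safe_redirect_target(candidate)!r}")
```

When the set of legitimate destinations is small, the row's first option is simpler still: map a short token to a fixed path, as the index approach in 12.11 does for files, and never parse the user's value as a URL at all.
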
12.11 Do not pass directory or file paths, use index values mapped to pre-defined list of paths
Scenario: Avoid passing directory or file paths as user input, and instead, use index values associated with a predefined list of paths to enhance security.
Example: When handling user input for file or directory paths, use predefined index values to reference specific paths rather than directly accepting arbitrary paths provided by users.

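Added example for 12.9 and 12.11 together (not part of the original checklist): a page is selected by a numeric index that is looked up in a fixed table, and a document is selected by a name that must appear in an allow-list or is replaced by the hard-coded default the row describes. The content root, the index table and the allow-list are constructed; the containment check at the end is an extra safeguard that confirms the resolved path still lies under the content root.

```python
"""Referencing files by index or allow-list instead of by client-supplied path.

Added example; the content directory layout, the index table and the default
file are constructed for illustration.
"""
import os

# 12.11: the client sends an index, never a path. This table is the only place
# paths are written, so nothing the client sends is ever joined into one.
CONTENT_ROOT = "/srv/app/content"  # constructed location
PAGES_BY_INDEX = {
    1: "pages/home.html",
    2: "pages/about.html",
    3: "pages/contact.html",
}

# 12.9: allow-list of file names a "name" parameter may select, plus a
# hard-coded default used when the value is not recognised.
ALLOWED_NAMES = {"terms.txt", "privacy.txt", "faq.txt"}
DEFAULT_NAME = "faq.txt"


def page_path_from_index(raw_index):
    """Resolve an index parameter to a path, or None if it is not a known index."""
    try:
        idx = int(str(raw_index).strip())
    except ValueError:
        return None
    rel = PAGES_BY_INDEX.get(idx)
    return None if rel is None else os.path.join(CONTENT_ROOT, rel)


def document_path_from_name(raw_name):
    """Resolve a name parameter against the allow-list; fall back to the default."""
    name = raw_name if raw_name in ALLOWED_NAMES else DEFAULT_NAME
    return os.path.join(CONTENT_ROOT, "docs", name)


def is_within_root(path, root=CONTENT_ROOT):
    """Defence in depth: confirm the normalised path is still under the root.

    With index and allow-list lookups this can never fail, which is the point:
    it turns a future mistake in the tables above into a loud failure.
    """
    root_norm = os.path.normpath(root)
    path_norm = os.path.normpath(path)
    return os.path.commonpath([root_norm, path_norm]) == root_norm


if __name__ == "__main__":
    for raw in ["2", " 3 ", "7", "../outside.html", "1; DROP"]:
        print(f"index {raw!r:18} -> {page_path_from_index(raw)}")
    for raw in ["privacy.txt", "../outside.txt", ""]:
        print(f"name  {raw!r:18} -> {document_path_from_name(raw)}")
```

Because the client never supplies a path fragment, there is no path to sanitise; the only user-controlled decisions are "which row of the table" and "is this exact name on the list". The response to the client should carry the index or name, never the resolved path, which is what 12.12 asks for.
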
12.12 Never send the absolute file path to the client
Scenario: Avoid disclosing absolute file paths to clients, as this information can potentially be exploited by attackers.
Example: When returning file paths or URLs to the client, ensure that they are relative paths and do not reveal the absolute file system structure of the server.

12.13 Ensure application files and resources are read-only
Scenario: Set appropriate file permissions to make application files and resources read-only, preventing unauthorized modification.
Example: Configure file permissions on application files and resources to disallow write access, ensuring their integrity and preventing tampering.

12.14 Scan user uploaded files for viruses and malware
Scenario: Implement virus and malware scanning for files uploaded by users to prevent malicious content from entering the application.
Example: When users upload files, automatically scan the files for viruses and malware to safeguard the application and its users from potential threats.

13. Memory Management

"Memory Management" involves handling memory securely in your application. This


section emphasizes practices like input and output control for untrusted data,
checking buffer sizes to prevent buffer overflows, and avoiding known vulnerable
functions. The goal is to ensure that your application efficiently manages memory,
mitigates memory-related vulnerabilities, and avoids potential security risks associated
with memory handling. Proper memory management contributes to the overall
security and reliability of your software.

No Test Case Scenario Example

13.1 Utilize input and output control for un-trusted data
Scenario: Employ input and output controls to manage data from untrusted sources, ensuring that the data is processed safely and securely.
Example: When accepting user input, apply input controls such as input validation to validate and sanitize the data before using it in the application. Similarly, use output controls like output encoding to prevent data from being executed as code when displayed to users.

13.2 Double check that the buffer is as large as specified
Scenario: Verify that buffer sizes match the expected size to prevent buffer overflows and memory corruption vulnerabilities.
Example: When using functions that copy data into a buffer, double-check that the destination buffer is of the specified size and that it can accommodate the data to be copied.

13.3 When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string
Scenario: Exercise caution when using functions like strncpy() and understand that if the destination buffer size is the same as the source buffer size, the string may not be NULL-terminated, which can lead to unexpected behavior.
Example: When using strncpy(), be aware of its behavior and make sure to manually NULL-terminate the string if necessary to avoid issues with string manipulation.

13.4 Check buffer boundaries if calling the function in a loop and make sure there is no danger of writing past the allocated space
Scenario: Ensure that buffer boundaries are validated when calling functions in loops, preventing potential buffer overflows and data corruption.
Example: When using functions in loops that copy data into buffers, always check and control the loop's iteration to avoid writing data past the allocated buffer space.

13.5 Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions
Scenario: Limit the length of input strings to a reasonable size before using copy and concatenation functions to prevent buffer overflows.
Example: Before using copy or concatenation functions, truncate input strings to a predefined reasonable length to ensure they fit within the buffer's allocated space.

13.6 Specifically close resources, don’t rely on garbage collection. (e.g., connection objects, file handles, etc.)
Scenario: Explicitly close resources such as connection objects and file handles instead of relying on garbage collection to ensure timely resource deallocation.
Example: When managing resources like database connections or file handles, always use explicit methods to close these resources once they are no longer needed to avoid resource leaks.

13.7 Use non-executable stacks when available
Scenario: Employ non-executable stacks when possible to enhance security and prevent stack-based vulnerabilities.
Example: If your operating system or platform supports non-executable stacks, enable this feature to reduce the risk of stack-based buffer overflow attacks.

13.8 Avoid the use of known vulnerable functions (e.g., printf, strcat, strcpy etc.)
Scenario: Steer clear of using functions that are known to be vulnerable to security issues, such as printf, strcat, and strcpy.
Example: Instead of using functions like printf, strcat, or strcpy, opt for safer alternatives that do not exhibit known vulnerabilities, such as printf-safe functions or string manipulation functions with boundary checks.

13.9 Properly free allocated memory upon the completion of functions and at all exit points
Scenario: Ensure that dynamically allocated memory is correctly deallocated at the end of functions and at all exit points to prevent memory leaks.
Example: When allocating memory dynamically (e.g., with malloc), always include code to release (free) the allocated memory in the function's exit paths to avoid memory leaks.

14. General Coding Practices

"General Coding Practices" encompass a set of guidelines for writing secure and
reliable code. These practices encourage the use of approved managed code,
task-specific APIs, and explicit variable initialization. They also emphasize avoiding
direct interaction with the operating system and preventing concurrent access issues
in multi-threaded applications. Additionally, the checklist promotes safe calculation
handling, secure privilege management, and safeguarding against code injection and
unsafe code alterations. Following these practices helps ensure that your code is
robust, secure, and free from common vulnerabilities.

No Test Case Scenario Example

14.1 Use tested and approved managed code rather than creating new unmanaged code for common tasks
Scenario: Prefer using well-tested managed code libraries and APIs for common tasks over developing custom unmanaged code.
Example: Instead of implementing custom unmanaged code for file I/O operations, use a widely accepted managed code library or API like .NET's File class for safe and efficient file operations.

14.2 Utilize task-specific built-in APIs to conduct operating system tasks. Do not allow the application to issue commands directly to the Operating System, especially through the use of application-initiated command shells
Scenario: Employ built-in APIs specific to the task at hand to perform operating system-related actions. Avoid allowing the application to execute commands directly on the OS, especially through command shells initiated by the application.
Example: When interacting with the operating system, use APIs like System.Diagnostics.Process in C# to manage and execute external processes instead of invoking shell commands through the application.

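Added example for 14.2 (not from the original checklist): the same external program launched once through a shell command line and once through the process API with an argument list. The "external program" is the Python interpreter printing its first argument, chosen so the example runs anywhere; the sample input is constructed. Python's subprocess module plays the role the row gives to System.Diagnostics.Process.

```python
"""Running an external program through the process API instead of a shell string.

Added example; the helper program (the interpreter printing its first argument)
and the sample user input are constructed for illustration.
"""
import subprocess
import sys

# The "tool" is the current interpreter printing argv[1], so the example runs anywhere.
PRINT_ARG = "import sys; print(sys.argv[1])"


def run_via_shell(user_value):
    """Pattern 14.2 warns against: user text is spliced into a line a shell parses.

    Shell metacharacters in user_value (";", "|", "$(...)") are interpreted by
    the shell, so the user controls what runs, not just what is printed.
    """
    cmd = f'"{sys.executable}" -c "{PRINT_ARG}" {user_value}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_via_api(user_value):
    """Process API with an argv list and no shell: user_value is exactly one argument."""
    if "\x00" in user_value:               # NUL cannot be passed in argv at all
        raise ValueError("argument contains NUL")
    result = subprocess.run(
        [sys.executable, "-c", PRINT_ARG, user_value],
        shell=False, capture_output=True, text=True, timeout=10, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    value = "hello; echo INJECTED"   # constructed input containing a shell metacharacter
    print("shell string ->", repr(run_via_shell(value)))  # shell runs a second command
    print("argv list    ->", repr(run_via_api(value)))    # one line, printed verbatim
```

With the argv form there is nothing to escape: the string is handed to the child process as a single argument, whatever characters it contains. What remains is deciding whether the program should be launched at all and what values of the argument are acceptable, which is ordinary input validation.
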
14.3 Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
Scenario: Verify the integrity of interpreted code, libraries, executables, and configuration files using checksums or cryptographic hashes to detect unauthorized modifications.
Example: Before loading a dynamically linked library, verify its integrity by comparing its hash value with a precomputed hash to ensure it has not been tampered with.

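Added example for 14.3 (not part of the original checklist): a manifest of precomputed SHA-256 digests is built while the file tree is trusted, and each file is re-hashed and compared before it is used. Only Python's standard library is used; the file names, their contents and the temporary directory are constructed for the demonstration.

```python
"""Verifying files against a manifest of precomputed SHA-256 digests before use.

Added example using only the standard library; the file contents, the manifest
and the temporary directory are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(base_dir, relative_paths):
    """Record the expected digest of each file at a moment the tree is trusted."""
    return {rel: sha256_file(os.path.join(base_dir, rel)) for rel in relative_paths}


def verify_manifest(base_dir, manifest):
    """Return {relative_path: bool}; a missing file counts as a failure.

    compare_digest keeps the comparison time independent of where the
    digests first differ.
    """
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            results[rel] = False
            continue
        results[rel] = hmac.compare_digest(sha256_file(path), expected)
    return results


def load_if_intact(base_dir, manifest, rel):
    """Gate the load on a passing check; return the file's text or None."""
    if rel not in manifest or not verify_manifest(base_dir, {rel: manifest[rel]})[rel]:
        return None
    with open(os.path.join(base_dir, rel), "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Build a trusted tree, then alter one file. Returns (before, after, loaded)."""
    with tempfile.TemporaryDirectory() as base:
        files = {"plugins/report.py": "def run():\n    return 'report'\n",
                 "config/settings.ini": "[app]\ndebug = false\n"}
        for rel, text in files.items():
            os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
            with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        manifest = build_manifest(base, files)
        before = verify_manifest(base, manifest)
        with open(os.path.join(base, "config/settings.ini"), "a", encoding="utf-8") as fh:
            fh.write("debug = true\n")   # a modification the manifest did not record
        after = verify_manifest(base, manifest)
        loaded = load_if_intact(base, manifest, "config/settings.ini")
        return before, after, loaded


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own storage: keep it on a trusted system, read-only to the application (12.13), or sign it, which is the step 14.12 adds for code delivered over a network.
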
14.4 Utilize locking to prevent multiple simultaneous requests or use a synchronization mechanism to prevent race conditions
Scenario: Employ locking mechanisms to prevent multiple simultaneous requests or utilize synchronization to avoid race conditions in multi-threaded applications.
Example: When managing shared resources, use locks or synchronization primitives such as mutexes to ensure that only one thread can access the shared resource at a time, preventing concurrent access issues.

14.5 Protect shared variables and resources from inappropriate concurrent access
Scenario: Safeguard shared variables and resources to prevent inappropriate concurrent access that could lead to data corruption or inconsistency.
Example: Protect shared data structures in a multi-threaded application by using proper locking mechanisms to ensure that multiple threads do not access or modify the data simultaneously.

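Added example for 14.4 and 14.5 (not from the original checklist): a shared balance with a "check, then subtract" withdrawal, run by many threads with and without a lock. The account, the amounts and the thread count are constructed; the short sleep only widens the window between the check and the update so the race shows up reliably, it does not create it.

```python
"""A check-then-act race on a shared balance, and the lock that removes it.

Added example; the account balance, thread count and timing are constructed.
"""
import threading
import time


class Account:
    """Shared resource: a balance that must never go negative."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unlocked(self, amount):
        # Two threads can both pass the check before either subtracts.
        if self.balance >= amount:
            time.sleep(0.001)          # widens the window; the race exists without it
            self.balance -= amount
            return True
        return False

    def withdraw_locked(self, amount):
        # The check and the update are one unit: no other thread can observe
        # the balance between them.
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.001)
                self.balance -= amount
                return True
            return False


def run_concurrent(method, amount, threads):
    """Start `threads` workers that each attempt one withdrawal; return the success count."""
    successes = []
    successes_lock = threading.Lock()   # the result list is shared too

    def worker():
        if method(amount):
            with successes_lock:
                successes.append(1)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return len(successes)


def demo(threads=20, balance=50, amount=10):
    """Returns ((successes, final balance) without lock, (successes, final balance) with lock)."""
    unsafe = Account(balance)
    unsafe_result = (run_concurrent(unsafe.withdraw_unlocked, amount, threads), unsafe.balance)
    safe = Account(balance)
    safe_result = (run_concurrent(safe.withdraw_locked, amount, threads), safe.balance)
    return unsafe_result, safe_result


if __name__ == "__main__":
    unsafe, safe = demo()
    print("without lock: successes=%d final balance=%d" % unsafe)   # balance can go negative
    print("with lock:    successes=%d final balance=%d" % safe)     # always 5 and 0
```

The locked version's result is fixed: exactly five withdrawals of 10 succeed from a balance of 50 and the balance ends at 0. The unlocked version's result depends on scheduling, which is the defining symptom of a race; the same pattern applies to any shared store, including a database row read and then updated in two separate statements.
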
14.6 Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage
Scenario: Ensure that all variables and data stores are explicitly initialized either during declaration or right before their first usage to prevent the use of uninitialized or unpredictable values.
Example: Initialize variables with appropriate default values during declaration or initialize them just before their first use. For instance, initialize an integer variable with zero (0) to avoid using uninitialized data.

14.7 In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible
Scenario: If the application needs to run with elevated privileges, elevate those privileges only when necessary and reduce them to the least privilege level as soon as they are no longer needed.
Example: If your application requires elevated privileges to perform a specific task, raise those privileges only when executing that task, and promptly lower the privileges once the task is completed.

14.8 Avoid calculation errors by understanding your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation
Scenario: Prevent calculation errors by having a deep understanding of your programming language's numeric representation and how it handles various numeric operations and data types. Pay attention to issues like precision, signed/unsigned distinctions, byte size limitations, type conversion, and handling extreme values.
Example: When performing mathematical calculations in a programming language, be aware of issues like integer overflow, floating-point precision, and type conversion. Always ensure that numeric operations are consistent with your expectations and the language's behavior.

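Added example for 14.8 (not from the original checklist) in Python, where integers are unbounded, so the byte-size and overflow issues the row lists appear at the boundary with fixed-width storage: a guarded conversion to a signed 32-bit field, the wrap-around an unguarded store would produce, money handled as Decimal cents rather than float, and the float and not-a-number facts the guards are built around. The field width and the sample values are constructed.

```python
"""Numeric edge cases named in 14.8, and a guarded conversion for fixed-width fields.

Added example; the field width and the sample values are constructed for illustration.
"""
import math
import struct
from decimal import Decimal, ROUND_HALF_EVEN

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_int32(value):
    """Accept only a genuine integer that fits a signed 32-bit field.

    Rejects bool (a subclass of int), floats (including NaN and inf), strings
    and out-of-range values instead of silently truncating or wrapping.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"expected int, got {type(value).__name__}")
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError(f"{value} does not fit in a signed 32-bit field")
    return value


def pack_int32(value):
    """Serialise through the guard; struct would also refuse, but with a vaguer error."""
    return struct.pack("<i", to_int32(value))


def wrap_int32(value):
    """What an unchecked 32-bit store does to an oversized value (shown for contrast)."""
    return ((value + 2**31) % 2**32) - 2**31


def cents_from_decimal_string(text):
    """Money as an integer number of cents, parsed via Decimal rather than float."""
    amount = Decimal(text)
    if not amount.is_finite():                       # rejects NaN and infinities
        raise ValueError("amount must be a finite number")
    return int(amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_EVEN) * 100)


def float_pitfalls():
    """Facts about float that the guards above are designed around."""
    nan = float("nan")
    return {
        "0.1 + 0.2 == 0.3": 0.1 + 0.2 == 0.3,          # False: binary fractions
        "nan == nan": nan == nan,                        # False: NaN is unequal to itself
        "nan < 1 or nan >= 1": nan < 1 or nan >= 1,      # False: no ordering at all
        "int(-2.9)": int(-2.9),                          # -2: truncation toward zero
        "isnan detects it": math.isnan(nan),             # True: the right check
        "2**31 wraps to": wrap_int32(2**31),             # -2147483648 in a 32-bit store
    }


if __name__ == "__main__":
    for name, value in float_pitfalls().items():
        print(f"{name:22} -> {value}")
    print(pack_int32(123456))
    print(cents_from_decimal_string("19.99"))
```

The same guard belongs wherever a Python int leaves the interpreter: a database column, a C extension, a binary protocol field. The check is cheap, and the alternative is a value that is silently different on the other side.
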
14.9 Do not pass user-supplied data to any dynamic execution function
Scenario: Avoid passing data provided by users to functions that dynamically execute code, as this can lead to code injection vulnerabilities.
Example: Do not allow users to provide input that is directly passed to functions capable of executing code dynamically, such as eval() or dynamic SQL execution. This can prevent code injection attacks.

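Added example for 14.9 (not from the original checklist): a setting that arrives as text and was being parsed with eval() is parsed instead with ast.literal_eval, which accepts only data literals and never calls functions or looks up names, followed by a typed check of the result. The "list of ports" use case and the sample inputs are constructed; the eval version is kept only so the two can be compared.

```python
"""Replacing eval() on user input with a parser that accepts only data.

Added example; the setting format and the sample inputs are constructed.
"""
import ast


def parse_setting_unsafe(text):
    """Pattern 14.9 forbids: eval executes whatever expression the caller supplies."""
    return eval(text)  # noqa: S307  (kept only for contrast with parse_setting)


def parse_setting(text, max_len=1024):
    """Accept only Python literals: numbers, strings, lists, tuples, dicts, sets, None.

    ast.literal_eval never calls functions, looks up names or imports, so an
    expression such as len('abc') is a ValueError rather than an execution.
    """
    if not isinstance(text, str):
        raise TypeError("setting must be a str")
    if len(text) > max_len:                      # bound the parser's work up front
        raise ValueError("setting too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain literal: {text[:40]!r}") from exc


def parse_port_list(text):
    """Typed, shaped validation on top of the literal parse: a non-empty list of ports."""
    value = parse_setting(text)
    if not isinstance(value, list) or not value:
        raise ValueError("expected a non-empty list of ports")
    for port in value:
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
    return value


if __name__ == "__main__":
    for raw in ["[8080, 8443]", "{'a': 1}", "len('abc')", "1 + x", "[1,"]:
        try:
            print(f"{raw!r:16} -> {parse_setting(raw)!r}")
        except ValueError as exc:
            print(f"{raw!r:16} -> rejected: {exc}")
    print(parse_port_list("[22, 443]"))
```

If the setting only ever needs one shape, a purpose-built parser (split on commas, convert each piece with int) is smaller still and has no expression grammar to reason about; literal_eval is the general tool when the data is genuinely a nested literal.
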
14.10 Restrict users from generating new code or altering existing code
Scenario: Prevent users from generating or modifying code to maintain control over the application's behavior and security.
Example: Avoid providing users with the capability to write or execute arbitrary code within the application, as this can lead to security risks.

14.11 Review all secondary applications, third-party code, and libraries to determine business necessity and validate safe functionality, as these can introduce new vulnerabilities
Scenario: Conduct a thorough review of secondary applications, third-party code, and libraries to assess their necessity and ensure that their functionality does not introduce security vulnerabilities.
Example: Before integrating third-party code or libraries into your application, carefully review and validate the code to confirm that it is both necessary for your business requirements and free from security vulnerabilities.

14.12 Implement safe updating. If the application will utilize automatic updates, then use cryptographic signatures for your code and ensure your download clients verify those signatures. Use encrypted channels to transfer the code from the host server
Scenario: Implement secure update mechanisms, especially if your application supports automatic updates. Utilize cryptographic signatures to verify code authenticity, and ensure download clients validate these signatures. Additionally, use encrypted channels to transfer code updates from the host server.
Example: When delivering automatic updates for your application, ensure that the updates are digitally signed with a cryptographic signature to guarantee their authenticity. The download client should verify these signatures before applying updates. Encrypt the communication channel between the host server and the client to protect the code updates from interception.

15. Glossary

★ Abuse Case: Describes the intentional and unintentional misuses of the
software. Abuse cases should challenge the assumptions of the system design.

★ Access Control: A set of controls that grant or deny a user, or other entity, access
to a system resource. This is usually based on hierarchical roles and individual
privileges within a role, but also includes system to system interactions.

★ Authentication: A set of controls that are used to verify the identity of a user, or
other entity, interacting with the software.

★ Availability: A measure of a system's accessibility and usability.

★ Canonicalize: To reduce various encodings and representations of data to a
single simple form.

★ Communication Security: A set of controls that help ensure the software
handles the sending and receiving of information in a secure manner.

★ Confidentiality: To ensure that information is disclosed only to authorized
parties.

★ Contextual Output Encoding: Encoding output data based on how it will be
utilized by the application. The specific methods vary depending on the way the
output data is used. If the data is to be included in the response to the client,
account for inclusion scenarios like: the body of an HTML document, an HTML
attribute, within JavaScript, within a CSS or in a URL. You must also account for
other use cases like SQL queries, XML and LDAP.

★ Cross Site Request Forgery: An external website or application forces a client to
make an unintended request to another application that the client has an active
session with. Applications are vulnerable when they use known, or predictable,
URLs and parameters; and when the browser automatically transmits all
required session information with each request to the vulnerable application.
(This is one of the only attacks specifically discussed in this document and is only
included because the associated vulnerability is very common and poorly
understood.)

★ Cryptographic Practices: A set of controls that ensure cryptographic operations
within the application are handled securely.

★ Data Protection: A set of controls that help ensure the software handles the
storing of information in a secure manner.

★ Database Security: A set of controls that ensure that software interacts with a
database in a secure manner and that the database is configured securely.

★ Error Handling and Logging: A set of practices that ensure the application
handles errors safely and conducts proper event logging.

★ Exploit: To take advantage of a vulnerability. Typically this is an intentional action
designed to compromise the software's security controls by leveraging a
vulnerability.

★ File Management: A set of controls that cover the interaction between the code
and other system files.

★ General Coding Practices: A set of controls that cover coding practices that do
not fit easily into other categories.

★ Hazardous Character: Any character or encoded representation of a character
that can affect the intended operation of the application or associated system by
being interpreted to have a special meaning, outside the intended use of the
character. These characters may be used to:

○ Alter the structure of existing code or statements
○ Insert new unintended code
○ Alter paths
○ Cause unexpected outcomes from program functions or routines
○ Cause error conditions
○ Have any of the above effects on downstream applications or systems

★ HTML Entity Encode: The process of replacing certain ASCII characters with their
HTML entity equivalents. For example, encoding would replace the less-than
character "<" with the HTML equivalent "&lt;". HTML entities are 'inert' in most
interpreters, especially browsers, which can mitigate certain client-side attacks.

★ Impact: A measure of the negative effect on the business that results from the
occurrence of an undesired event; what would be the result of a vulnerability
being exploited.

★ Input Validation: A set of controls that verify the properties of all input data
match what is expected by the application, including types, lengths, ranges,
acceptable character sets, and does not include known hazardous characters.

★ Integrity: The assurance that information is accurate, complete, and valid and
has not been altered by an unauthorized action.

★ Log Event Data: This should include the following:

○ Time stamp from a trusted system component
○ Severity rating for each event
○ Tagging of security-relevant events if they are mixed with other log entries
○ Identity of the account/user that caused the event
○ Source IP address associated with the request
○ Event outcome (success or failure)
○ Description of the event
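The following added example (not code from the checklist) assembles a log event carrying each field in the list above as a single text line. The timestamp comes from the server clock in UTC rather than anything the client sent, and the fields that originate from the request (user, source address, description) are neutralised so an attacker cannot embed a line break and forge a second entry. The line format and field names are assumptions for the demonstration.

```python
# Added example (not from the checklist): a log event with every field the
# checklist lists, serialised as one line with untrusted values neutralised.
from datetime import datetime, timezone

SEVERITIES = ("INFO", "WARNING", "ERROR", "CRITICAL")
OUTCOMES = ("success", "failure")


def neutralise(value: str, max_len: int = 256) -> str:
    """Hex-escape CR, LF and other control characters and cap the length,
    so request-controlled text cannot inject a fake log line."""
    out = []
    for ch in str(value)[:max_len]:
        if ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def build_event(*, severity, user, source_ip, outcome, description,
                security=False, now=None) -> dict:
    """Return the structured event; `now` is only for deterministic tests."""
    if severity not in SEVERITIES:
        raise ValueError("unknown severity")
    if outcome not in OUTCOMES:
        raise ValueError("outcome must be success or failure")
    # Time stamp from a trusted component: the server's own clock, in UTC.
    ts = now if now is not None else datetime.now(timezone.utc)
    return {
        "ts": ts.isoformat(timespec="milliseconds"),
        "severity": severity,
        "security": security,          # tag so SIEM rules can filter
        "user": neutralise(user),
        "src_ip": neutralise(source_ip),
        "outcome": outcome,
        "msg": neutralise(description),
    }


def format_line(event: dict) -> str:
    """One key="value" line per event; quotes inside values are escaped."""
    parts = []
    for key, value in event.items():
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{text}"')
    return " ".join(parts)


# Constructed sample: a failed login whose username carries a CRLF payload
# intended to forge a successful-looking entry.
FIXED_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = build_event(
    severity="WARNING",
    user="alice\r\nts=2024-01-01T12:00:01 user=admin outcome=success",
    source_ip="203.0.113.7",
    outcome="failure",
    description="invalid password",
    security=True,
    now=FIXED_TIME,
)

if __name__ == "__main__":
    print(format_line(SAMPLE))
```

If the log sink is JSON, `json.dumps` already escapes control characters inside strings; the explicit neutralisation matters for plain-text and syslog-style sinks, which is why it is done in the event builder rather than left to the formatter.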

★ Memory Management: A set of controls that address memory and buffer usage.

★ Mitigate: Steps taken to reduce the severity of a vulnerability. These can include
removing a vulnerability, making a vulnerability more difficult to exploit, or
reducing the negative impact of a successful exploitation.

★ Multi-Factor Authentication: An authentication process that requires the user
to produce multiple distinct types of credentials. Typically this combines at least
two of: something they have (e.g., a smart card), something they know (e.g., a
PIN), and something they are (e.g., data from a biometric reader).

★ Output Encoding: A set of controls addressing the use of encoding to ensure
data output by the application is safe.

★ Parameterized Queries (prepared statements): Keeps the query and data
separate through the use of placeholders. The query structure is defined with
placeholders, the SQL statement is sent to the database and prepared, and then
the prepared statement is combined with the parameter values. This prevents
the query from being altered because the parameter values are combined with
the compiled statement, not a SQL string.

★ Sanitize Data: The process of making potentially harmful data safe through the
use of data removal, replacement, encoding, or escaping of the characters.

★ Security Controls: Actions that mitigate potential vulnerabilities and help
ensure that the software behaves only in the expected manner.

★ Security Requirements: A set of design and functional requirements that help
ensure the software is built and deployed in a secure manner.

★ Sequential Authentication: When authentication data is requested on
successive pages rather than being requested all at once on a single page.

★ Session Management: A set of controls that help ensure web applications
handle HTTP sessions in a secure manner.

★ State Data: When data or parameters are used by the application or server to
emulate a persistent connection or track a client's status across a multi-request
process or transaction.
★ System: A generic term covering the operating systems, web server, application
frameworks, and related infrastructure.

★ System Configuration: A set of controls that help ensure the infrastructure
components supporting the software are deployed securely.

★ Threat Agent: Any entity that may have a negative impact on the system. This
may be a malicious user who wants to compromise the system's security
controls; however, it could also be an accidental misuse of the system or a more
physical threat like fire or flood.

★ Trust Boundaries: Typically, a trust boundary constitutes the components of the
system under your direct control. All connections and data from systems outside
of your direct control, including all clients and systems managed by other parties,
should be considered untrusted and be validated at the boundary before
allowing further system interaction.

★ Vulnerability: A weakness that makes the system susceptible to attack or
damage.
