There’s an excellent thread going on over at stackoverflow.com about suggestions for what every programmer should know about security.

Some of the more interesting highlights:

  • Never trust user input!
  • Validate input from all untrusted sources – use whitelists not blacklists
  • Plan for security from the start – it’s not something you can bolt on at the end
  • Keep it simple – complexity increases the likelihood of security holes
  • Keep your attack surface to a minimum
  • Make sure you fail securely
  • Use defence in depth
  • Adhere to the principle of least privilege
  • Use threat modelling
  • Compartmentalize – so your system is not all or nothing
  • Hiding secrets is hard – and secrets hidden in code won’t stay secret for long
  • Don’t write your own crypto
  • Using crypto doesn’t mean you’re secure (attackers will look for a weaker link)
  • Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

 

Check out the full discussion here: What should every programmer know about security? (via stackoverflow.com)

 

Share