What Every Programmer Should Know About Security

There’s an excellent thread going on over at stackoverflow.com about suggestions for what every programmer should know about security.

Some of the more interesting highlights:

  • Never trust user input!
  • Validate input from all untrusted sources - use whitelists not blacklists
  • Plan for security from the start - it's not something you can bolt on at the end
  • Keep it simple - complexity increases the likelihood of security holes
  • Keep your attack surface to a minimum
  • Make sure you fail securely
  • Use defence in depth
  • Adhere to the principle of least privilege
  • Use threat modelling
  • Compartmentalize - so your system is not all or nothing
  • Hiding secrets is hard - and secrets hidden in code won't stay secret for long
  • Don't write your own crypto
  • Using crypto doesn't mean you're secure (attackers will look for a weaker link)
  • Be aware of buffer overflows and how to protect against them
There are some excellent books and articles online about making your applications secure:


Check out the full discussion here: What should every programmer know about security? (via stackoverflow.com)

Written on May 7, 2012