StackOverflow Question: What should every programmer know about security?

Just found this SO question, "What should every programmer know about security?", on Reddit. Here is the top up-voted answer.

Principles to keep in mind if you want your applications to be secure:

  • Never trust user input!
  • Validate input from all untrusted sources – use whitelists not blacklists
  • Plan for security from the start – it’s not something you can bolt on at the end
  • Keep it simple – complexity increases the likelihood of security holes
  • Keep your attack surface to a minimum
  • Make sure you fail securely
  • Use defense in depth
  • Adhere to the principle of least privilege
  • Use threat modelling
  • Compartmentalize – so your system is not all or nothing
  • Hiding secrets is hard – and secrets hidden in code won’t stay secret for long
  • Don’t write your own crypto
  • Using crypto doesn’t mean you’re secure (attackers will look for a weaker link)
  • Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

Writing Secure Code 2nd Edition – I think every programmer should read this
Building Secure Software: How to Avoid Security Problems the Right Way
Secure Programming Cookbook
Exploiting Software
Security Engineering – an excellent read
Secure Programming for Linux and Unix HOWTO
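
As an added illustration of two of the principles listed above (whitelists rather than blacklists, and failing securely), here is a Python example that is not part of the quoted answer. The function names, the filename policy and the sample inputs are all constructed for this illustration.

```python
import re

# Blacklist: reject only what someone remembered to list (assumed patterns).
BLACKLIST = ("../", "..\\")

def blacklist_ok(name):
    return not any(bad in name for bad in BLACKLIST)

# Whitelist: state exactly what a valid download name looks like
# (hypothetical policy: short basename plus one of three extensions).
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:pdf|txt|csv)")

def whitelist_ok(name):
    # fullmatch() must consume the whole string, so a trailing newline or
    # any extra path component is rejected.
    return isinstance(name, str) and ALLOWED_NAME.fullmatch(name) is not None

def may_download(name, checker=whitelist_ok):
    """Fail securely: an error inside the validator means deny, never allow."""
    try:
        return checker(name) is True
    except Exception:
        return False

# Constructed sample inputs, not taken from any real system.
SAMPLES = ["report_2024.pdf", "/etc/hosts", "%2e%2e/secret.txt",
           "notes.txt\n", "../notes.txt", None]

def compare(samples=SAMPLES):
    """Return (input, blacklist verdict, whitelist verdict) per sample."""
    return [(s, may_download(s, blacklist_ok), may_download(s, whitelist_ok))
            for s in samples]

if __name__ == "__main__":
    for value, black, white in compare():
        print(f"{value!r:24} blacklist={black!s:5} whitelist={white}")
```

The blacklist accepts every sample it has no pattern for, while the whitelist accepts only the one value that fits the stated policy; the `None` input raises inside the blacklist check and is denied by the wrapper instead of crashing or being allowed.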

