Avoiding vulnerabilities in software development
Impose proper input validation:
1. Apply the zero trust principle and assume all input is unsafe until proven otherwise. Whitelist validated environmental variables, queries, files, databases and API calls.
2. Realize that attackers may be able to access hidden form fields.
3. Validate input for content, as well as length. Evaluate type, syntax, and conformance to logic (semantic sense).
4. Perform both client-side and server-side checks.
5. Validate inputs again after any data combination or conversion.
Beware of information exposure:
1. Frame your error messages so that they do not give away the full path of a file or program, or expose a user in the database.
2. Contain sensitive information to areas with explicit trust boundaries. Use access controls to secure and restrict connections between ‘safe’ areas and endpoints.
3. Restrict sensitive information from URLs or communication headers. Obscure path names and API keys.
Ensure proper authentication to assign privileges:
1. Make sure temporary privilege escalations are easily reversed, and soon.
2. Assign privileges through whitelisting, starting with a universal base of least privilege, rather than restricting them through blacklisting.
3. Never allow a lower privilege level to affect a higher privileged user.
4. Restrict log-in attempts and impose session limits.
5. Separate higher-level privileges into different roles to limit ‘power users’.
6. Apply multi-factor authentication.
Full post here, 6 mins read