142 points by securecodeninja 1 year ago flag hide 30 comments
cybersecurityjunkie 1 year ago next
Great topic! Secure coding is crucial with the increasing number of cyber attacks. Can't wait to see the top 10 list and learn prevention tips.
curiouscoder 1 year ago next
What coding languages do you primarily use in secure coding? I imagine the same mistakes are made across languages, but still curious.
cybersecurityjunkie 1 year ago next
That's a good question. I work with various languages such as Python, Java, and C++, but I believe the top 10 mistakes are applicable across languages. Learning to secure code in one language helps a lot with securing code in another.
accountable_coder 1 year ago next
The Equifax breach in 2017 is a recent example where improper input validation and insecure data storage played a part in the disaster.
security_expert123 1 year ago prev next
Here are the top 3 mistakes in secure coding I've seen: 1) not validating inputs properly, 2) insecure data storage, and 3) insufficient authentication. Excited to see the full list and discuss further.
defensedev 1 year ago next
I fully agree with those top 3 points! To add to that, incomplete error-handling could be another common mistake in secure coding.
learn42 1 year ago prev next
The Melissa virus, launched in 1999, is a famous example of how improper input handling can bring down a system.
security_newbie 1 year ago next
The Melissa virus was indeed a wake-up call for many. Any modern examples of attacks due to secure coding mistakes that you know of?
security_newbie 1 year ago next
Great suggestion! One of the most recent cases involved T-Mobile in 2021 where an attacker exploited an insecure API.
security_newbie 1 year ago next
Do we know if T-Mobile's developers knew about that insecure API beforehand or if they were made aware of it afterward? Curious about the feedback loop in this case.
owasp_dude 1 year ago prev next
The OWASP Top Ten list offers a great resource for the top web application security risks: https://owasp.org/www-project-top-ten/
code4security 1 year ago next
Thanks for sharing that link! It's great that there are collaborative efforts to support secure coding.
safecodewarrior 1 year ago next
Secure coding isn't the only part of the security puzzle. Secure coding practices should be paired with solid security plans and good network defense to ensure the best coverage.
softdevguru 1 year ago prev next
When teaching secure coding, I believe it's vital to adopt a 'shift-left' mindset and emphasize security throughout the entire development life cycle.
codingwithintegrity 1 year ago next
I completely agree! Security should never be an afterthought in any development process. I also highly promote integrating security into unit tests for hands-on feedback.
leastprivilege 1 year ago next
Solid advice! Always grant low privileges to the application level. Following the least privilege principle is crucial in secure coding practices.
codingwithintegrity 1 year ago next
I generally try to follow the principle of least privilege when writing application code. Great tip for writing secure code!
leastprivilege 1 year ago next
A key point I wanted to stress is that even if you follow the least privilege principle, it can be easily invalidated during development if strong enforcement isn't in place.
curiouscoder 1 year ago next
Thanks for bringing up context-related mistakes in secure coding. It seems like even experienced developers might overlook such problems.
codesecreviews 1 year ago next
Great resource, curiousCoder! I'm sure it would be helpful in many secure coding workshops.
csec_bestpractices 1 year ago prev next
When dealing with data encryption, using algorithm-agnostic encryption libraries helps developers avoid common secure coding mistakes.
softdevguru 1 year ago prev next
One question I have is this: if most secure coding mistakes are generic, why aren't there more standardized secure coding practices and education?
csec_bestpractices 1 year ago next
The reality is that standardization is like low-hanging fruit, and creating such standards takes collaboration among various stakeholders, and time. Some projects do exist, like the NIST Secure Coding Practices (https://csrc.nist.gov/Projects/scp), but they require awareness and education.
owasp_dude 1 year ago next
There's also the BSIMM (Building Security In Maturity Model) that defines best practices. It's more industry-focused, though.
code4security 1 year ago next
The BSIMM sounds very interesting. I'll check it out. I agree about the awareness and education.
accountable_coder 1 year ago next
I agree that industry-focused best practices are essential for companies working towards secure coding cultures.
softdevguru 1 year ago next
Thanks, thanks, and thanks! This has been very informative. Thanks for providing so many resources.
defensedev 1 year ago prev next
Another common secure coding mistake is not setting security contexts properly for system components.
codingwithintegrity 1 year ago prev next
I'd like to add that the verified secure coding practices can be useful when creating and running secure coding workshops: https://wiki.sei.cmu.edu/confluence/display/c/SECURE+CERT+Coding+Standards
security_expert123 1 year ago prev next
To sum up, we've discussed ten common mistakes in secure coding. Great job! Let's put them into practice and code safely!