This list is not in any way complete or comprehensive. If anything, it should be seen as just the base. As a developer, regardless of how experienced you are, you must be aware of security concepts and practices, incorporate them in your code, and stay aware of and communicate with the peers who cover the other parts of your software (devops, please).
Sadly, even in 2020, there are developers who skip this or are not aware of it, thinking that it is someone else's responsibility or simply that their system won't raise any interest from malicious actors.
Here is my list of basic security principles:
- Never trust data from your users. It doesn't matter whether they are end users, logged-in users or fellow administrator users.
- Validate everything, as close to the system edge as possible.
- Don't assume the calls your backend receives always come from your frontend.
- Store only clean, validated data, regardless of its type (yes, even long free-text content).
- Never assume a language or a library comes with added security. That said, I am not saying you shouldn't use libraries or add-ons; but be skeptical and don't assume the added security is there.
- Assume secrets will become known, and mitigate for it. This refers to passwords, API keys, "secret" questions and any other sensitive configuration. Don't take it lightly, and please don't keep them in files that are easily accessible in your application.
- Whatever you do, somebody will phish a password out of one of your users. You can't prevent this in your code. Explore added security in your user authentication (2FA) and authorization (user access levels), to ensure everyone can only do what they are supposed to, nothing more.
- Tell the attacker nothing useful. Stack traces are for developers, not for public error messages.
- Add monitoring tools that tell you when you are being attacked. Audit-log what the attacker is doing, so you can replicate and fix the problem.
- Security happens everywhere, not at a single point. It is not only your responsibility, but it is part of your job, whether you are a newbie, a frontend developer or a devops engineer.
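As an added example (not code from the post), here is how a few of these principles look together in Python: validation at the system edge so that only clean data reaches the store, and an error handler that sends the full stack trace to the audit log while telling the caller nothing useful. The `STORE` list, the signup field rules and the `validate_signup`/`handle_signup` names are all constructed for illustration.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("audit")

# Constructed stand-in for the application's real data store.
STORE: list = []

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


class ValidationError(ValueError):
    """Raised at the edge when untrusted input does not match the contract."""


def validate_signup(raw) -> dict:
    """Validate and normalize an untrusted request body at the system edge.

    Only the expected fields survive, so nothing unvalidated reaches the store,
    whoever sent the request (browser, script, or an 'admin' client).
    """
    if not isinstance(raw, dict):
        raise ValidationError("body must be a JSON object")
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: 3-32 letters, digits or underscores")
    bio = raw.get("bio", "")
    if not isinstance(bio, str) or len(bio) > 500:
        raise ValidationError("bio: text of at most 500 characters")
    # Free text is still validated: control characters are dropped.
    bio = "".join(ch for ch in bio if ch.isprintable() or ch in "\n\t")
    return {"username": username, "bio": bio}


def handle_signup(raw, store=STORE) -> tuple:
    """Edge handler: validate, store, and never leak internals to the caller."""
    try:
        store.append(validate_signup(raw))
        return 201, {"status": "created"}
    except ValidationError as exc:
        # Telling the user what we accept is fine; it reveals nothing about internals.
        return 400, {"error": str(exc)}
    except Exception:
        # Unexpected failure: the full stack trace goes to the audit log, the caller
        # gets only an opaque reference id they can quote to support.
        ref = uuid.uuid4().hex
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}
```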
I hope you find these helpful as a base to start from and build on, for every line of code you write, regardless of its scope or size.