Secure Code Development Best Practices

The cost of fixing security vulnerabilities increases dramatically the later they’re discovered in the development process. By integrating security practices throughout the software development lifecycle (SDLC), organizations can build more secure applications while saving time and resources.

The Cost of Insecure Code

Security vulnerabilities can lead to:

• Data breaches exposing sensitive customer information
• Financial losses from fraud and theft
• Regulatory penalties and compliance violations
• Damage to brand reputation and customer trust
• Business disruption and recovery costs

According to industry research, fixing a vulnerability during coding costs approximately 30 times less than addressing it in production. This stark difference underscores the importance of “shifting security left” in the development process.

Integrating Security in the SDLC

1. Requirements Phase

Security must be part of the initial application planning:

• Define security requirements alongside functional requirements
• Consider regulatory and compliance obligations (GDPR, HIPAA, PCI-DSS)
• Perform threat modeling to identify potential risks
• Establish security acceptance criteria for features

Example threat modeling approach (STRIDE):

Threat Type	Description	Example
Spoofing	Impersonating something or someone	Session hijacking
Tampering	Modifying data/code	SQL injection
Repudiation	Claiming not to have performed an action	Disabling audit logs
Information Disclosure	Exposing information to unauthorized users	Path traversal
Denial of Service	Making a system/application unavailable	Resource exhaustion
Elevation of Privilege	Gaining higher access rights	Broken access control

2. Design Phase

Build security into your application architecture:

• Follow the principle of least privilege
• Implement defense-in-depth strategies
• Design proper authentication and authorization mechanisms
• Plan for secure data handling and encryption
• Create security design patterns for reuse

“Security is not a feature; it’s a property of the entire system.”

3. Development Phase

Secure coding practices during implementation:

Input Validation

Never trust user input. Validate all inputs for:

• Type (string, integer, etc.)
• Length constraints
• Format (using regular expressions)
• Range checking for numerical values

// BAD - No input validation
function processUserData(userInput) {
  executeQuery("SELECT * FROM users WHERE name = '" + userInput + "'");
}

// GOOD - With input validation
function processUserData(userInput) {
  if (!/^[a-zA-Z0-9]{1,50}$/.test(userInput)) {
    throw new Error("Invalid input");
  }
  executeQuery("SELECT * FROM users WHERE name = ?", [userInput]);
}

Output Encoding

Encode output based on the context:

• HTML encoding for web pages
• JavaScript encoding for inclusion in scripts
• URL encoding for parameters
• CSS encoding for styles

// BAD - Direct output
document.getElementById("userProfile").innerHTML = "Welcome, " + userName;

// GOOD - With encoding
import { encodeForHTML } from "encoding-library";
document.getElementById("userProfile").innerHTML =
  "Welcome, " + encodeForHTML(userName);

SQL Injection Prevention

Use parameterized queries or ORMs instead of string concatenation:

# BAD - String concatenation
cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")

# GOOD - Parameterized query
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

Authentication & Authorization

Implement robust authentication:

• Use strong, proven authentication libraries
• Enforce multi-factor authentication for sensitive functions
• Implement proper session management
• Store credentials securely (never in plaintext)

// BAD - Password storage
const user = {
  username: "alice",
  password: "P@ssw0rd123", // Plaintext!
};

// GOOD - Password hashing
import bcrypt from "bcrypt";
const saltRounds = 12;
const passwordHash = await bcrypt.hash(password, saltRounds);

For authorization:

• Implement access control checks at each layer
• Use role-based access control (RBAC)
• Verify authorization on every request
• Don’t rely on client-side security measures

Secure Dependencies

Manage third-party dependencies carefully:

• Regularly audit and update dependencies
• Use lockfiles to pin dependency versions
• Implement vulnerability scanning for dependencies
• Have a process for addressing vulnerable dependencies

4. Testing Phase

Validate your security implementations:

• Perform security-focused code reviews
• Conduct static application security testing (SAST)
• Implement dynamic application security testing (DAST)
• Run interactive application security testing (IAST)
• Perform penetration testing for critical applications

Example security testing pipeline:

# Example GitLab CI pipeline with security checks
stages:
  - build
  - test
  - security

security_sast:
  stage: security
  script:
    - run-sast-scanner

security_dependency_check:
  stage: security
  script:
    - run-dependency-scanner

security_dast:
  stage: security
  script:
    - deploy-test-environment
    - run-dast-scanner

5. Deployment Phase

Ensure secure application deployment:

• Use infrastructure as code with security configurations
• Implement secure CI/CD pipelines
• Sign code and verify signatures
• Use secure deployment patterns (canary, blue/green)
• Configure appropriate security headers and settings

Important web security headers:

# Example Nginx security headers
add_header Content-Security-Policy "default-src 'self';" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

6. Maintenance Phase

Ensure ongoing security posture:

• Implement security monitoring and logging
• Have a vulnerability disclosure process
• Conduct regular security assessments
• Maintain incident response procedures
• Apply security patches promptly

DevSecOps Approach

DevSecOps integrates security throughout the DevOps pipeline:

1. Automate security checks in CI/CD pipelines
2. Create security champions within development teams
3. Shift left by moving security testing earlier in the development process
4. Implement security as code through policy-as-code and compliance-as-code
5. Continuously monitor applications for security issues

Secure Coding Guidelines by Language

Different programming languages have specific security considerations:

JavaScript/TypeScript

• Use Content Security Policy (CSP)
• Be cautious with eval() and dynamic code execution
• Protect against XSS with proper context-aware encoding
• Use security linters (ESLint with security plugins)

Python

• Avoid pickle for untrusted data
• Be cautious with eval(), exec(), and os.system()
• Use virtual environments and lock dependencies
• Follow the Bandit security linter recommendations

Java/Kotlin

• Use the Java Security Manager
• Implement proper serialization controls
• Follow OWASP ASVS guidelines for Java applications
• Be careful with reflection and classloading

C/C++

• Use modern C++ features and libraries
• Avoid common memory corruption issues
• Implement proper memory management
• Use static analysis tools specifically for C/C++

Building a Security-Focused Culture

Technical measures alone aren’t enough—organizations need a security culture:

• Provide secure coding training for developers
• Recognize and reward secure development practices
• Make security requirements visible and accessible
• Establish clear security guidelines and standards
• Create a blame-free environment for reporting issues

Conclusion

Secure coding isn’t an add-on feature but an integral part of software development. By implementing these best practices throughout your SDLC, you can significantly reduce your application’s attack surface and build more resilient software.

Remember that security is a continuous process, not a one-time project. As threats evolve, so should your secure coding practices and security testing methodologies.

To learn more about implementing secure coding practices in your organization or for a security assessment of your applications, contact our AppSec team at Deep Blue Fortress.