What should every programmer know about security?

Question

Closed. This question is opinion-based. It is not currently accepting answers.

Answer 1

Principles to keep in mind if you want your applications to be secure:

• Never trust any input!
• Validate input from all untrusted sources - use whitelists not blacklists
• Plan for security from the start - it's not something you can bolt on at the end
• Keep it simple - complexity increases the likelihood of security holes
• Keep your attack surface to a minimum
• Make sure you fail securely
• Use defence in depth
• Adhere to the principle of least privilege
• Use threat modelling
• Compartmentalize - so your system is not all or nothing
• Hiding secrets is hard - and secrets hidden in code won't stay secret for long
• Don't write your own crypto
• Using crypto doesn't mean you're secure (attackers will look for a weaker link)
• Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

• Writing Secure Code 2nd Edition - I think every programmer should read this
• Building Secure Software: How to Avoid Security Problems the Right Way
• Secure Programming Cookbook
• Exploiting Software
• Security Engineering - an excellent read
• Secure Programming for Linux and Unix HOWTO

Train your developers on application security best pratices

Codebashing (paid)

Security Innovation(paid)

Security Compass (paid)

OWASP WebGoat (free)