Secure Coding

Development practices that prevent security vulnerabilities from the design stage onward, including input validation, error handling, and defense-in-depth principles.

What it is

Secure coding is the set of development practices that prevent security vulnerabilities through the way code is designed and written. It's not just running scanning tools; it's writing code that's secure by construction.

OWASP Top 10 (2021)

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable Components
  7. Authentication Failures
  8. Software Integrity Failures
  9. Logging Failures
  10. Server-Side Request Forgery

Principles

  • Validate inputs: never trust user data
  • Sanitize outputs: escape data according to context
  • Least privilege: give only necessary permissions
  • Defense in depth: multiple protection layers
  • Fail securely: errors shouldn't expose information

Specific practices

| Vulnerability | Insecure code | Secure code |
|---|---|---|
| SQL Injection | query("SELECT * FROM users WHERE id=" + id) | query("SELECT * FROM users WHERE id=$1", [id]) |
| XSS | innerHTML = userInput | textContent = userInput or sanitize with DOMPurify |
| Path Traversal | readFile("/uploads/" + filename) | Validate that filename doesn't contain .. |
| Hardcoded secrets | const key = "sk-abc123" | const key = process.env.API_KEY |
| Insecure crypto | md5(password) | bcrypt.hash(password, 12) |
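
For the Path Traversal row, a stricter check than the `..` substring test is to canonicalize the requested path and confirm it still sits under the upload root. The following is an added example, not code from the original page; `UPLOAD_ROOT`, the function names and the sample filenames are assumptions made for illustration.

```javascript
'use strict';
const path = require('node:path');

// Assumed upload root for this example; the page only shows "/uploads/".
const UPLOAD_ROOT = '/uploads';

// The table's check as written: reject any name containing "..".
function containsDotDot(filename) {
  return filename.includes('..');
}

// Canonicalize first, then verify the result is still inside the root.
// Returns the absolute path to open, or throws.
// Note: path.resolve is purely lexical and does not follow symlinks; if the
// upload directory can contain symlinks, also compare fs.realpath() results.
function resolveUpload(filename, root = UPLOAD_ROOT) {
  if (typeof filename !== 'string' || filename === '' || filename.includes('\0')) {
    throw new Error('invalid filename');
  }
  // path.posix keeps the behaviour identical on every platform.
  const base = path.posix.resolve(root);
  const target = path.posix.resolve(base, filename);
  const rel = path.posix.relative(base, target);
  // rel is "" for the root itself and starts with ".." when target is outside.
  if (rel === '' || rel === '..' || rel.startsWith('../')) {
    throw new Error('path escapes upload root');
  }
  return target;
}

// Constructed sample inputs (not from the page).
const SAMPLES = ['report.pdf', 'img/a.png', 'notes..v2.txt', '../etc/passwd',
  'img/../../etc/passwd', '/etc/passwd', '.'];

// Compare both checks on each sample: resolved is null when rejected.
function classify(samples = SAMPLES) {
  return samples.map((name) => {
    let resolved = null;
    try { resolved = resolveUpload(name); } catch (_) { /* rejected */ }
    return { name, dotDotCheckRejects: containsDotDot(name), resolved };
  });
}
```

The comparison shows two gaps in the substring test: it rejects the legitimate name `notes..v2.txt`, and it passes `/etc/passwd`, which escapes the root whenever the final path is built with `path.resolve` rather than string concatenation.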

General rules:

  • Use prepared statements (don't concatenate SQL)
  • Escape HTML to prevent XSS
  • Validate and sanitize file uploads
  • Don't expose stack traces in production
  • Use proven crypto libraries (don't implement your own)

Why it matters

Security is not added at the end; it is built in as the code is written. Secure coding practices prevent vulnerabilities before they reach production, where the cost of remediation is orders of magnitude higher.
