Secure Coding
Development practices preventing security vulnerabilities from design, including input validation, error handling, and defense-in-depth principles.
What it is
Secure coding are development practices preventing security vulnerabilities from code design. It's not just using scanning tools — it's writing code that's secure by construction.
OWASP Top 10 (2021)
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable Components
- Authentication Failures
- Software Integrity Failures
- Logging Failures
- Server-Side Request Forgery
Principles
- Validate inputs: never trust user data
- Sanitize outputs: escape data according to context
- Least privilege: give only necessary permissions
- Defense in depth: multiple protection layers
- Fail securely: errors shouldn't expose information
Specific practices
| Vulnerability | Insecure code | Secure code |
|---|---|---|
| SQL Injection | query("SELECT * FROM users WHERE id=" + id) | query("SELECT * FROM users WHERE id=$1", [id]) |
| XSS | innerHTML = userInput | textContent = userInput or sanitize with DOMPurify |
| Path Traversal | readFile("/uploads/" + filename) | Validate that filename doesn't contain .. |
| Hardcoded secrets | const key = "sk-abc123" | const key = process.env.API_KEY |
| Insecure crypto | md5(password) | bcrypt.hash(password, 12) |
General rules:
- Use prepared statements (don't concatenate SQL)
- Escape HTML to prevent XSS
- Validate and sanitize file uploads
- Don't expose stack traces in production
- Use proven crypto libraries (don't implement your own)
Why it matters
Security is not added at the end — it is built from the code. Secure coding practices prevent vulnerabilities before they reach production, where the cost of remediation is orders of magnitude higher.
References
- OWASP Top 10 — Most common vulnerabilities.
- OWASP Cheat Sheets — Practical guides.
- CWE Top 25 — MITRE, 2023. Top 25 most dangerous software weaknesses.