Simple Secure Coding Checklist

The following checklist identifies basic security issues that should be checked at every patch check-in. It is a first-line security control against vulnerable code making it to production. It is intended as a starting point, and the community is encouraged to get involved to improve this list.

Scenarios where this checklist could be used:

a. Review another developer's patch against secure coding best practices.

b. Review your own patch against secure coding best practices.

c. Retroactively review a code module against secure coding best practices.

Secure Coding Checklist:

1- Contextual encoding is applied:

Ensure that all dynamic data is properly encoded to prevent cross-site scripting attacks.

Code Review Tasks:

    • Ensure that encoding is applied for the context in which the data is output.
    • Ensure that dynamic data is properly quoted using double quotes.
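The following is an added example (not code from the original checklist) of applying a different encoder per output context in Python, using only the standard library. The untrusted value and the profile-link template are constructed for the demonstration; the function names are assumptions.

```python
import html
import json
import urllib.parse

# Constructed untrusted input for the demonstration (not real user data).
UNTRUSTED = '"><script>alert(1)</script>'


def encode_for_html(value: str) -> str:
    """HTML body context: escape &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """HTML attribute context: escape AND always wrap in double quotes, so a
    value containing a space cannot break out of an unquoted attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal context: json.dumps yields a quoted, escaped
    literal; '<' and '>' are additionally escaped so the literal can never
    terminate an enclosing <script> block."""
    literal = json.dumps(value)  # ensure_ascii=True also escapes U+2028/2029
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(value: str) -> str:
    """URL query parameter context: percent-encode everything that is not in
    the unreserved set (safe="" also encodes '/')."""
    return urllib.parse.quote(value, safe="")


def render_profile_link(display_name: str) -> str:
    """One template, four contexts, four encoders."""
    return (
        f'<a href="/profile?name={encode_for_url_param(display_name)}" '
        f'title={encode_for_attribute(display_name)}>'
        f'{encode_for_html(display_name)}</a>'
        f'<script>var name = {encode_for_js_string(display_name)};</script>'
    )
```

Note that the same input gets a different representation in each slot of the template; using the HTML encoder inside the script block, or the URL encoder inside the attribute, would leave that context exploitable.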

2- Sanitize user data:

Ensures that user-supplied data is properly sanitized to prevent cross-site scripting and injection attacks.

Code Review Tasks:

    • Ensure that data retrieved from the query string, headers, POST parameters, and cookies is properly sanitized using a whitelist.
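As an added example (not from the original checklist), the validator below applies a whitelist to each of the four request sources named in the task. The request structure, the parameter names and the patterns are assumptions constructed for the demonstration; a real handler would use its framework's request object.

```python
import re
from typing import Mapping, Optional

# Constructed request data (not from a real application) covering the four
# sources named in the checklist.
SAMPLE_REQUEST = {
    "query":   {"page": "3", "sort": "created_at", "q": "alice"},
    "headers": {"X-Request-Id": "7f3a9b2c-1e4d-4f6a-9c8b-2d1e3f4a5b6c"},
    "form":    {"username": "alice_01"},
    "cookies": {"lang": "en"},
}

# Whitelist rules: every accepted parameter is listed with the exact pattern
# or set of values it may take; anything else is rejected.
USERNAME_RE  = re.compile(r"[A-Za-z0-9_]{3,32}")
UUID_RE      = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
SEARCH_RE    = re.compile(r"[A-Za-z0-9 ._-]{0,64}")
SORT_COLUMNS = frozenset({"created_at", "name", "size"})
LANGUAGES    = frozenset({"en", "de", "fr"})


class ValidationError(ValueError):
    pass


def require_match(value: Optional[str], pattern: re.Pattern, field: str) -> str:
    # fullmatch (not match/search) so that trailing characters such as a
    # newline cannot ride along with an otherwise valid value.
    if value is None or not pattern.fullmatch(value):
        raise ValidationError(f"{field}: value not in whitelist")
    return value


def require_choice(value: Optional[str], allowed: frozenset, field: str) -> str:
    if value not in allowed:
        raise ValidationError(f"{field}: value not in whitelist")
    return value


def require_int(value: Optional[str], field: str, lo: int, hi: int) -> int:
    # str.isdigit is not enough (it accepts non-ASCII digits), so constrain to
    # ASCII digits first, then range-check the converted value.
    if value is None or not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValidationError(f"{field}: not an integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValidationError(f"{field}: out of range")
    return n


def validate_request(req: Mapping[str, Mapping[str, str]]) -> dict:
    """Return validated, typed values; raise on the first value that fails."""
    return {
        "page":       require_int(req["query"].get("page"), "page", 1, 10_000),
        "sort":       require_choice(req["query"].get("sort"), SORT_COLUMNS, "sort"),
        "q":          require_match(req["query"].get("q"), SEARCH_RE, "q"),
        "request_id": require_match(req["headers"].get("X-Request-Id"), UUID_RE, "X-Request-Id"),
        "username":   require_match(req["form"].get("username"), USERNAME_RE, "username"),
        "lang":       require_choice(req["cookies"].get("lang"), LANGUAGES, "lang"),
    }


def is_valid(req: Mapping[str, Mapping[str, str]]) -> bool:
    try:
        validate_request(req)
        return True
    except ValidationError:
        return False


def with_override(req: Mapping[str, Mapping[str, str]], section: str, key: str, value: str) -> dict:
    """Copy of req with one value replaced (used to exercise the rejections)."""
    copy = {sec: dict(vals) for sec, vals in req.items()}
    copy[section][key] = value
    return copy
```

The handler then works only with the dictionary returned by validate_request; the raw request sources are never read again downstream, which is what makes the whitelist enforceable in review.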

3- Use parameterized SQL statements:

Ensures that SQL statements are securely constructed to prevent SQL injection attacks.

Code Review Tasks:

    • Ensure that all SQL statements in the patch are parameterized, both for user-supplied data and for data loaded from other sources (e.g. database, files).
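The following added example (not code from the original checklist) contrasts a string-built query with a parameterized one against an in-memory SQLite database, and shows the second half of the task: a value read back from the database is bound with a placeholder exactly like request data. The tables and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; one name contains a quote, which is exactly the
# kind of value that string-built SQL mishandles.
USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    # A filter value stored earlier by another part of the application.
    conn.execute("CREATE TABLE prefs (owner TEXT, saved_filter TEXT)")
    conn.execute("INSERT INTO prefs VALUES (?, ?)", ("alice", "O'Brien"))
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Fails the checklist item: the value is spliced into the SQL text, so the
    # database parses part of the input as SQL syntax.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the driver passes the value separately from the
    # statement, so it is always treated as one string, quotes included.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_saved_filter(conn: sqlite3.Connection, owner: str) -> list:
    # Second-order case from the checklist: a value read back from the
    # database is bound with a placeholder just like request data.
    row = conn.execute(
        "SELECT saved_filter FROM prefs WHERE owner = ?", (owner,)
    ).fetchone()
    if row is None:
        return []
    return find_user_parameterized(conn, row[0])


def concatenation_misparses(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query fails to parse for this value."""
    try:
        find_user_concatenated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The misparse on a plain surname is the review signal: if a quote in ordinary data changes how the statement is parsed, the query text is being assembled from data, and the patch fails this item regardless of where the data came from.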

4- File Upload/Download:

Ensures that proper procedures have been followed to prevent path manipulation attacks and unauthorized attempts to access the file system.

Code Review Tasks:

    • Restrict accepted file types to avoid dangerous extensions like .bat or .exe.
    • It is preferable to use system-generated filenames if files are to be saved locally.
    • If this is not possible, validate the file name against a whitelist and use only the base file name, with any directory components stripped; a useful routine for this is File.getName().
    • Validate the file size to avoid denial of service attacks.
    • For file download operations, ensure that the path cannot be controlled by the user.
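The following added example (not code from the original checklist) implements the five tasks above in Python: extension whitelist, base-name extraction equivalent to File.getName(), name whitelist, size limit, a system-generated storage name, and a download-path check that confirms the resolved path stays inside the upload directory. The upload root, the allowed extensions and the size limit are assumptions constructed for the demonstration.

```python
import os
import re
import secrets
from pathlib import Path

UPLOAD_ROOT = Path("/var/app/uploads")        # assumed storage location
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class UploadRejected(ValueError):
    pass


def base_name(client_supplied: str) -> str:
    """Keep only the final path component, like Java's File.getName().
    Browsers on Windows may send backslashes, so both separators count."""
    return client_supplied.replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload_name(client_supplied: str) -> str:
    name = base_name(client_supplied)
    if not SAFE_NAME_RE.fullmatch(name) or ".." in name:
        raise UploadRejected("file name not in whitelist")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return name


def validate_upload_size(size: int) -> int:
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        raise UploadRejected("file size out of bounds")
    return size


def storage_name_for(validated_name: str) -> str:
    """Preferred: a system-generated name; only the vetted extension is kept."""
    ext = os.path.splitext(validated_name)[1].lower()
    return secrets.token_hex(16) + ext


def resolve_download_path(stored_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Map a stored name to a path and confirm it is a direct child of root.
    stored_name should come from the application's own records, never from
    the request."""
    candidate = (root / stored_name).resolve()
    if candidate.parent != root.resolve():
        raise UploadRejected("path escapes upload directory")
    return candidate


def rejects(client_supplied: str) -> bool:
    try:
        validate_upload_name(client_supplied)
        return False
    except UploadRejected:
        return True


def download_rejected(stored_name: str) -> bool:
    try:
        resolve_download_path(stored_name)
        return False
    except UploadRejected:
        return True
```

The download check compares resolved paths rather than string prefixes, so a name that normalises to a different directory is rejected even when it begins with the expected prefix.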

5- Forms should be protected with a token:

Ensures that proper procedures have been followed to prevent cross-site request forgery (CSRF) attacks.

Code Review Tasks:

    • Actionable requests must be protected using an anti-CSRF token. Actionable requests are requests that result in a data update, delete, insert, etc.
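As an added example (not code from the original checklist), the dispatcher below issues a token bound to the server-side session and requires it only on actionable (state-changing) methods. The secret, the session identifiers and the minimal request dispatcher are assumptions constructed for the demonstration; a real application would load the secret from configuration and deliver the token in a hidden form field or custom header.

```python
import hashlib
import hmac
import secrets

# Generated per process for the demo; in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Binding the MAC to the
    session id means a token issued to one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; never compare MACs with ==.
    return hmac.compare_digest(mac, expected)


def handle_request(method: str, session_id: str, form: dict) -> str:
    """Actionable requests must carry a valid token; read-only GETs need none.
    Review point: a state change reachable via GET bypasses this check."""
    if method.upper() in STATE_CHANGING_METHODS:
        if not verify_csrf_token(session_id, form.get("csrf_token")):
            return "403 Forbidden: missing or invalid CSRF token"
        return "200 OK: change applied"
    return "200 OK: read-only"
```

When reviewing, the thing to confirm is that every handler performing an update, delete or insert sits behind the token check and is not also reachable through a method the check ignores.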

6- Check authentication status if appropriate:

Ensures that proper checks have been made to prevent insufficient authentication attacks.

Code Review Tasks:

    • For all files in the patch, ensure that authentication status is checked.

7- Check authorization status if appropriate:

Ensures that proper checks have been made to prevent unauthorized data access.

Code Review Tasks:

    • For all files in the patch, ensure that code exists to check the role of the current user, if appropriate.
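The following added example (not code from the original checklist) covers items 6 and 7 together: an authentication check that runs before any handler, a role check layered on top of it, and an object-level ownership check for the case where being authenticated is not enough. The User and Request types, the principals and the order records are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional


@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Request:
    path: str
    user: Optional[User] = None     # None means no authenticated session
    params: dict = field(default_factory=dict)


# Constructed sample principals and records for the demonstration.
ALICE = User("alice", frozenset({"user"}))
ADMIN = User("root", frozenset({"user", "admin"}))
ORDERS = {"o-1": {"owner": "alice", "total": 10}, "o-2": {"owner": "bob", "total": 25}}


def require_authenticated(handler: Callable) -> Callable:
    """Item 6: refuse the request before the handler runs unless a user is set."""
    @wraps(handler)
    def wrapper(req: Request):
        if req.user is None:
            return (401, "authentication required")
        return handler(req)
    return wrapper


def require_role(role: str) -> Callable:
    """Item 7: role check layered on top of the authentication check."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        @require_authenticated
        def wrapper(req: Request):
            if role not in req.user.roles:
                return (403, f"role {role!r} required")
            return handler(req)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(req: Request):
    return (200, f"deleted {req.params['name']}")


@require_authenticated
def view_order(req: Request):
    """Item 7, object level: the record must belong to the caller or the
    caller must be an admin; a valid login alone does not grant access."""
    order = ORDERS.get(req.params["id"])
    if order is None:
        return (404, "no such order")
    if order["owner"] != req.user.name and "admin" not in req.user.roles:
        return (403, "not your order")
    return (200, order)
```

In review, look for the decorator (or the equivalent check) on every handler the patch adds or changes, and for an ownership comparison wherever a handler looks up a record by an identifier taken from the request.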

8- The patch does not perform a redirect based on user-controllable data:

Ensures that proper checks have been made to prevent open redirects and HTTP response splitting attacks.

Code Review Tasks:

    • Ensure that the code does not perform a redirect or forward operation using data retrieved from the request.
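As an added example (not code from the original checklist), the functions below show the preferred pattern, where the request supplies only a key into a server-owned table of targets, and a fallback validator for cases where a relative path must be accepted, which also rejects the CR/LF characters that enable response splitting. The target table, the allowed host and the default location are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed for the demonstration.
DEFAULT_AFTER_LOGIN = "/home"
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}
REDIRECT_TABLE = {
    "dash": "/dashboard",
    "orders": "/orders",
    "help": "https://app.example.com/help",
}


def redirect_by_key(key, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Preferred: the request names a key; the server owns every target."""
    return REDIRECT_TABLE.get(key, default)


def safe_redirect_target(next_param, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Fallback when a path from the request must be honoured."""
    if not isinstance(next_param, str) or not next_param:
        return default
    # CR/LF in a Location header is what makes response splitting possible;
    # NUL is rejected for the same reason.
    if any(ch in next_param for ch in "\r\n\0"):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an exactly whitelisted host. Exact set
        # membership also rejects userinfo or port tricks in the netloc.
        if parts.scheme == "https" and parts.netloc in ALLOWED_REDIRECT_HOSTS:
            return next_param
        return default
    # Relative URL: exactly one leading slash. "//host" and "/\host" are
    # treated as protocol-relative (off-site) by browsers.
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return default
    return next_param
```

The reviewer's question for this item is whether the redirect target is chosen by the server (table lookup) or merely filtered; the first is easier to verify, the second needs the control-character and protocol-relative checks shown above.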

9- The patch does not disable any security configuration accidentally:

Ensures that proper controls are in place to prevent insecure configuration issues.

Code Review Tasks:

    • Ensure that no security-related configuration settings have been turned off accidentally.