Secure Software
This note is about designing and creating software with exceptionally good data security. Related to web server exploits, cryptography, web authentication and penetration testing. This note is more about general software security.
Make maintaining data security a role. One developer should be assigned as the data security specialist: someone who is interested in software security in general. This helps to integrate security into the entire software development lifecycle.
Use accepted security features instead of inventing your own. Seriously, if you are not a full-time security expert, do not even think about implementing security related features yourself. Always use mature and tested algorithms and libraries. When building software, only consider using open source third party code. Also double check the source code if it is not mainstream.
Do not use hard-coded credentials. Hard coding a secret password or key into your code is bad because it is hard to change. Always store passwords, keys and other credentials outside of the code in a strongly encrypted configuration file or database.
Protect your configuration files. Your configuration files should be as well protected as the source code. Configuration files usually contain passwords and might help attackers to penetrate your system.
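The two points above (no hard-coded credentials, protected configuration files) as a worked example. This is added example code, not part of the original note: secrets are read from an environment variable first, then from a JSON file that must be owner-only (mode 0600) or the loader refuses to use it. The file format, the secret names and the `0600` policy are assumptions for the example.

```python
import json
import os
import stat
from pathlib import Path
from typing import Dict, Optional


class InsecureConfigError(Exception):
    """Raised when a secrets file is readable or writable by other users."""


def _check_permissions(path: Path) -> None:
    """Refuse to read a secrets file that group or others can access."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(
            f"{path} has mode {oct(mode)}; secrets files must be 0600 (owner only)"
        )


def load_secret(name: str, config_path: Optional[Path] = None) -> str:
    """Return a secret by name: environment first, then a protected config file.

    Nothing here is hard-coded into the program; the value lives outside the code.
    """
    value = os.environ.get(name)
    if value:
        return value
    if config_path is None:
        raise KeyError(f"secret {name!r} is not set in the environment")
    _check_permissions(config_path)  # fail closed on a badly protected file
    with config_path.open() as fh:
        data = json.load(fh)
    try:
        return data[name]
    except KeyError:
        raise KeyError(f"secret {name!r} not found in {config_path}") from None


def write_secrets_file(path: Path, secrets: Dict[str, str]) -> None:
    """Create the secrets file with owner-only permissions from the first byte.

    Opening with mode 0o600 (instead of writing and then chmod-ing) avoids a
    window in which the file is world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(secrets, fh)
    os.chmod(path, 0o600)  # an existing file or a loose umask may have widened the mode


if __name__ == "__main__":
    # Constructed demo values; in a real deployment the operator provisions the file.
    cfg = Path("secrets.example.json")
    write_secrets_file(cfg, {"DB_PASSWORD": "constructed-example-password"})
    print(load_secret("DB_PASSWORD", cfg))
    cfg.unlink()
```

The check is deliberately strict: a file that a deploy script accidentally left at 0644 stops the service from starting rather than silently exposing the password to every local account.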
Analyse your code. Consider using static code analysis for security, as humans tend to miss the small details.
Maintain control over all of your inputs. Make sure you validate and sanitize all user provided inputs. Do not give external domains unnecessary authorization or visibility.
Maintain control over all of your outputs. Do not give out any information that might help attackers to crack your system.
Include solid authentication. Always consider using external libraries and frameworks for authentication.
Authorization is different from authentication. Even if the user is authentic, you need to confirm that the user has the privileges to use a feature. For example, User 1 should not be allowed to transfer money from User 2.
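The money-transfer example from the paragraph above in code. This is an added illustration, not part of the original note; the `Bank` and `Account` types, the cents-based balances and the account ids are constructed for the example. The point is that `actor` is the identity the authentication layer already established, and the transfer still has to check that this identity owns the source account.

```python
from dataclasses import dataclass, field
from typing import Dict


class AuthorizationError(PermissionError):
    """The authenticated user is not allowed to perform this action."""


@dataclass
class Account:
    owner: str
    balance: int  # amount in cents


@dataclass
class Bank:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def transfer_unchecked(self, src_id: str, dst_id: str, amount: int) -> None:
        """The broken version: trusts whatever account id the request names.

        Authentication told us who the caller is, but nothing here uses that
        fact, so any logged-in user can move money out of any account.
        """
        self.accounts[src_id].balance -= amount
        self.accounts[dst_id].balance += amount

    def transfer(self, actor: str, src_id: str, dst_id: str, amount: int) -> None:
        """The fixed version. `actor` is the *authenticated* user id.

        Authorization is a separate decision: the actor must own the source
        account. Everything else (positive amount, funds, existence of the
        destination) is ordinary input validation.
        """
        if amount <= 0:
            raise ValueError("amount must be positive")
        src = self.accounts[src_id]
        dst = self.accounts[dst_id]
        if src.owner != actor:
            # Do not leak account details in the message; log the attempt server-side.
            raise AuthorizationError(f"{actor} may not transfer from this account")
        if src.balance < amount:
            raise ValueError("insufficient funds")
        src.balance -= amount
        dst.balance += amount


def demo() -> Dict[str, int]:
    """Run a legitimate transfer and return the resulting balances (constructed data)."""
    bank = Bank({"acct-1": Account("user1", 1000), "acct-2": Account("user2", 500)})
    bank.transfer("user1", "acct-1", "acct-2", 300)
    return {k: v.balance for k, v in bank.accounts.items()}


if __name__ == "__main__":
    print(demo())
```

The ownership comparison is the whole difference between the two methods; a code reviewer should expect to find an equivalent check (or a policy-engine call) in every handler that names a resource by id.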
Restrict use of dangerous file types. When allowing users to include external files, limit the types that can be used. For example, if users can upload images to a site, it should not be possible to upload a PHP file and launch it.
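An upload validator for the image example above, which also serves the earlier point about controlling all inputs (allowlists rather than blocklists). This is added example code, not from the original note. The allowed-extension table and its magic-byte prefixes are the example's own assumptions; checking the declared extension against the file's leading bytes catches a script renamed to `.png`, and storing under a random server-chosen name means the user-supplied name never reaches the filesystem.

```python
import os
import secrets
from typing import Dict, Tuple

# Allowlist: permitted extension -> magic bytes a genuine file of that type starts with.
# (Constructed table for the example; extend it only with types you actually need.)
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """The upload failed validation; the caller should return a 4xx response."""


def validate_image_upload(filename: str, content: bytes) -> str:
    """Validate an uploaded image and return a safe name to store it under.

    Raises UploadRejected on anything outside the allowlist.
    """
    base = os.path.basename(filename)  # strip directory components such as ../../
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if "." in root:
        # Reject double extensions like image.php.png; some servers dispatch on the
        # first extension they recognise rather than the last one.
        raise UploadRejected("multiple extensions are not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match the declared type")
    # Never reuse the client's name on disk: random name plus the validated extension.
    return secrets.token_hex(16) + ext


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_image_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a script disguised as one.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("holiday.png", png_header))
    print(is_accepted("shell.php", b"<?php system($_GET['c']); ?>"))
```

Magic-byte checks are a sanity check, not a parser: the file still has to be served from a location where nothing executes it, and a real image library should decode (or re-encode) it before it is served back to other users.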
Encrypt your sensitive data. When you transfer data over an insecure connection, encrypt it. When you store sensitive data, encrypt it. When you save credentials on the user's machine (e.g. in a cookie), encrypt them. Basically, if you have sensitive data that is not currently being used, it should be encrypted.
Avoid mixing secure and insecure content. A common problem on web sites where the whole site could just as well be behind SSL. Consider applying HTTP Strict Transport Security (HSTS) on new web sites. Do not cache sensitive content on browsers.
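The HSTS and no-caching advice above as a small WSGI middleware, added here as an example and not taken from the original note. The path prefixes treated as sensitive, the one-year `max-age` and the demo application are assumptions for the example. Two details matter in practice: browsers only honour `Strict-Transport-Security` on responses received over HTTPS, so the header is added only when the request scheme is https, and `Cache-Control: no-store` is set on sensitive responses so that pages such as account settings do not survive in the browser cache.

```python
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Headers = List[Tuple[str, str]]
WSGIApp = Callable[[dict, Callable], Iterable[bytes]]

# One year, covering subdomains; choose the value deliberately, it is hard to undo.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def security_headers_middleware(
    app: WSGIApp, sensitive_prefixes: Sequence[str] = ("/account", "/api/")
) -> WSGIApp:
    """Wrap a WSGI app: add HSTS on HTTPS responses, forbid caching on sensitive paths."""
    prefixes = tuple(sensitive_prefixes)

    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "")
        is_https = environ.get("wsgi.url_scheme") == "https"
        sensitive = path.startswith(prefixes)

        def patched_start(status: str, headers: Headers, exc_info=None):
            # Drop any existing copies so the policy here is the one the client sees.
            drop = {"strict-transport-security"}
            if sensitive:
                drop |= {"cache-control", "pragma"}
            out = [(k, v) for k, v in headers if k.lower() not in drop]
            if is_https:  # HSTS over plain HTTP is ignored by browsers anyway
                out.append(("Strict-Transport-Security", HSTS_VALUE))
            if sensitive:
                out.append(("Cache-Control", "no-store"))
                out.append(("Pragma", "no-cache"))
            return start_response(status, out, exc_info)

        return app(environ, patched_start)

    return wrapped


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed application: returns a plain text body for every path."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Cache-Control", "max-age=60")])
    return [b"hello"]


def call(app: WSGIApp, path: str, scheme: str = "https") -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return str(captured["status"]), dict(captured["headers"]), body  # type: ignore[arg-type]


if __name__ == "__main__":
    secured = security_headers_middleware(demo_app)
    for p in ("/account/settings", "/public/logo.png"):
        print(p, call(secured, p)[1])
```

Setting these headers at the application layer is a reasonable default; on a larger deployment the same policy usually belongs in the reverse proxy so that every backend gets it, and the application code acts as a backstop.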
Sources
- http://cwe.mitre.org/top25/?2011