Essential Secure Coding Practices Every Developer Should Follow
This article presents practical secure coding guidelines—including input escaping, avoiding auto‑increment IDs, minimalist HTTP methods, least‑privilege design, mandatory HTTPS, strong encryption algorithms, and whitelist‑based execution—to help developers embed real‑time security into modern software.
Background
Software security is more critical than ever; embedding security directly into the development process creates multiple checkpoints and improves overall safety. The examples below use Java but apply to any language.
1. Escape User Input
SQL injection occurs when attacker-controlled input is concatenated into the text of a query, so the database parses it as SQL rather than treating it as data. The primary defence is a parameterized query (a PreparedStatement with bind parameters), which keeps the data out of the query text entirely. Escaping user input with a database-specific encoder, as in the second snippet below, is a fallback for the rare cases where a value cannot be bound; the escaping rules must match the target database's dialect exactly, and it cannot protect numeric or identifier positions at all.
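As an added example (not code from the original article), here is the same login query in three forms, in Python with the standard-library sqlite3 module so it runs stand-alone: the article's string-concatenated version, a quote-doubling escape (the rule the ESAPI Oracle codec applies), and a bind-parameter version. The user table, the password digest and the payload are all constructed for the demo; the same split applies to the page's Java snippets that follow.

```python
"""SQL injection demo: string-built query, escaped query, bind parameters (sqlite3)."""
import hashlib
import sqlite3

# Constructed sample users for the demo; not taken from the original article.
SAMPLE_USERS = [
    (1, "alice", "correct horse battery staple"),
    (2, "bob", "hunter2"),
]

# A user name that closes the string literal and comments out the password check.
INJECTION = "alice' --"


def _digest(password: str) -> str:
    # Demo only: production code stores a slow, salted password hash
    # (bcrypt, scrypt or Argon2), never a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """In-memory table mirroring the article's user_data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER PRIMARY KEY,"
        " user_name TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(uid, name, _digest(pw)) for uid, name, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user_name: str, password: str):
    """Like the article's risky code: the input becomes part of the SQL text."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + user_name
        + "' AND password_hash = '" + _digest(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_escaped(conn, user_name: str, password: str):
    """The escaping approach: double every single quote, which is what the
    ESAPI Oracle codec does. It stops this payload, but the rule is
    dialect-specific (MySQL also needs backslashes handled), and numeric or
    identifier positions cannot be protected by quoting at all."""
    safe_name = user_name.replace("'", "''")
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + safe_name
        + "' AND password_hash = '" + _digest(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, user_name: str, password: str):
    """Bind parameters: values travel separately from the SQL text, so a
    quote or comment marker in the input can never change the statement."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND password_hash = ?"
    row = conn.execute(query, (user_name, _digest(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", login_vulnerable(db, INJECTION, "wrong"))   # 1: check bypassed
    print("escaped:   ", login_escaped(db, INJECTION, "wrong"))      # None
    print("bound:     ", login_safe(db, INJECTION, "wrong"))         # None
```

The payload works against the concatenated query because the `--` comment removes the password clause; the bound version never sees a statement boundary change, which is why it is the default choice and escaping is the exception.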
Risky code (the request parameters become part of the SQL text):
String query = "SELECT user_id FROM user_data WHERE user_name = '" +
    req.getParameter("userID") +
    "' and user_password = '" + req.getParameter("pwd") + "'";
try {
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery(query);   // a quote in userID rewrites the query
} catch (SQLException e) {
    // handle or rethrow; the vulnerability is above, not here
}

Secure code (escaping with the OWASP ESAPI Oracle codec; prefer a PreparedStatement with bind parameters wherever the driver allows it):
Codec ORACLE_CODEC = new OracleCodec();
String query = "SELECT user_id FROM user_data WHERE user_name = '" +
    ESAPI.encoder().encodeForSQL(ORACLE_CODEC, req.getParameter("userID")) +
    "' and user_password = '" +
    ESAPI.encoder().encodeForSQL(ORACLE_CODEC, req.getParameter("pwd")) + "'";

2. Avoid Auto‑Increment Sequences
Predictable, sequential identifiers let an attacker enumerate every record simply by counting (the insecure direct object reference pattern). Keep the sequence value as the internal primary key, but expose a random, unguessable identifier such as a version 4 UUID in URLs and API responses. An unguessable identifier stops enumeration; it does not replace the authorization check that every request still needs.
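As an added example (not code from the original article), the following Python store keeps an internal sequence counter standing in for TESTING_SEQ.NEXTVAL but hands out a random public token, and its lookup still checks ownership. The class and record names are hypothetical and the sample data is constructed; the page's own Java snippets follow.

```python
"""Internal sequence key plus random public identifier, with an ownership check."""
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    internal_id: int    # sequence value; used only inside the service
    public_id: str      # random token; the only id that appears in URLs or APIs
    owner: str
    payload: str


class ResourceStore:
    """Keeps a sequential primary key but never reveals it.

    A sequential id tells the attacker that 41 exists once 42 does; a 128-bit
    random token does not, so scanning the id space finds nothing.
    """

    def __init__(self):
        self._next_id = 1            # stands in for the article's TESTING_SEQ.NEXTVAL
        self._records = {}           # public_id -> Record

    def create(self, owner: str, payload: str) -> str:
        internal_id = self._next_id
        self._next_id += 1
        public_id = secrets.token_urlsafe(16)     # 16 bytes from the OS CSPRNG
        self._records[public_id] = Record(internal_id, public_id, owner, payload)
        return public_id

    def get(self, public_id: str, requester: str):
        """An unguessable id is not authorization: still verify the requester."""
        rec = self._records.get(public_id)
        if rec is None or rec.owner != requester:
            return None              # identical answer for "missing" and "not yours"
        return rec.payload


def enumeration_hits(store: ResourceStore, candidate_ids, requester: str) -> int:
    """How many records an attacker reaches by guessing ids from a list."""
    return sum(1 for cid in candidate_ids if store.get(cid, requester) is not None)


if __name__ == "__main__":
    store = ResourceStore()
    mine = store.create("alice", "alice's report")          # constructed sample data
    print(store.get(mine, "alice"))                          # alice's report
    print(store.get(mine, "mallory"))                        # None
    print(enumeration_hits(store, map(str, range(1, 10_000)), "alice"))   # 0
```

Returning the same `None` for a missing record and for someone else's record keeps the store from confirming which ids exist, which is the other half of preventing enumeration.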
Risky code (the sequence value itself is handed out as the resource id):
String sqlIdentifier = "select TESTING_SEQ.NEXTVAL from dual";
PreparedStatement pst = conn.prepareStatement(sqlIdentifier);
synchronized (this) {
    ResultSet rs = pst.executeQuery();
    if (rs.next()) {
        long myId = rs.getLong(1);   // sequential: once 42 is seen, 1..41 are known to exist
    }
}

Secure code (keep the sequence internally, expose a random UUID):
import java.util.UUID;

String sqlIdentifier = "select TESTING_SEQ.NEXTVAL from dual";
PreparedStatement pst = conn.prepareStatement(sqlIdentifier);
synchronized (this) {                 // a database sequence is already atomic; this block is not what makes the id safe
    ResultSet rs = pst.executeQuery();
    if (rs.next()) {
        long internalId = rs.getLong(1);                    // internal primary key only
        String publicId = UUID.randomUUID().toString();     // the id that goes into URLs and responses
    }
}

3. Adopt Minimalist HTTP Methods
Expose only the HTTP verbs a resource actually needs, and answer every other verb with 405 Method Not Allowed plus an Allow header listing the supported ones, so that a read-only resource cannot be changed through a PUT or DELETE handler nobody reviewed. For existence checks, use HEAD rather than GET: it returns the same status and headers without the body, so the check never ships the representation.
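As an added example (not code from the original article), the routing function below implements that policy for the page's /User/id/{n} resource in Python: GET and HEAD are the only verbs it accepts, HEAD reuses the GET headers with an empty body, and every other verb gets 405 with an Allow header. It is a pure dispatch function rather than a full server, and the user table is constructed sample data.

```python
"""Minimal method dispatch: only GET and HEAD on the user resource, 405 otherwise."""
import json
import re
from http import HTTPStatus

# Constructed sample data; not from the original article.
USERS = {1: {"id": 1, "name": "alice"}, 2: {"id": 2, "name": "bob"}}

USER_ROUTE = re.compile(r"^/User/id/(\d+)$")
ALLOWED_METHODS = ("GET", "HEAD")          # the only verbs this resource exposes


def handle(method: str, path: str):
    """Return (status, headers, body) for one request.

    HEAD answers with exactly the headers GET would send but no body, so an
    existence check never ships the representation; any other verb gets 405
    plus an Allow header listing what the resource supports.
    """
    match = USER_ROUTE.match(path)
    if not match:
        return HTTPStatus.NOT_FOUND, {}, b""

    if method not in ALLOWED_METHODS:
        return (HTTPStatus.METHOD_NOT_ALLOWED,
                {"Allow": ", ".join(ALLOWED_METHODS)}, b"")

    user = USERS.get(int(match.group(1)))
    if user is None:
        return HTTPStatus.NOT_FOUND, {}, b""

    body = json.dumps(user).encode()
    headers = {"Content-Type": "application/json",
               "Content-Length": str(len(body))}
    if method == "HEAD":
        return HTTPStatus.OK, headers, b""   # Content-Length describes the body GET would send
    return HTTPStatus.OK, headers, body


if __name__ == "__main__":
    for method in ("GET", "HEAD", "DELETE", "PUT"):
        status, headers, body = handle(method, "/User/id/1")
        print(method, int(status), headers, body)
```

Checking the method before looking the record up keeps the 405 from leaking whether the id exists, and the explicit Allow header is what clients and scanners use to learn the surface you chose to expose.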
Risky request (a GET returns the whole representation when only existence matters):
GET http://localhost:8080/User/id/1

Secure request (a HEAD returns the same status and headers with no body):
HEAD http://localhost:8080/User/id/1

4. Principle of Least Privilege
Assign API permissions based on role requirements; avoid super‑user accounts that can access all data.
5. Enforce HTTPS Everywhere
Never serve sites or APIs over plain HTTP: everything in the request and response, session cookies and credentials included, can be read and modified by anyone on the network path, and modern browsers flag such pages as not secure. Serve HTTPS only, redirect HTTP to HTTPS, and send a Strict-Transport-Security header so browsers do not fall back to HTTP on later visits.
6. Reject Weak or Insecure Cryptographic Algorithms
Reject primitives at or below 80 bits of security strength, which NIST SP 800-131A disallows: MD5 (broken outright), SHA‑1 for signatures and other collision-sensitive uses, 1024‑bit RSA and DSA, ECDSA on 160‑bit curves, and two-key Triple DES (2TDEA). Three-key Triple DES (3TDEA, 112 bits) is deprecated and disallowed after 2023. Use SHA‑256 or stronger, RSA keys of at least 2048 bits, elliptic curves of at least 224 bits (P‑256, X25519/Ed25519) and AES, and pin those choices in configuration rather than trusting library defaults.
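As an added example covering sections 5 and 6 together (not code from the original article), the Python below builds a client TLS context that refuses anything below TLS 1.2 and any cipher suite using a disallowed primitive, refuses to issue a request to a non-https URL, and wraps hashlib so MD5 and SHA‑1 cannot be selected. The marker list and the helper names are this example's own; the OpenSSL cipher-string aliases it uses are standard ones.

```python
"""Client-side TLS and digest policy: HTTPS only, TLS 1.2+, no weak primitives."""
import hashlib
import ssl
from urllib.parse import urlsplit

# Substrings that identify suites built on primitives NIST SP 800-131A disallows
# or that are broken outright (RC4, DES/3DES, MD5, anonymous or null ciphers).
WEAK_SUITE_MARKERS = ("RC4", "DES", "MD5", "NULL", "ADH", "AECDH")
REJECTED_DIGESTS = {"md5", "sha1"}


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()          # chain validation + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange with AEAD ciphers only; the '!' entries make
    # the exclusions explicit even if the library defaults change under us.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES:!RC4")
    return ctx


def weak_suites(ctx: ssl.SSLContext):
    """Names of enabled cipher suites that use a disallowed primitive."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"].upper() for marker in WEAK_SUITE_MARKERS)]


def require_https(url: str) -> str:
    """Refuse to build a request to anything but an https:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing plain {parts.scheme or 'relative'} URL: {url}")
    return url


def digest(name: str, data: bytes) -> str:
    """hashlib wrapper that refuses MD5 and SHA-1 by name."""
    if name.lower() in REJECTED_DIGESTS:
        raise ValueError(f"{name} is not acceptable for new designs")
    return hashlib.new(name, data).hexdigest()


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS:", ctx.minimum_version.name)
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("weak suites:", weak_suites(ctx))          # []
    print(digest("sha256", b"abc"))
```

Run `weak_suites()` against every context your code creates as part of a unit test: it turns the policy in this section into a check that fails the build when someone loosens the cipher string or an upgrade changes the defaults.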
7. Whitelist Executable Code
When user input selects something to execute (a shell command, a report generator, a conversion tool), never pass the user's text to a shell. Map each permitted operation to a fixed program and argument list in a whitelist, look the operation up by name, validate every user-supplied argument against what that operation expects, and invoke the program with an argument array rather than a command string, so there is no shell to interpret quotes, semicolons or substitutions.
Example: a feature that lists a directory should run ls with a fixed argument list, accept only a path that resolves inside an allowed root, and reject any operation name that is not on the whitelist.
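As an added example (not code from the original article), the Python below implements that directory-listing case: an allowlist keyed by operation name, argument validation that resolves the requested path and checks it stays under an allowed root, and execution through an argv list with no shell. The operation names and the allowed-root parameter are this example's own; it assumes a POSIX system where ls and du are installed.

```python
"""Executing a user-selected command safely: allowlist, validated path, argv without a shell."""
import os
import shutil
import subprocess

# The only operations callers may request, each mapped to a fixed argv prefix.
# The names are hypothetical; a real list comes from the application's needs.
ALLOWED_COMMANDS = {
    "list": ("ls", "-l", "--"),        # "--" stops ls from reading the path as options
    "disk-usage": ("du", "-sh", "--"),
}


class CommandRejected(ValueError):
    """Raised for anything outside the allowlist or the allowed root."""


def validate_directory(user_path: str, allowed_root: str) -> str:
    """Resolve symlinks and '..' and insist the result stays under allowed_root."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise CommandRejected(f"path escapes {root}: {user_path!r}")
    if not os.path.isdir(target):
        raise CommandRejected(f"not a directory: {user_path!r}")
    return target


def build_command(name: str, user_path: str, allowed_root: str) -> list:
    """Look the operation up by name; the caller never supplies program text."""
    if name not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not in allowlist: {name!r}")
    program, *fixed_args = ALLOWED_COMMANDS[name]
    exe = shutil.which(program)
    if exe is None:
        raise CommandRejected(f"{program} is not installed")
    return [exe, *fixed_args, validate_directory(user_path, allowed_root)]


def run_command(name: str, user_path: str, allowed_root: str) -> str:
    """Run the argv list with shell=False: quoting, ';' or '$(...)' in the
    user's text reach the program as a literal path, never a shell."""
    argv = build_command(name, user_path, allowed_root)
    result = subprocess.run(argv, capture_output=True, text=True,
                            check=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    root = os.getcwd()
    print(run_command("list", ".", root))
    for bad_name, bad_path in (("rm", "."), ("list", ".."), ("list", "; id")):
        try:
            build_command(bad_name, bad_path, root)
        except CommandRejected as exc:
            print("rejected:", exc)
```

Three layers do the work: the allowlist decides what may run, the path check decides what it may touch, and the argv call decides how the input reaches the program. Escaping alone covers only the last layer, which is why the article pairs it with the whitelist.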
Conclusion
By adopting these secure coding practices—encryption, input validation, whitelisting, least‑privilege access, and always using HTTPS—development teams can significantly reduce the risk of security threats in their applications.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.