
KK What Should Every Programmer Know About Security

Every programmer should have a minimum knowledge of security principles to build secure applications. This includes never trusting inputs, validating all untrusted sources, planning for security from the start, keeping it simple to minimize risks, and using defense in depth. Some recommended resources to learn about application security are the books "Writing Secure Code 2nd Edition" and "Building Secure Software" as well as online documentation on secure programming practices.

Uploaded by

Smith F. John
Copyright
© All Rights Reserved

What should every programmer know about security?

I am an IT student and I am now in the 3rd year in university. Until now we've
been studying a lot of subjects related to computers in general (programming,
algorithms, computer architecture, maths, etc).


I am very sure that nobody can learn everything about security, but surely there is
a "minimum" knowledge every programmer or IT student should know about it,
and my question is: what is this minimum knowledge?
Can you suggest some e-books or courses or anything that can help to start on this
road?
security


edited Jul 3 '12 at 16:14

community wiki
5 revs, 3 users 50%
M.H

Quite similar to stackoverflow.com/questions/325862/ - Thomas, May 8 '10 at 12:21

Rule #1: Never trust user's input. Not even if it's your Grandmother - Anthony Forloney

..and this thread also has great information - stackoverflow.com/questions/72394/ at 12:28

my question isn't only about programmers and their mistakes, also about IT and computer science
students - Mohammad AL Hammod, May 8 '10 at 12:28

Watch your error messages. While you want to be user friendly, the difference between "This account does no
and "The password is invalid" can be dangerous in some cases. - Michael Mior, May 8 '12 at 2:26

16 Answers
475 votes, accepted

Principles to keep in mind if you want your applications to be secure:

Never trust any input!
Validate input from all untrusted sources - use whitelists not blacklists
Plan for security from the start - it's not something you can bolt on at the end
Keep it simple - complexity increases the likelihood of security holes
Keep your attack surface to a minimum
Make sure you fail securely
Use defence in depth
Adhere to the principle of least privilege
Use threat modelling
Compartmentalize - so your system is not all or nothing
Hiding secrets is hard - and secrets hidden in code won't stay secret for long
Don't write your own crypto
Using crypto doesn't mean you're secure (attackers will look for a weaker link)
Be aware of buffer overflows and how to protect against them


There are some excellent books and articles online about making your
applications secure:

Writing Secure Code 2nd Edition - I think every programmer should read this
Building Secure Software: How to Avoid Security Problems the Right Way
Secure Programming Cookbook
Exploiting Software
Security Engineering - an excellent read
Secure Programming for Linux and Unix HOWTO
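
An illustration of three points from this page (whitelists rather than blacklists, failing securely, and the comment about error messages), added here as an example and not part of the original answer. The user store, function names, username pattern and messages are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Allowlist: describe exactly what a valid username looks like; reject the rest.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
GENERIC_ERROR = "Invalid username or password."  # same text for every failure

def _hash(password, salt):
    # Standard-library KDF rather than a home-made scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data, for illustration only.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (_SALT, _hash("placeholder", _SALT))  # used when the user is unknown

def blocklist_ok(username):
    # Weak form: rejects only the characters someone thought of in advance.
    return not any(c in username for c in "'\";<>")

def allowlist_ok(username):
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None

def login(username, password, store=USERS):
    """Return (ok, message); every failure path denies with the same message."""
    try:
        if not allowlist_ok(username) or not isinstance(password, str):
            return False, GENERIC_ERROR
        known = username in store
        salt, expected = store[username] if known else _DUMMY
        # Hash even for unknown users so both paths do the same work.
        match = hmac.compare_digest(_hash(password, salt), expected)
        if known and match:
            return True, "Welcome."
        return False, GENERIC_ERROR
    except Exception:
        # Fail securely: an internal error must never turn into a login.
        return False, GENERIC_ERROR

if __name__ == "__main__":
    for name in ("alice", "alice\x00", "a" * 500):  # constructed inputs
        print(repr(name[:12]), blocklist_ok(name), allowlist_ok(name))
    print(login("alice", "correct horse"))
    print(login("alice", "wrong"), login("nobody", "wrong"))
    print(login("alice", "correct horse", store=None))
```

The blocklist accepts the NUL-containing and oversized names because nobody listed them as bad, while the allowlist rejects both; a broken store (`store=None`) denies access instead of raising.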
