Difference between revisions of "Secure Coding Cheat Sheet"

From OWASP
Jump to: navigation, search
(Concurrancy and Race Conditions)
Line 14: Line 14:
  
 
== User Authentication ==
 
== User Authentication ==
 +
 
Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Utilize_Multi-Factor_Authentication
 
Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Utilize_Multi-Factor_Authentication
  
 
=== Password Complexity ===
 
=== Password Complexity ===
  
For more information on password complexity, please see [https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls].
+
Please see [https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls].
  
 
= Session Management =
 
= Session Management =
  
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
  
 
= Access Control =
 
= Access Control =
  
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  
 
= Input Data Validation =
 
= Input Data Validation =
  
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
  
 
= Output Encoding =
 
= Output Encoding =
Line 66: Line 67:
 
= Unvalidated Redirects and Forwards Cheat Sheet =
 
= Unvalidated Redirects and Forwards Cheat Sheet =
  
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
  
 
= Common Vulnerabilities =
 
= Common Vulnerabilities =
 
 
  
 
== SQL Injection ==
 
== SQL Injection ==
Line 78: Line 77:
 
== Cross Site Scripting ==
 
== Cross Site Scripting ==
  
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
  
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  
 
== Cross Site Request Forgery ==
 
== Cross Site Request Forgery ==
  
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  
 
== Preventing Malicious Site Framing (ClickJacking) ==
 
== Preventing Malicious Site Framing (ClickJacking) ==
  
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers
+
Please see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers
  
 
== Insecure Direct Object references ==
 
== Insecure Direct Object references ==
  
https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
+
Please see https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
  
 
== References ==
 
== References ==

Revision as of 10:26, 8 January 2016

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

The goal of this document is to create high level guideline for secure coding practices. The goal is to keep the overall size of the document condensed and easy to digest. Individuals seeking addition information on the specific areas should refer to the included links to learn more.

How To Use This Document

The information listed below are generally acceptable secure coding practices; however, it is recommend that organizations consider this a base template and update individual sections with secure coding recommendations specific to the organization's policies and risk tolerance.

Secure Coding Policy

Always maintain a secure coding policy. List down the activities that are related to maintenance of secure coding standards (would these standards be technology specific or technology agnostic), feedback of code review output to training, input data validation, output data validation etc

Why should you be having a secure coding policy? It helps in maintaining consistency across organisation and helps in vertical and horizontal scaling of usage of standards for web development projects.

Authentication

User Authentication

Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Utilize_Multi-Factor_Authentication

Password Complexity

Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls.

Session Management

Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Access Control

Please see https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

Input Data Validation

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet

Output Encoding

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Output_Encoding

Secure Transmission / Network Layer security

Please see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Benefits

File Uploads

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads

Error Handling

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Error_Handling

Logging and Auditing

Please see https://www.owasp.org/index.php/Logging_Cheat_Sheet

Cryptography

Please see https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

Cookie Management

Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies

Secure Deployment

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Secure_Deployment

Unvalidated Redirects and Forwards Cheat Sheet

Please see https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Common Vulnerabilities

SQL Injection

Please see https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Cross Site Scripting

Please see https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

Please see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Please see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Cross Site Request Forgery

Please see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Preventing Malicious Site Framing (ClickJacking)

Please see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers

Insecure Direct Object references

Please see https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet

References

OWASP Cheat Sheets Project Homepage