Question

What kind of features should a programmer build into systems for your company in order to design for security? Think about the products that your company produces. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security design? How?

Answer 1

With our modern dependence on technology and security, nobody would dare to make this statement. Everyone knows how crucial security is and how it must be embedded into everything an organization does.

A strong security culture not only interacts with the day-to-day procedures, but also defines how security influences the things that your organization provides to others. Those offerings may be products, services, or solutions, but they must have security applied to all parts and pieces. A sustainable security culture is persistent. It is not a once-a-year event, but embedded in everything you do.

1. Instill the concept that security belongs to everyone.

2. Focus on awareness and beyond.

3. If you do not have a secure development lifecycle, get one now.

4. Build security community.

This things should be done by a programmer.

• White list when you can
• Black list when you can't whitelist
• Keep your contract as restrictive as possible
• Make sure you alert about the possible attack
• Avoid reflecting input back to a user
• Reject the web content before it gets deeper into application logic to minimize ways to mishandle untrusted data or, even better, use your web framework to whitelist input

Although this section focused on using input validation as a mechanism for protecting your form handling code, any code that handles input from an untrusted source can be validated in much the same way, whether the message is JSON, XML, or any other format, and regardless of whether it's a cookie, a header, or URL parameter string. Remember: if you don't control it, you can't trust it. If it violates the contract, reject it!