- Put a demilitarized zone (DMZ) between the web server and the application server: place a proxy server or firewall in front of the application server (i.e. between the web server and the application server) and enforce, in the firewall/host rules rather than only in application code, that the application server accepts requests solely from the proxy's/firewall's IP address. No outside client can then reach the application server directly.
- When deserializing untrusted input, deserialize into a DTO (a plain data holder) rather than into a domain object, so that no behaviour is inherited or triggered during construction. We only want the data, not any behaviour.
- Use TLS between client and server: it encrypts the traffic so it can neither be read nor tampered with in transit. (The older SSL protocol versions are obsolete; enable only TLS 1.2 or later.)
- Do not log unsanitized (untrusted) data. An attacker can inject newlines or fake entries to mislead whoever reads the logs. Where possible, validate the value against an allow-list regex and strip control characters before logging it.
- Do not hand out references to mutable internal objects; instead copy on the way in and on the way out (defensive copies) and work on the clone inside the API method. Otherwise a malicious API caller can alter the object after it has been validated.
- Keep validation failure messages generic. Always return "Invalid ID or password" rather than "Invalid ID", which would confirm to an attacker which user IDs exist.
- Methods that perform security checks should be private and not overridable (in Java: `private` or `final`), so that a subclass cannot bypass or replace them.
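The following is an added example, not code from the original post, showing several of the points above in Python: deserializing untrusted JSON into a behaviour-free DTO, sanitizing values before logging them, defensive copies of mutable state, a generic login failure message, and a security check that a subclass cannot override. All names (`UserDto`, `SafeAccount`, `LoginService`) and the in-memory credential store are hypothetical and constructed for the example.

```python
import copy
import hmac
import json
import re
from dataclasses import dataclass

# --- Deserialize into a DTO: data only, no behaviour ---
@dataclass(frozen=True)
class UserDto:
    """Pure data carrier; nothing here acts on the data."""
    user_id: int
    name: str

def parse_user(raw: str) -> UserDto:
    """Turn untrusted JSON into a UserDto.
    json.loads cannot instantiate arbitrary classes (unlike pickle), and we
    copy over only the expected fields, rejecting anything unexpected."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != {"user_id", "name"}:
        raise ValueError("unexpected fields in user payload")
    if not isinstance(obj["user_id"], int) or not isinstance(obj["name"], str):
        raise ValueError("wrong field types in user payload")
    return UserDto(user_id=obj["user_id"], name=obj["name"])

# --- Never log untrusted data as-is ---
# Allow-list: word characters, space, dot, @ and dash; everything else
# (including CR/LF, which an attacker uses to forge extra log lines) is replaced.
_UNSAFE_LOG_CHARS = re.compile(r"[^\w .@-]")

def sanitize_for_log(value: str, max_len: int = 64) -> str:
    """Strip control/unexpected characters and truncate before logging."""
    return _UNSAFE_LOG_CHARS.sub("_", value)[:max_len]

# --- Defensive copies of mutable objects ---
class SafeAccount:
    def __init__(self, roles: list):
        self._roles = copy.deepcopy(roles)   # copy on the way in

    def roles(self) -> list:
        return copy.deepcopy(self._roles)    # copy on the way out

# --- Generic failure message and a non-overridable check ---
_USERS = {"alice": "correct horse battery staple"}   # constructed sample store
_DUMMY_PASSWORD = "x" * 32

def _verify_credentials(user_id: str, password: str) -> bool:
    """Module-private checker. Callers invoke it directly, never through a
    method that a subclass could override."""
    expected = _USERS.get(user_id)
    if expected is None:
        # Still run a comparison so unknown and known IDs take a similar path.
        hmac.compare_digest(password, _DUMMY_PASSWORD)
        return False
    return hmac.compare_digest(expected, password)

class LoginService:
    def login(self, user_id: str, password: str) -> str:
        # Calls the module-level function, not self._verify_credentials(),
        # so overriding a method in a subclass cannot swap the check out.
        if _verify_credentials(user_id, password):
            return "OK"
        # Same message whether the ID or the password was wrong.
        return "Invalid ID or password"

class SubclassTryingToBypass(LoginService):
    def _verify_credentials(self, *_):       # never consulted by login()
        return True

if __name__ == "__main__":
    print(parse_user('{"user_id": 1, "name": "alice"}'))
    print(sanitize_for_log("bob\nFAKE LOG LINE"))
    print(SubclassTryingToBypass().login("alice", "wrong"))
```

The `login` method deliberately calls the module-level `_verify_credentials` rather than `self._verify_credentials`, which is the Python equivalent of making the check private and final: the subclass's version is simply never dispatched to.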
Secure Coding Practices
2022-03-13