Updated on 2025-05-22 GMT+08:00

SEC06-02 Establishing Secure Coding Specifications

Application security involves multiple phases, including requirements analysis, design, implementation, and deployment, among which implementation is an important phase. Establishing secure coding specifications helps the development team write more secure and high-quality code, reducing or even eliminating security risks caused by code errors.

  • Risk severity

    High

  • Key strategies
    • Release secure coding specifications for common programming languages used by the development team. The general secure coding specifications should include program input verification, program output coding, identity authentication, access control, secure encryption and decryption algorithms, exception handling, I/O operations, file uploads, serialization, and output formatting.
    • For languages used in web application scenarios, such as Java and Python, consider secure session management and SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) prevention.
    • For the C/C++ language, consider more about security risks such as buffer overflow, command injection, unsafe function usage, memory leaks, pointer manipulation errors, and array read/write boundary violations.
    • For JavaScript, consider more about security risks such as cross-site scripting (XSS) attacks.