Cyber Security – Software Developers

Build security in from the start. These tips help reduce common vulnerabilities and strengthen your delivery pipeline.

Top tips for secure software

  1. Input handling — validate on the server; prefer allow-lists; never trust client-side checks alone.
  2. Use parameterised queries/ORM — prevent SQL/NoSQL injection; avoid string-built queries.
  3. Authentication & sessions — use well-maintained libraries; enforce MFA for admin users; set secure cookie flags; short session lifetimes.
  4. Authorisation — check permissions server-side on every action; avoid relying on hidden fields or UI state.
  5. Secrets management — keep keys, API tokens and connection strings out of code; use vaults or platform secrets; rotate regularly.
  6. Dependency hygiene — pin versions; use SCA tools; update quickly on critical CVEs; prefer reputable packages.
  7. Code scanning — enable SAST/linters in CI; add DAST for web endpoints; treat “high” findings as blockers.
  8. Logging & observability — structured logs with unique IDs; no sensitive data; centralise and alert on anomalies.
  9. Rate limiting & abuse protections — throttling, CAPTCHA as needed, lockouts with care (avoid easy DoS).
  10. Secure file handling — validate MIME/extension, size limits, store outside web root, scan uploads.
  11. Cryptography — use platform libs; modern TLS; strong password hashing (e.g., Argon2/bcrypt/scrypt) with salt.
  12. Content security — Content Security Policy (CSP), output encoding, same-site cookies; protect against XSS/CSRF.
  13. Containers & cloud — minimal base images, run as non-root, scan images; least-privilege IAM roles; separate envs.
  14. Build pipeline security — MFA on Git hosting; branch protection; code reviews; signed commits/tags; protect CI secrets.
  15. SBOM & release integrity — generate an SBOM; sign artefacts; keep a reproducible build path.
  16. Secure defaults — deny by default; explicit CORS; tight timeouts; safe error messages.
  17. Privacy & data minimisation — collect only what you need; encrypt at rest/in transit; define retention.
  18. Incident playbooks — rollback strategy, feature flags, kill-switches, and a runbook for hotfixes.
  19. Document and automate — security checklists in PR templates; golden pipelines; template repos with baselines.
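
Tips 1 and 2 above, worked through in Python as an added example (not code from the original page): a string-built query beside its parameterised form, plus a server-side allow-list for the one part of a query that cannot be bound as a parameter (the sort column). The sqlite3 in-memory table and the user rows are constructed for the example; the function names are the example's own.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for a real user store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable form: the input is spliced into the SQL text, so a value
    # containing a quote can change the statement's logic (SQL injection).
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised form: the driver sends the value separately from the SQL,
    # so it is always treated as data and never as SQL syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Identifiers such as column names cannot be bound as parameters, so they are
# checked against a fixed allow-list on the server before being used at all.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}

def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe only because sort_by is now guaranteed to be one of the literals above.
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic test input: a quote that closes the literal
    print("unsafe:", find_user_unsafe(db, tautology))   # returns every row
    print("safe:  ", find_user_safe(db, tautology))     # returns nothing
    print("sorted:", list_users_sorted(db, "username"))
```

The same pattern applies to any driver that supports bound parameters (the placeholder is `%s` for psycopg and `?` for sqlite3 and most ODBC drivers); the allow-list check is the only sound option for identifiers, `LIMIT` clauses and other non-data fragments.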

Useful references