Questions tagged [secure-coding]

Topics related to coding patterns and best practices for avoiding common bugs and security holes.

Failure to adhere to secure coding practices may result in various classes of vulnerabilities such as buffer overflows, integer overflow or wraparound, command injection, improper sanitization of data, and more. Requirements and best practices for secure coding differ across programming languages. Manual code reviews and automated evaluation using static or dynamic code analysis tools can help improve code quality and promote more secure coding.

211 questions
6 votes, 2 answers

WhiteSpaces in .splintrc preprocessor directive -D

I want to run splint on some of my sources within a Debian stable environment. I need to give the preprocessor directive -DUINT16_T='unsigned short', and as I need that very often, I'd like to place it inside my .splintrc file. When running from…
5 votes, 4 answers

how to redirect page to https in php?

I have a login form:
...
I would like the login.php page to redirect using https. I don't want to send the user to https://.../login.php because they might change the link, but I want to do a…
Patrioticcow
5 votes, 3 answers

How can I securely erase a file?

Is there a Gem or means of securely erasing a file in Ruby? I'd like to avoid external programs that may not be present on the system. By "secure erase" I'm referring to overwriting the file contents.
Paul R Rogers
5 votes, 1 answer

char[] or StringBuilder for passwords?

So, because Strings are immutable, we use char[] instead of String to store passwords so that we can erase the characters when we're done with it. Is StringBuilder (or StringBuffer) as safe as a char[] in this case, because one can change the value of…
Michael
5 votes, 1 answer

Checkmarx scan - how to fix Missing_HSTS_Header warning?

After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header on this piece of code that just returns the content of the metadata.json file (highlighted as the source of the error is "res.json"). const app…
Jozef
5 votes, 6 answers

Secure Coding Guidelines for Python

Looking at the CERT Secure Standards (Example: https://www.securecoding.cert.org), there are specific standards, with great examples of what good and bad code looks like, for C, C++, Java, even Perl but not Python. Are there any Python specific…
rtphokie
5 votes, 1 answer

Secure API Key Android

I am currently working on a project which uses the Blogger API from Google. The day before yesterday (Saturday) someone attacked my application and grabbed the API Key. My daily limit for accessing posts is 100,000 (100K/24 hrs). I hit the limit on Saturday (I…
Nitin Misra
4 votes, 2 answers

CheckMarx Medium severity warning - HttpOnly cookie at Startup

CheckMarx is flagging an error which looks like a false positive to me. Our application is written in C# and uses ASP.NET Core. The error is: The web application's Startup method creates a cookie Startup, at line 22 of Startup.cs, and returns it in…
sashoalm
4 votes, 1 answer

Is limitation of accessibility for classes and their members a valid practice for more secure code?

According to Oracle Secure Coding Guideline Guideline 4-1/EXTEND-1 and Guideline 4-5/EXTEND-5 you should limit the accessibility of classes and their members as a security control against malicious override from an attacker. Design classes and…
4 votes, 3 answers

Are there any coding guidelines for the Android platform that focus on security?

Are there any good coding guidelines for the Android platform that focus on security? Thanks
Dan Largo
4 votes, 0 answers

Spring boot controller how to sanitize user input (request dto) in order to pass a Checkmarx

I have sample Spring Boot controller code like the following: @Slf4j @RestController public class PersonController { private final PersonService PersonService; public PersonController(PersonService PersonService) { this.PersonService =…
ttt
4 votes, 0 answers

Secure Coding Guidelines

There are the Secure Coding Guidelines for the Java Programming Language, Version 4.0. Is there something similar for Scala? If not, can you suggest Scala-specific ones?
user482745
3 votes, 1 answer

Require compiler to emit branchless/constant-time code

In cryptography, any piece of code that depends on secret data (such as a private key) must execute in constant time in order to avoid side-channel timing attacks. The most popular architectures currently (x86-64 and ARM AArch64) both support…
swineone
3 votes, 1 answer

Segmentation fault 11 when installing Ruby 3

I need to install Ruby 3.0.0 on my machine to upgrade my ROR application gems. I use RVM as version management, but when I write RVM install 3.0.0 I get this error: Error running '__rvm_make -j4', please read…
Hadii Varposhti
3 votes, 1 answer

A Path Traversal vulnerability in asp.net core

I already tried these solutions: "Does my code prevent directory traversal in C#?", "Is Path Traversal Vulnerabilities possible in my below code?", "How to prevent Path Traversal in .NET", "How to avoid Directory Traversal in my code". But still, Checkmarx…
gaurav bhavsar