kk what should every programmer know about security

Upload: hire-itskills

Post on 08-Mar-2016


What should every programmer know about security?

I am an IT student and I am now in the 3rd year in university. Until now we've been studying a lot of subjects related to computers in general (programming, algorithms, computer architecture, maths, etc).

I am very sure that nobody can learn everything about security, but surely there is a "minimum" knowledge every programmer or IT student should know about it, and my question is: what is this minimum knowledge?

Can you suggest some e-books or courses or anything that can help to start with this road?

Tags: security
Score: 355, favorites: 565
edited Jul 3 '12 at 16:14, community wiki (5 revs, 3 users, M.H 50%)

(5) Quite similar to stackoverflow.com/questions/325862/ - Thomas, May 8 '10 at 12:21

(92) Rule #1: Never trust user's input. Not even if it's your Grandmother - Anthony Forloney, May 8 '10 at 12:24

(2) ..and this thread also has the great information - stackoverflow.com/questions/72394/ - Sripathi Krishnan, May 8 '10 at 12:28

My question isn't only about programmers and their mistakes, also about IT and computer science students - Mohammad AL Hammod, May 8 '10 at 12:28

(1) Watch your error messages. While you want to be user friendly, the difference between "This account does not exist" and "The password is invalid" can be dangerous in some cases. - Michael Mior, May 8 '12 at 2:26

16 Answers

Accepted answer (475 votes):

Principles to keep in mind if you want your applications to be secure:

- Never trust any input!
- Validate input from all untrusted sources - use whitelists not blacklists
- Plan for security from the start - it's not something you can bolt on at the end
- Keep it simple - complexity increases the likelihood of security holes
- Keep your attack surface to a minimum
- Make sure you fail securely
- Use defence in depth
- Adhere to the principle of least privilege
- Use threat modelling
- Compartmentalize - so your system is not all or nothing
- Hiding secrets is hard - and secrets hidden in code won't stay secret for long
- Don't write your own crypto
- Using crypto doesn't mean you're secure (attackers will look for a weaker link)
- Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

- Writing Secure Code 2nd Edition - I think every programmer should read this
- Building Secure Software: How to Avoid Security Problems the Right Way
- Secure Programming Cookbook
- Exploiting Software
- Security Engineering - an excellent read
- Secure Programming for Linux and Unix HOWTO
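
To make the "use whitelists not blacklists" and "fail securely" points from the accepted answer concrete, here is an added example that is not part of the original thread. The username field, its format rule, the blacklist contents and the sample inputs are all assumptions constructed for illustration.

```python
import re

# Constructed sample values for an untrusted "username" field (assumption).
SAMPLES = [
    "alice_01",               # what the application actually expects
    "bob\x00admin",           # embedded NUL byte
    "../../etc/passwd",       # path-like value
    "\uff41dmin",             # fullwidth "a" (U+FF41) that only looks like ASCII
    "x" * 5000,               # oversized value
    "carol\nX-Injected: 1",   # embedded newline
    "O'Brien",                # contains a blacklisted quote
]

# Blacklist: enumerate known-bad substrings and accept everything else.
BLACKLIST = ("<", ">", "'", '"', ";", "--")

def blacklist_accepts(value):
    return not any(bad in value for bad in BLACKLIST)

# Whitelist: describe exactly what valid input looks like, reject the rest.
# fullmatch() is used so a trailing newline cannot slip past an end anchor.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def whitelist_accepts(value):
    """Fail securely: a wrong type or any mismatch is a rejection."""
    try:
        return USERNAME_RE.fullmatch(value) is not None
    except TypeError:  # None, bytes, int, ... are never valid usernames
        return False

def missed_by_blacklist(samples):
    """Values the blacklist lets through although they are not valid usernames."""
    return [s for s in samples
            if blacklist_accepts(s) and not whitelist_accepts(s)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s[:24]!r:32} blacklist={blacklist_accepts(s)!s:5} "
              f"whitelist={whitelist_accepts(s)}")
    print("accepted only by the blacklist:", len(missed_by_blacklist(SAMPLES)))
```

The whitelist also rejects "O'Brien", so the accepted format is a product decision to make explicitly; widening the pattern is safer than falling back to a blacklist.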