Security mistakes developers usually make
2 min readApr 30, 2021
Below are some common mistakes developers make while development. Most of these mistakes will not impact the functionality of the application so tendency is to make the mistake subconsciously. Security should be by design and it is not something we should integrate after the development.
OWASP guidelines should be taken as high priority in addition to this list.
- Writing sensitive information such as passwords in the paper or sticky notes (be it on your wooden desk, or OS desktop)
- Sharing credentials between team members
- Hard-coding sensitive information as plain text, including passwords in the application in configuration files, databases and comments
- Not encrypting the database
- Use of untrusted code from public internet forums without proper reviews and corrections
- Not encrypting and authorizing the communication channels such as API
- Not following the principle of least privileges
- Exposing server ports to public
- Not enforcing password policies (strong password, expiry policy, multi-factor-authentication)
- Not educating oneself on the secure coding practices
- Writing SQL in application code, instead of using stored procedures or ORM libraries
- Not validating/sanitizing user input values at server side
- Not having a session expiry policy
- Giving password hints on unsuccessful login attempts
- Not using custom exception pages, instead expose the debug messages to user
- No logging and monitoring
- Not making use of cryptography libraries
- Not writing unit testing code
- Not considering strong passwords, or modern captcha methods
- Not Automating static code analysis tools such as SonarQube
- Using untrusted sources for downloading libraries