Beginner Information Security Tips (Page 1)

Here are some basic concepts for security:

• Document features.
• Never trust user input.
• Web application firewalls are good, but don't just use them as a bandaid on top of bad code.
• Disable debug features in production.
• Perform pen testing.
• Use proper exception handling and logging.
• Don't just save logs. Review them. Manual review is pretty much impossible, but use something that analyzes logs to look for suspicious events and behavior.
• Make sure file octal permissions are correct.
• Install software updates on internet-facing systems. Old software will have known vulnerabilities.
• Perform proper monitoring (to catch things like reverse shells or exfiltration).
• Never reuse passwords.
• Don't have overly-permissive regular expression.
• Consider using kernel security modules.
• Always remember the principle of least privilege.
• Choose tools that make it easy to write secure code. For example, Rust makes memory safety easier than C++.
• Make sure you have proper memory management, otherwise you can encounter overflows or double free issues. Memory security features like ASLR are also good.
• If you're using software you didn't make (example: a web server or database), make sure you read about securing it properly first.
• If you don't know how to secure a feature you're planning on exposing to the internet, don't do it.
• Be aware of APTs, 0-days, and complicated exploits, but make sure you don't miss low-hanging fruit.
• What you want your code to do and what it actually does are two different things.
• Remember that security is an ongoing process and never absolute.
• Try to keep things simple. Complexity is the enemy of security.
• Perform proper unit, integration, and regression testing.
• Don't hardcode credentials.
• Never store passwords in plaintext.
• Don't assume things will go as planned.