Draft – Under Active Development
This page is a living document and is under active development. Content will be updated frequently as threats evolve, development practices mature, and feedback is incorporated. Developers should expect guidance to change and improve over time.
OWASP Core Secure Coding Principles
- Validate All Input: Treat all external input as untrusted.
- Encode All Output: Use context‑aware encoding.
- Least Privilege: Minimize access for users, code, and services.
- Authentication & Authorization: Centralized and consistent.
- Fail Securely: Errors must not leak internal details.
- Defense in Depth: Assume individual controls will fail.
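The six principles above worked through in Python, as an added example that is not part of this draft or of any OWASP or Ameren material: an allowlist validator, context-aware encoding of the same value for an HTML body and for a URL inside an attribute, and a request handler that fails securely by logging detail while returning only a generic message. The display-name field, its regex and all helper names are assumptions chosen for illustration.

```python
import html
import logging
import re
from urllib.parse import quote

log = logging.getLogger("secure_coding_example")

# Allowlist for a display name (an assumed field): letters, digits, space and a
# few punctuation marks, 1-64 characters. Anything else is rejected, not "cleaned".
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'_-]{1,64}$")


class ValidationError(ValueError):
    """Raised when input fails the allowlist check."""


def validate_display_name(raw) -> str:
    """Validate all input: the value is untrusted until it matches the allowlist."""
    if not isinstance(raw, str) or not DISPLAY_NAME_RE.fullmatch(raw):
        raise ValidationError("display name does not match the allowed pattern")
    return raw


def render_greeting_html(name: str) -> str:
    """Encode all output for the HTML body context. Validation already ran, but
    encoding is applied anyway (defense in depth): an apostrophe passes the
    allowlist and still must be escaped before it lands in markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def render_profile_link(name: str) -> str:
    """Same value, different context: percent-encode it as a URL path segment,
    then attribute-encode the whole href because it sits in an HTML attribute."""
    path = "/users/" + quote(name, safe="")
    return '<a href="' + html.escape(path, quote=True) + '">profile</a>'


def handle_request(raw_name) -> tuple:
    """Fail securely: the client receives a status code and a generic message;
    the detail goes to the log, where it does not leak internals to the caller."""
    try:
        name = validate_display_name(raw_name)
        return 200, render_greeting_html(name) + render_profile_link(name)
    except ValidationError as exc:
        log.warning("rejected input: %s", exc)
        return 400, "<p>Invalid request.</p>"
    except Exception:  # anything unexpected: log the traceback, say nothing specific
        log.exception("unhandled error while rendering greeting")
        return 500, "<p>An internal error occurred.</p>"
```

Note that the same string is encoded differently in the two render functions; choosing the encoder by the output context, rather than applying one "sanitize" step at input time, is what the "context-aware" wording in the principle means.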
Language‑Specific Considerations
JavaScript
- Avoid unsafe DOM manipulation with untrusted data.
- Protect APIs with authentication, authorization, and rate limiting.
- Avoid dynamic code execution such as eval().
Java
- Use prepared statements or ORM frameworks.
- Centralize security logic where possible.
- Rely on well‑maintained crypto and security libraries.
Python
- Use parameterized database queries.
- Be cautious with deserialization and reflection.
- Store secrets outside source code.
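The Java and Python points above worked in Python, as an added example that is not code from this draft or from any Ameren standard: a string-formatted query beside its parameterized equivalent (the same idea as a Java PreparedStatement), a pickle loader that refuses to instantiate classes next to a plain JSON loader, and a secret read from the environment instead of from source. The users table, its sample rows, the APP_DB_PASSWORD variable name and every helper name are assumptions constructed for the demo.

```python
import datetime
import io
import json
import os
import pickle
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows; not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable form: the caller's value is spliced into the SQL text, so an
    apostrophe in the value changes the statement itself."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '%s'" % name).fetchall()


def find_user_safe(conn, name: str) -> list:
    """Parameterized form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


class DataOnlyUnpickler(pickle.Unpickler):
    """pickle instantiates whatever classes the byte stream names. Refusing every
    class lookup limits a stream to plain data (dicts, lists, numbers, strings)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))


def load_pickled_data_only(blob: bytes):
    """Use only where pickle cannot be avoided; prefer load_settings_json."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def pickle_stream_is_data_only(blob: bytes) -> bool:
    """True when the stream loads under the data-only policy, False if it named a class."""
    try:
        load_pickled_data_only(blob)
    except pickle.UnpicklingError:
        return False
    return True


def constructed_pickles() -> tuple:
    """Two constructed streams for the demo: plain data, and an object whose
    stream names a class (datetime.date) and so must be refused."""
    return pickle.dumps({"theme": "dark"}), pickle.dumps(datetime.date(2024, 1, 1))


def load_settings_json(blob: bytes) -> dict:
    """Preferred: a data-only format that has no way to name code to run."""
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    return data


def database_password(env=None) -> str:
    """Secrets stay out of source: read APP_DB_PASSWORD (an assumed variable name)
    from the environment or an injected mapping, and fail if it is missing rather
    than falling back to a hard-coded default."""
    env = os.environ if env is None else env
    value = env.get("APP_DB_PASSWORD")
    if not value:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return value
```

The `env` parameter exists only so the secret lookup can be exercised without touching the real process environment; in production code the default path (os.environ, or a secret manager client in its place) is the one that runs.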
COBOL
- Validate all external inputs (files, MQ, APIs).
- Apply strong access controls to batch jobs and datasets.
- Pay close attention to integration boundaries.
Many vulnerabilities emerge at language and system boundaries.
Legacy platforms frequently inherit modern risks through integration layers.
OWASP Cheat Sheets
Additional Resources
- OWASP Top Ten
- OWASP Secure Coding Quick Reference
- Ameren Internal Secure Development & Threat Modeling Standards