**Chapter 12: Secure Coding Practices & Patterns**

## Introduction: The Last Line of Defense

While secure architecture and robust API design establish the perimeter of your application, the actual implementation—the lines of code written by developers—represents the final and most granular layer of security. A single misplaced string concatenation in a SQL query, an unescaped output in an HTML template, or an unchecked buffer size in a C program can render all your architectural security controls meaningless.

Secure coding is not about memorizing specific vulnerabilities; it is about adopting a defensive mindset where you assume all input is malicious, all external systems are compromised, and all internal failures are inevitable. This chapter provides language-agnostic principles supported by concrete implementations in Python, Java, C/C++, and JavaScript/TypeScript. We will follow the CWE (Common Weakness Enumeration) Top 25 and CERT Secure Coding Standards to ensure your code withstands both automated scanning and determined adversaries.

---

## 12.1 Input Validation and Output Encoding

Injection flaws remain the most dangerous and prevalent category of vulnerabilities. They occur when untrusted data is sent to an interpreter as part of a command or query. The defense is twofold: **validate on input** (ensuring data conforms to expectations) and **encode on output** (ensuring data cannot be interpreted as code).

### Input Validation Strategies

Validation must occur as early as possible, ideally at the application boundary (API layer), and should follow the **accept known good** (allowlist) approach rather than **reject known bad** (denylist).

**Validation Hierarchy:**
1. **Type validation** (is it an integer, string, boolean?)
2. **Range/Length validation** (is it within acceptable bounds?)
3. **Format validation** (does it match a regex pattern?)
4. **Business logic validation** (does it make sense in context?)

**Secure Validation Implementation (Python with Pydantic):**
```python
from pydantic import BaseModel, Field, EmailStr, validator
from typing import Optional
import re

class UserRegistration(BaseModel):
    """
    Strict input validation using Pydantic for Python APIs.
    Validation occurs automatically before business logic executes.
    """
    username: str = Field(
        ..., 
        min_length=3, 
        max_length=32,
        pattern=r'^[a-zA-Z0-9_]+$'  # Allowlist: alphanumeric and underscore only
    )
    email: EmailStr  # Built-in email validation
    age: int = Field(..., ge=13, le=120)  # Range validation
    bio: Optional[str] = Field(
        default=None, 
        max_length=500,
        pattern=r'^[\w\s\.\,\!\?\-]+$'  # Restrict special characters
    )
    role: str = Field(default="user")
    
    @validator('role')
    def prevent_privilege_escalation(cls, v):
        """
        Business logic validation: Prevent users from assigning themselves admin roles
        """
        forbidden_roles = ['admin', 'superuser', 'system']
        if v.lower() in forbidden_roles:
            raise ValueError('Invalid role specified')
        return v
    
    @validator('username')
    def prevent_reserved_names(cls, v):
        """
        Prevent username squatting on reserved system names
        """
        reserved = ['admin', 'root', 'system', 'api', 'www']
        if v.lower() in reserved:
            raise ValueError('Username reserved')
        return v

# Usage
try:
    user = UserRegistration(
        username="alice_smith",
        email="alice@example.com",
        age=25,
        bio="Software developer",
        role="admin"  # This will raise validation error
    )
except ValueError as e:
    # Log security event: Attempted privilege escalation
    logger.warning(f"Validation failed: {e}")
    raise
```

**Java Validation with Bean Validation (JSR 380):**
```java
import javax.validation.constraints.*;
import javax.validation.Valid;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import javax.validation.ConstraintViolation;

public class UserInput {
    
    @NotNull(message = "Username cannot be null")
    @Size(min = 3, max = 32, message = "Username must be between 3 and 32 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_]+$", message = "Username contains invalid characters")
    private String username;
    
    @NotNull
    @Email(message = "Invalid email format")
    private String email;
    
    @Min(value = 13, message = "Must be at least 13 years old")
    @Max(value = 120, message = "Invalid age")
    private int age;
    
    @Pattern(regexp = "^(user|moderator)$", message = "Invalid role")
    private String role = "user";
    
    // Getters and setters...
    
    public static void validateInput(UserInput input) {
        ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
        Validator validator = factory.getValidator();
        
        Set<ConstraintViolation<UserInput>> violations = validator.validate(input);
        
        if (!violations.isEmpty()) {
            // Convert to security event log
            String errors = violations.stream()
                .map(v -> v.getPropertyPath() + ": " + v.getMessage())
                .collect(Collectors.joining(", "));
            
            throw new ValidationException("Input validation failed: " + errors);
        }
    }
}
```

### Output Encoding Contexts

Encoding must be **context-aware**. The same string requires different encoding depending on whether it appears in HTML, JavaScript, SQL, CSS, or a URL.

**Context-Specific Encoding (JavaScript/Node.js):**
```javascript
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const he = require('he'); // HTML entities

const window = new JSDOM('').window;
const DOMPurify = createDOMPurify(window);

function encodeForContext(input, context) {
    switch(context) {
        case 'html':
            // For HTML content, use DOMPurify for rich text or he for plain text
            return he.encode(input, { useNamedReferences: true });
            
        case 'html_attribute':
            // Encode quotes for attribute contexts
            return input
                .replace(/&/g, '&amp;')
                .replace(/"/g, '&quot;')
                .replace(/'/g, '&#39;');
                
        case 'javascript':
            // JSON.stringify safely escapes for JavaScript string contexts
            return JSON.stringify(input);
            
        case 'css':
            // Strict CSS encoding
            if (/[^a-zA-Z0-9\-_]/.test(input)) {
                throw new Error('Invalid CSS identifier');
            }
            return input;
            
        case 'url':
            // Encode for URL parameters
            return encodeURIComponent(input);
            
        default:
            throw new Error('Unknown encoding context');
    }
}

// Example usage
const userInput = '<script>alert("xss")</script>';

// HTML context
const safeHtml = encodeForContext(userInput, 'html');
// Result: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

// JavaScript context
const safeJs = encodeForContext(userInput, 'javascript');
// Result: "<script>alert(\"xss\")</script>" (safely quoted)
```

### SQL Injection Prevention

Never construct SQL queries using string concatenation. Always use **parameterized queries** (prepared statements).

**Vulnerable Code (Multiple Languages):**

```python
# Python - NEVER DO THIS
query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
cursor.execute(query)

# Java - NEVER DO THIS
String query = "SELECT * FROM users WHERE username = '" + username + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
```

**Secure Implementation:**

```python
# Python with psycopg2 (PostgreSQL)
def authenticate_user(username, password):
    """
    Secure authentication using parameterized queries.
    The database driver handles all escaping automatically.
    """
    query = "SELECT id, password_hash FROM users WHERE username = %s AND active = true"
    
    # Parameters passed separately from query structure
    cursor.execute(query, (username,))
    user = cursor.fetchone()
    
    if user and bcrypt.checkpw(password.encode('utf-8'), user['password_hash']):
        return user['id']
    return None

# Python with SQLAlchemy ORM (Abstracts parameterization)
from sqlalchemy import select
from sqlalchemy.orm import Session

def get_user_secure(session: Session, user_id: int):
    """
    ORMs automatically parameterize queries.
    However, raw SQL in ORMs must still use bind parameters.
    """
    # Safe: ORM handles parameterization
    user = session.query(User).filter(User.id == user_id).first()
    
    # Also safe: Explicit parameterization
    stmt = select(User).where(User.id == user_id)
    user = session.execute(stmt).scalar_one_or_none()
    
    return user
```

```java
// Java with PreparedStatement
public User getUserById(int userId) throws SQLException {
    // Parameterized query - structure defined first, data bound later
    String sql = "SELECT id, username, email FROM users WHERE id = ? AND active = true";
    
    try (PreparedStatement pstmt = connection.prepareStatement(sql)) {
        // Type-safe binding prevents injection
        pstmt.setInt(1, userId);
        
        try (ResultSet rs = pstmt.executeQuery()) {
            if (rs.next()) {
                return mapResultSetToUser(rs);
            }
        }
    }
    return null;
}
```

```javascript
// Node.js with pg (PostgreSQL)
const { Pool } = require('pg');
const pool = new Pool();

async function getUserByEmail(email) {
    // $1 is placeholder for first parameter
    const query = {
        text: 'SELECT * FROM users WHERE email = $1 AND deleted_at IS NULL',
        values: [email],  // Array of values replaces placeholders
    };
    
    const result = await pool.query(query);
    return result.rows[0];
}
```

**Stored Procedures Caution:**
Stored procedures can prevent injection **only if** they don't construct dynamic SQL internally. If a stored procedure uses `EXEC()` or `eval()` with concatenated parameters, it is still vulnerable.

---

## 12.2 Memory-Safe Languages & Managing Memory Vulnerabilities

Memory safety bugs—buffer overflows, use-after-free, double-free—are responsible for approximately 70% of security vulnerabilities in systems software (Microsoft, Google security reports). Understanding these vulnerabilities is crucial whether you're writing C/C++ or reviewing code that interfaces with native libraries.

### Buffer Overflow Fundamentals

A buffer overflow occurs when a program writes beyond the allocated memory buffer, potentially overwriting adjacent memory including return addresses, function pointers, or metadata.

**Vulnerable C Code (Stack Overflow):**
```c
#include <stdio.h>
#include <string.h>

void vulnerable_function(char *user_input) {
    // Stack buffer: 64 bytes allocated
    char buffer[64];
    
    // DANGER: No bounds checking - strcpy copies until null byte
    strcpy(buffer, user_input);
    
    printf("Buffer contents: %s\n", buffer);
}

int main(int argc, char **argv) {
    if (argc > 1) {
        // If argv[1] > 64 bytes, stack corruption occurs
        vulnerable_function(argv[1]);
    }
    return 0;
}
```

**Exploitation Mechanics:**
1. Input of 64 bytes fills the buffer
2. Input of 72 bytes overwrites the saved frame pointer
3. Input of 80 bytes overwrites the return address
4. Attacker can redirect execution to shellcode

**Secure C Implementation:**
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUFFER_SIZE 64

void secure_function(const char *user_input) {
    char buffer[BUFFER_SIZE];
    
    // Safe: strncpy limits copy, but has null-termination issues
    strncpy(buffer, user_input, BUFFER_SIZE - 1);
    buffer[BUFFER_SIZE - 1] = '\0';  // Ensure null termination
    
    printf("Buffer contents: %s\n", buffer);
}

// Better approach: Explicit length checking
void safer_function(const char *user_input) {
    size_t input_len = strlen(user_input);
    
    if (input_len >= BUFFER_SIZE) {
        fprintf(stderr, "Error: Input too long (%zu bytes, max %d)\n", 
                input_len, BUFFER_SIZE - 1);
        return;
    }
    
    char buffer[BUFFER_SIZE];
    memcpy(buffer, user_input, input_len);
    buffer[input_len] = '\0';
    
    printf("Buffer contents: %s\n", buffer);
}

// Best practice: Use safer alternatives
void best_practice_function(const char *user_input) {
    char buffer[BUFFER_SIZE];
    
    // strlcpy is designed to be safe (BSD, not standard C99)
    // On Linux, use strncpy_s (C11) or implement safe copy
    #ifdef __STDC_LIB_EXT1__
        strncpy_s(buffer, sizeof(buffer), user_input, sizeof(buffer) - 1);
    #else
        // Manual safe copy
        size_t i;
        for (i = 0; i < sizeof(buffer) - 1 && user_input[i]; i++) {
            buffer[i] = user_input[i];
        }
        buffer[i] = '\0';
    #endif
    
    printf("Buffer contents: %s\n", buffer);
}
```

### Heap Exploitation and Use-After-Free

Heap vulnerabilities are more complex but equally dangerous, often used for modern exploitation when stack protections are enabled.

**Vulnerable C++ Code:**
```cpp
#include <iostream>
#include <cstring>

class UserData {
public:
    char name[64];
    void (*process_func)(const char*);
};

void privileged_function(const char* data) {
    std::cout << "Executing privileged operation with: " << data << std::endl;
}

void standard_function(const char* data) {
    std::cout << "Standard operation: " << data << std::endl;
}

int main() {
    UserData* user = new UserData();
    user->process_func = standard_function;
    strcpy(user->name, "Regular User");
    
    // ... later in code ...
    delete user;
    
    // Use-after-free: Dangling pointer used after deletion
    // Attacker might have reallocated this memory with controlled data
    user->process_func("malicious data");  // CRASH or arbitrary code execution
    
    return 0;
}
```

**Modern C++ Secure Alternatives:**
```cpp
#include <iostream>
#include <string>
#include <memory>
#include <vector>
#include <algorithm>

// Use smart pointers for automatic memory management
void secure_heap_usage() {
    // std::unique_ptr automatically frees memory when out of scope
    auto user = std::make_unique<UserData>();
    user->process_func = standard_function;
    
    // std::string handles memory safely
    std::string name = "Regular User";
    
    // No manual delete needed - memory freed automatically when function returns
    user->process_func(name.c_str());
}  // Memory freed here automatically

// For arrays, use std::vector instead of C arrays
void secure_array_handling() {
    std::vector<char> buffer(64);  // Safe, resizable, bounds-checked
    
    std::string input = get_user_input();
    
    // Prevent overflow
    size_t copy_len = std::min(input.size(), buffer.size() - 1);
    std::copy_n(input.begin(), copy_len, buffer.begin());
    buffer[copy_len] = '\0';
    
    std::cout << "Safe buffer: " << buffer.data() << std::endl;
}

// Use std::string for all string operations
void secure_string_operations() {
    std::string user_input = get_untrusted_input();
    
    // All operations are bounds-checked
    if (user_input.length() > 1000) {
        throw std::length_error("Input too long");
    }
    
    std::string processed = sanitize(user_input);
    // No buffer overflows possible
}
```

### Memory Safety in Rust

Rust provides memory safety without garbage collection through its ownership system.

```rust
// Rust prevents buffer overflows at compile time
fn process_input(input: &str) -> Result<String, Box<dyn std::error::Error>> {
    // String is dynamically sized but bounds-checked
    let mut buffer = String::with_capacity(64);
    
    // Truncate safely if too long
    if input.len() > 64 {
        buffer.push_str(&input[..64]);
    } else {
        buffer.push_str(input);
    }
    
    // Vector access is bounds-checked
    let data: Vec<u8> = vec![0; 100];
    match data.get(150) {  // Safe: returns None instead of crashing
        Some(val) => println!("Value: {}", val),
        None => println!("Index out of bounds"),
    }
    
    // Ownership prevents use-after-free
    let data = String::from("sensitive");
    let reference = &data;  // Borrow
    println!("{}", reference);
    // data is still valid here
    
    // Cannot use after move
    let moved = data;  // Ownership transferred
    // println!("{}", data);  // Compile error! data was moved
    
    Ok(buffer)
}
```

### Compiler Protections and Mitigations

When you must use C/C++, enable all available protections:

**GCC/Clang Security Flags:**
```bash
# Compile with extensive protections
gcc -o secure_app source.c \
    -fstack-protector-strong \    # Stack canaries
    -fstack-clash-protection \    # Stack clash protection
    -D_FORTIFY_SOURCE=2 \         # Buffer overflow detection
    -Wformat -Wformat-security \  # Format string warnings
    -fPIE -pie \                  # Position Independent Executable
    -Wl,-z,relro,-z,now \         # Full RELRO (GOT protection)
    -Wl,-z,noexecstack            # Non-executable stack
```

**Runtime Protections:**
- **ASLR** (Address Space Layout Randomization): Randomizes memory locations
- **DEP/NX** (Data Execution Prevention): Marks stack/heap as non-executable
- **Stack Canaries**: Detect stack buffer overflows before return
- **CFI** (Control-Flow Integrity): Ensures function calls go to valid targets

---

## 12.3 Secure Error Handling and Exception Management

Error handling is often overlooked in security architecture, yet it directly impacts availability (DoS resistance) and confidentiality (information disclosure).

### Fail-Safe Defaults

Systems should default to a secure state when errors occur.

**Insecure Fail-Open Pattern:**
```python
def check_access(user, resource):
    try:
        permission = db.query_permission(user.id, resource.id)
        return permission.granted  # If exception, returns None (falsy)
    except DatabaseError:
        # DANGER: Returns True on error - fail open!
        return True
```

**Secure Fail-Closed Pattern:**
```python
def check_access(user, resource):
    """
    Default deny: Any error results in access denied.
    """
    try:
        permission = db.query_permission(user.id, resource.id)
        return permission.granted if permission else False
    except DatabaseError as e:
        # Log security event for investigation
        logger.error(f"Access check failed for user {user.id}", exc_info=True)
        
        # Alert security team of potential availability attack
        security_monitor.alert({
            'type': 'access_control_failure',
            'user': user.id,
            'resource': resource.id,
            'error': str(e)
        })
        
        # Fail secure: Deny access when uncertain
        return False
```

### Exception Safety and Resource Management

In languages with exceptions, ensure resources are always released, even during error conditions (RAII - Resource Acquisition Is Initialization).

**Java Try-With-Resources (Secure):**
```java
public void processFile(String filename) throws IOException {
    // Automatically closes file even if exception occurs
    try (BufferedReader reader = new BufferedReader(new FileReader(filename))) {
        String line;
        while ((line = reader.readLine()) != null) {
            processLine(line);
        }
    } catch (FileNotFoundException e) {
        // Log but don't expose path structure
        logger.warn("File processing failed: {}", hashFilename(filename));
        throw new ProcessingException("Unable to process requested file");
    }
    // File closed automatically here, even if exception thrown
}
```

**Python Context Managers:**
```python
from contextlib import contextmanager
import tempfile
import os

@contextmanager
def secure_temp_file(suffix='.tmp'):
    """
    Context manager ensures temp file is securely deleted
    even if exceptions occur.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        os.chmod(path, 0o600)  # Restrictive permissions immediately
        yield path
    finally:
        try:
            os.close(fd)
            os.unlink(path)  # Secure deletion
        except OSError:
            logger.error(f"Failed to cleanup temp file: {path}")

# Usage
with secure_temp_file() as temp_path:
    with open(temp_path, 'w') as f:
        f.write(sensitive_data)
    process_file(temp_path)
# File automatically deleted here, guaranteed
```

### Information Disclosure Prevention

Error messages must balance user assistance with security. Never expose:
- Stack traces to end users
- Database schema details
- Internal file paths
- System configuration details
- Specific versions of software (fingerprinting)

**Secure Error Handling Middleware (Node.js/Express):**
```javascript
class ApplicationError extends Error {
    constructor(message, statusCode = 500, isOperational = true) {
        super(message);
        this.statusCode = statusCode;
        this.isOperational = isOperational; // True for expected errors, false for bugs
        Error.captureStackTrace(this, this.constructor);
    }
}

// Operational errors: Invalid input, auth failures, not found
// Programmer errors: Null reference, undefined method, syntax errors

const errorHandler = (err, req, res, next) => {
    const requestId = req.id || uuid();
    
    if (err.isOperational) {
        // Known error type, safe to return details to client
        logger.info(`Operational error [${requestId}]: ${err.message}`);
        
        return res.status(err.statusCode).json({
            status: 'error',
            message: err.message,
            code: err.code || 'OPERATIONAL_ERROR',
            requestId: requestId
        });
    }
    
    // Programming error or unknown exception
    // Log full details for debugging
    logger.error(`Unexpected error [${requestId}]:`, {
        message: err.message,
        stack: err.stack,
        path: req.path,
        method: req.method,
        body: sanitizeLogBody(req.body)  // Remove passwords/pii from logs
    });
    
    // Send generic response to client
    res.status(500).json({
        status: 'error',
        message: 'An unexpected error occurred',
        requestId: requestId  // For support correlation without exposing internals
    });
};

// Usage in routes
app.get('/api/users/:id', async (req, res, next) => {
    try {
        const user = await User.findById(req.params.id);
        if (!user) {
            throw new ApplicationError('User not found', 404, true);
        }
        res.json(user);
    } catch (err) {
        next(err);  // Pass to error handler
    }
});
```

### Sensitive Data in Logging

**Never log:**
- Passwords
- API keys/Secrets
- Session tokens
- PII (Personally Identifiable Information): SSNs, credit cards, health records
- Encryption keys

**Log Sanitization (Python):**
```python
import copy
import re

SENSITIVE_PATTERNS = [
    (re.compile(r'password["\s:]+[^,"\s]+'), 'password": "[REDACTED]'),
    (re.compile(r'api_key["\s:]+[^,"\s]+'), 'api_key": "[REDACTED]'),
    (re.compile(r'credit_card["\s:]+[^,"\s]+'), 'credit_card": "[REDACTED]'),
    (re.compile(r'ssn["\s:]+[^,"\s]+'), 'ssn": "[REDACTED]'),
]

def sanitize_for_logging(obj):
    """
    Deep copy and sanitize object before logging.
    """
    if isinstance(obj, dict):
        sanitized = {}
        for key, value in obj.items():
            # Case-insensitive key check
            if any(secret in key.lower() for secret in ['password', 'secret', 'key', 'token', 'auth']):
                sanitized[key] = '[REDACTED]'
            else:
                sanitized[key] = sanitize_for_logging(value)
        return sanitized
    elif isinstance(obj, list):
        return [sanitize_for_logging(item) for item in obj]
    elif isinstance(obj, str):
        # Apply regex patterns for inline secrets
        result = obj
        for pattern, replacement in SENSITIVE_PATTERNS:
            result = pattern.sub(replacement, result)
        return result
    else:
        return obj

# Usage
user_input = {
    "username": "alice",
    "password": "SuperSecret123!",
    "profile": {
        "api_key": "sk_live_abcdef123456",
        "bio": "Hello world"
    }
}

logger.info("User registration attempt", extra={
    "data": sanitize_for_logging(user_input)
})
# Logs: {"username": "alice", "password": "[REDACTED]", "profile": {"api_key": "[REDACTED]", "bio": "Hello world"}}
```

---

## 12.4 Secure Configuration Management

Applications often run with excessive privileges or contain hardcoded secrets. Secure configuration follows the **12-Factor App** methodology and defense in depth.

### Secrets Management

**Anti-Patterns to Avoid:**
```python
# NEVER: Hardcoded credentials
DATABASE_PASSWORD = "SuperSecret123!"

# NEVER: Committed config files with secrets
config = {
    "api_key": "sk_live_actual_key_here",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\n..."
}

# NEVER: Environment variables for high-value secrets (visible in /proc, ps, debugging tools)
import os
api_key = os.environ['API_KEY']  # Better than hardcoded, but still exposed
```

**Secure Secrets Management Pattern:**

```python
from abc import ABC, abstractmethod
import os
from typing import Optional

class SecretProvider(ABC):
    """Abstract base for secret retrieval"""
    
    @abstractmethod
    def get_secret(self, key: str) -> Optional[str]:
        pass

class EnvironmentProvider(SecretProvider):
    """For development only - low security"""
    def get_secret(self, key: str) -> Optional[str]:
        return os.environ.get(key)

class AWS SecretsManagerProvider(SecretProvider):
    """Production-grade secret management"""
    def __init__(self, region_name='us-east-1'):
        import boto3
        self.client = boto3.client('secretsmanager', region_name=region_name)
    
    def get_secret(self, key: str) -> Optional[str]:
        try:
            response = self.client.get_secret_value(SecretId=key)
            return response['SecretString']
        except Exception as e:
            logger.error(f"Failed to retrieve secret {key}: {e}")
            return None

class HashiCorpVaultProvider(SecretProvider):
    """Enterprise secret management"""
    def __init__(self, vault_addr, role_id, secret_id):
        import hvac
        self.client = hvac.Client(url=vault_addr)
        self.client.auth.approle.login(
            role_id=role_id,
            secret_id=secret_id
        )
    
    def get_secret(self, path: str) -> Optional[str]:
        try:
            secret = self.client.secrets.kv.v2.read_secret_version(path=path)
            return secret['data']['data']
        except Exception as e:
            logger.error(f"Vault access failed: {e}")
            return None

# Usage with caching and rotation support
class SecureConfig:
    def __init__(self, provider: SecretProvider):
        self.provider = provider
        self._cache = {}
        self._cache_ttl = 300  # 5 minutes
        self._cache_times = {}
    
    def get(self, key: str, use_cache: bool = True) -> str:
        import time
        
        # Check cache
        if use_cache and key in self._cache:
            if time.time() - self._cache_times[key] < self._cache_ttl:
                return self._cache[key]
        
        # Fetch from provider
        value = self.provider.get_secret(key)
        if value is None:
            raise ConfigurationError(f"Required secret {key} not found")
        
        # Update cache
        self._cache[key] = value
        self._cache_times[key] = time.time()
        
        return value
    
    def clear_cache(self):
        """Clear sensitive data from memory"""
        import gc
        self._cache.clear()
        self._cache_times.clear()
        gc.collect()

# Dependency injection in application
def create_app():
    if os.environ.get('ENV') == 'production':
        provider = AWSSecretsManagerProvider()
    else:
        provider = EnvironmentProvider()
    
    config = SecureConfig(provider)
    
    app = Flask(__name__)
    app.config['DB_PASSWORD'] = config.get('db/password')
    return app
```

### Principle of Least Privilege

Applications should run with the minimum permissions necessary.

**Linux Capability Dropping (Python):**
```python
import os
import sys
import prctl  # python-prctl library

def drop_privileges():
    """
    Drop from root to unprivileged user after binding to privileged port.
    """
    if os.getuid() != 0:
        return  # Not running as root
    
    # Get target user
    import pwd
    nobody = pwd.getpwnam('nobody')
    
    # Remove all capabilities except binding to low ports (if needed)
    prctl.capbset.limit(prctl.CAP_NET_BIND_SERVICE)
    
    # Set supplementary groups
    os.setgroups([])
    
    # Switch to unprivileged user
    os.setgid(nobody.pw_gid)
    os.setuid(nobody.pw_uid)
    
    # Verify we cannot regain privileges
    os.setuid(0)  # This should fail
    if os.getuid() == 0:
        sys.exit("Failed to drop privileges")

# Usage
if __name__ == '__main__':
    # Bind to port 443 (requires root)
    server = create_server(port=443)
    
    # Immediately drop privileges
    drop_privileges()
    
    # Now running as 'nobody', even if exploited, limited damage
    server.run()
```

**Database Access Control:**
```sql
-- Create application-specific database user with minimal privileges
CREATE USER 'app_readonly'@'%' IDENTIFIED BY 'strong_random_password';

-- Grant only necessary permissions (no DROP, no DELETE on sensitive tables)
GRANT SELECT ON app_database.public_data TO 'app_readonly'@'%';
GRANT INSERT,UPDATE ON app_database.audit_log TO 'app_readonly'@'%';

-- Explicitly revoke dangerous permissions
REVOKE ALL PRIVILEGES ON *.* FROM 'app_readonly'@'%';
REVOKE SUPER, FILE, PROCESS ON *.* FROM 'app_readonly'@'%';

-- Application cannot:
-- - Drop tables
-- - Access other databases
-- - Read files from server (FILE privilege)
-- - See other users' processes
```

### Secure Defaults

Configure systems to be secure by default, requiring explicit action to reduce security.

```yaml
# Example secure configuration file (YAML)
application:
  security:
    # Encryption
    encryption:
      algorithm: AES-256-GCM  # Only secure algorithms
      key_rotation_days: 90
    
    # Session management
    sessions:
      cookie_secure: true      # HTTPS only
      cookie_httponly: true    # No JavaScript access
      cookie_samesite: Strict  # CSRF protection
      timeout_minutes: 30      # Short sessions
      sliding_refresh: false   # Require re-auth periodically
    
    # Input handling
    input:
      max_request_size: 10MB
      max_json_depth: 10       # Prevent stack exhaustion
      allowed_content_types:   # Allowlist approach
        - application/json
        - multipart/form-data
    
    # Error handling
    error_reporting:
      show_details: false      # Production: no stack traces
      log_level: INFO
    
    # Feature flags for dangerous operations
    features:
      allow_file_uploads: false        # Disabled by default
      allow_external_redirects: false  # Prevent open redirects
      debug_endpoints: false           # No debug info in prod
```

---

## 12.5 Code Review: Security-Focused Checklists and Static Analysis

Manual code review remains essential because automated tools cannot understand business logic vulnerabilities. However, SAST (Static Application Security Testing) tools catch common patterns at scale.

### Security Code Review Checklist

**Input Handling:**
- [ ] All inputs validated for type, length, format, and range?
- [ ] Allowlists used instead of denylists for validation?
- [ ] File uploads restricted by type, size, and scanned for malware?
- [ ] Path traversal prevented in file operations (e.g., `../` filtering)?

**Authentication & Authorization:**
- [ ] Passwords hashed with strong algorithms (Argon2, bcrypt, scrypt)?
- [ ] Session tokens generated with cryptographically secure RNG?
- [ ] Authorization checks on every request (including static files)?
- [ ] Privilege escalation prevented (users cannot modify their own role)?

**Data Protection:**
- [ ] Sensitive data encrypted at rest (AES-256)?
- [ ] TLS 1.2+ used for all network communication?
- [ ] Secrets not hardcoded; retrieved from secure vault?
- [ ] PII logged only when necessary and masked?

**Output & Injection:**
- [ ] Parameterized queries used for all database access?
- [ ] Output encoded based on context (HTML, JS, CSS, URL)?
- [ ] Content-Type headers set correctly to prevent MIME sniffing?
- [ ] User-supplied filenames sanitized before use?

**Error Handling:**
- [ ] Fail-closed behavior (deny access on error)?
- [ ] Stack traces hidden from users in production?
- [ ] Sensitive data excluded from logs?
- [ ] Resources freed in exception handlers (no resource leaks)?

**Concurrency:**
- [ ] Race conditions handled in financial/account operations?
- [ ] Thread-safe collections used in multi-threaded contexts?
- [ ] Deadlock prevention in database transactions?

### Static Analysis Integration

**Semgrep (Lightweight, fast):**
```yaml
# .semgrep.yml
rules:
  # Detect hardcoded secrets
  - id: hardcoded-api-key
    patterns:
      - pattern-regex: api[_-]?key\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]
    languages: [python, javascript, java]
    message: "Potential hardcoded API key detected"
    severity: ERROR
    
  # Detect SQL injection
  - id: sql-injection
    patterns:
      - pattern: |
          $QUERY = "..." + $X
          ...
          $CURSOR.execute($QUERY)
    languages: [python]
    message: "Possible SQL injection - use parameterized queries"
    severity: WARNING
```

**SonarQube Configuration:**
```properties
# sonar-project.properties
sonar.projectKey=secure-app
sonar.sources=src
sonar.exclusions=**/test/**,**/migrations/**

# Security rules
sonar.security.hotspots.level=HIGH
sonar.security.hardcodedCredentials=BLOCKER
sonar.security.sqlInjection=BLOCKER
sonar.security.xss=CRITICAL
```

**GitHub Actions Integration:**
```yaml
# .github/workflows/security-scan.yml
name: Security Scan

on: [push, pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/owasp-top-ten
            p/cwe-top-25
      
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      
      - name: Dependency Check (SCA)
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'my-app'
          path: '.'
          format: 'ALL'
```

### Manual Review Techniques

**Threat Modeling During Review:**
When reviewing code, ask:
1. **STRIDE analysis**: Can this code be Spoofed, Tampered with, Repudiated, subject to Information disclosure, Denial of service, or Elevation of privilege?
2. **Attack surface**: What inputs does this accept? Who can call it?
3. **Trust boundaries**: Does this code trust data from less privileged zones?

**Reviewing for TOCTOU (Time-of-Check to Time-of-Use):**
```c
// Vulnerable: Race condition
if (access(file, W_OK) == 0) {  // Check
    // Attacker changes file here (symlink attack)
    write_to_file(file, data);   // Use
}

// Secure: Atomic operations
int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd != -1) {
    write(fd, data, len);  // Check and use are atomic
    close(fd);
}
```

---

## Summary and Transition to Chapter 13

In this chapter, we established that secure code is the foundation upon which all security architecture rests. You learned that **input validation** must be strict (allowlisting) and occur at trust boundaries, while **output encoding** must be context-aware to prevent injection attacks across SQL, HTML, JavaScript, and other interpreters. For systems programming, we explored **memory safety**—understanding that buffer overflows and use-after-free vulnerabilities require either memory-safe languages (Rust, Go) or rigorous safe coding practices in C/C++ with modern compiler protections enabled.

We examined **secure error handling** through the lens of fail-safe defaults: systems must deny access when uncertain, clean up resources even during exceptions, and never disclose sensitive debugging information to potential attackers. **Configuration management** revealed that secrets require specialized vaults (not environment variables or code repositories), applications must run with least privilege, and secure defaults prevent accidental exposure through misconfiguration.

Finally, we covered **security code review** as both an automated process (SAST tools integrated into CI/CD) and a manual discipline requiring checklists and threat modeling. Remember: tools catch syntax-level vulnerabilities, but only human review can identify business logic flaws and architectural weaknesses.

However, even perfectly secure code must run somewhere. Modern applications increasingly deploy to cloud-native environments—containers, Kubernetes, and serverless functions—that introduce new attack surfaces: container escape vulnerabilities, misconfigured cloud storage, vulnerable base images, and overly permissive IAM roles. The security of your code is meaningless if the infrastructure running it is compromised.

In **Chapter 13: Cloud-Native Security**, we will ascend from code to infrastructure, exploring how to secure containerized applications and orchestration platforms. You will learn to harden Docker images, implement Kubernetes network policies and Pod Security Standards, scan for vulnerabilities in supply chains, and apply the principle of least privilege to cloud IAM. We will bridge the gap between application security and infrastructure security, ensuring your code remains protected throughout its deployment lifecycle.