# What you'll learn

After watching this video, you will be able to: 
* Describe code practices.
* Identify general code practices.
* Explain the input validation and scrubbing process.

# What are code practices?

* Code practices are part of the software development process for the development of secure software.
* Security is a major concern in the DevOps community because attackers target insecure code in the application layer.
* Implementing code practices is an important part of developing secure software.
* Implementing code practices early in development is cost-effective because correcting insecure code later in the software development process is expensive.
* Implementing code practices helps mitigate vulnerabilities and attacks.

# General code practices

There are some general code practices you should follow when developing software.
* Implement a secure software development lifecycle.
* Including security in the development lifecycle is cost-effective and ensures your application is as secure as it can be, right from the start.
* Establish secure coding standards.
* Following a set of secure coding standards establishes good habits.
* Build and use reusable object libraries for efficiency and to reduce risk.
* Develop with only tested and approved managed code.
* You should implement safe updating by focusing on exposed threats or source code that contains security-critical components.
* Attend training courses that focus on secure software development. They can increase your security awareness and strengthen your skills.

# Input Validation

Validating input means checking, on the server side, that the input provided by the user or attacker is what you expect it to be.

**What should you validate?**

* Any input data you use that a hacker can manipulate.
* Check your input data for: 
    * Expected data types.
    * Data range, and data length.
    * Allowed characters against a "white" list.
* If the input data isn’t the right type, it should be rejected.
* Any data coming from untrusted sources should also be validated.
* Reduce any additional risk by developing on trusted and hardened systems only.

# Input Scrubbing

* Whitelist validation should always be performed for allowed characters.
* A scrubber removes any malicious characters entered as input data.
* Malicious characters may include the following: **`< > " ' % ( ) & + \ \' \"`**, that is, anything that the attacker can use to make your application do something it wasn’t intended to do.
* If any of these malicious characters are actually allowed as valid input, you should implement additional controls such as:
    * output encoding, 
    * securing task-specific APIs, and 
    * accounting for all data input throughout an entire application.

# Output encoding

* Output encoding is the translation of input code to safe output code.
* Implement a policy and practice for each type of outbound encoding used.
* You should encode all characters unless they are known to be safe for the interpreter.
* Sanitize all untrusted data output to queries such as SQL, XML, and LDAP.
* Also, sanitize all untrusted data output to local operating system commands.
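
The checks from the Input Validation, Input Scrubbing, and Output encoding sections, as an added example that is not part of the original course notes. It shows server-side validation of type, range, length, and allowed characters, with output encoding for a field that must accept hazardous characters. The field names, limits (3 to 20 character usernames, ages 13 to 120, 200-character comments), and function names are assumptions chosen for illustration.

```python
import html
import re

# Hypothetical field rules: allowed characters and length expressed as an allowlist.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
MAX_COMMENT_LEN = 200

class ValidationError(ValueError):
    """Raised when input is not what the server expects; the request is rejected."""

def validate_username(value):
    # Expected data type first, then allowed characters and length in one allowlist.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username")
    return value

def validate_age(value):
    # Expected type: a string of ASCII digits only (no sign, spaces, or floats).
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValidationError("age")
    age = int(value)
    if not 13 <= age <= 120:  # data range
        raise ValidationError("age")
    return age

def validate_comment(value):
    # Free text legitimately contains < > " ' & so it cannot be allowlisted by
    # character; enforce type and length here and rely on output encoding below.
    if not isinstance(value, str) or not 1 <= len(value) <= MAX_COMMENT_LEN:
        raise ValidationError("comment")
    return value

def render_comment(username, comment):
    # Output encoding for the HTML body context: html.escape converts
    # & < > " ' to entities so the browser treats them as text, not markup.
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(username, quote=True), html.escape(comment, quote=True))

# Constructed sample request data.
sample = {"username": "alice_01", "age": "34",
          "comment": "<script>alert(\"x\")</script> & 'more'"}
if __name__ == "__main__":
    user = validate_username(sample["username"])
    validate_age(sample["age"])
    print(render_comment(user, validate_comment(sample["comment"])))
```

The encoder has to match the output context: `html.escape` is appropriate for HTML text, while SQL, LDAP, and operating system commands each need their own parameterized or context-specific API.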

# Error handling & logging

* Improper error handling can expose a variety of security risks for an application.
* Error messages containing too much detail provide attackers with valuable clues about potential flaws they can exploit.
* The goal should be to:
    * provide meaningful error messages to the user, 
    * provide diagnostic information for troubleshooting, and 
    * provide no useful information to an attacker.
* Use custom error pages and generic messages for error handling and logging.
* Release allocated memory when any error conditions occur to avoid corruption.
* Implement access restrictions to logs to keep attackers out.
* You should also log any types of tampering events and failures such as:
    * input,
    * authentication attempts, and 
    * access control.

# Summary

In this video, you learned that: 
* Security is a concern in the DevOps community, and attackers target insecure code in the Application layer.
* Code practices are part of secure software development that helps mitigate vulnerabilities and attacks.
* Including security early in the development process saves money because it’s more costly to fix security issues later in the process.
* Using trusted code and developing on trusted, hardened systems reduces risk (or attack surface).
* Validate data input and sanitize untrusted data output to queries.
* Provide meaningful error messages for users, diagnostic logging for troubleshooting, and make sure your messaging provides nothing useful to attackers.
* Training courses focusing on secure software development can help raise awareness and strengthen skills.
