### Week 10: Secure Coding Practices

Review Resources:
- Read the OWASP Secure Coding Practices. Focus on the top practices, especially those related to input validation and handling secrets.

- Go through the Python tutorials on using environment variables (e.g., the os or dotenv library) and secure database connection practices (which will lead you to parameterized queries).

Targeted Learning:

- Focus your study on the two main vulnerabilities mentioned: SQL Injection and Cross-Site Scripting (XSS). Understand how they work and why secure coding practices prevent them.

#### Task 1: Environment Variables for Secrets
Goal: Eliminate hard-coded secrets.

Action:

Identify any sensitive data (e.g., database credentials, external API keys) in your Week 9 API endpoint.

Install a library like python-dotenv or plan to use the built-in os.environ to read environment variables.

Replace the hard-coded secrets with calls to read from the environment (e.g., os.environ.get('API_KEY')).

Create a .env file (and add it to your .gitignore) to store the actual key/secret for local testing.

#### Task 2: Parameterized Queries
Goal: Demonstrate protection against SQL injection.

Action:

Write a simple script using an SQLite database (or similar).

Insecure Example: Write a function that builds a query string by concatenating a user-provided variable directly (e.g., f"SELECT * FROM users WHERE id = '{user_input}'").

Secure Example: Write a second function that uses the database library's built-in parameterized query feature (using placeholders like ? or %s) to separate the SQL command from the user data.

Demonstrate: Show how a malicious input like ' OR '1'='1 works in the insecure query but fails harmlessly in the parameterized one.

#### Task 3: Input Validation and Sanitization
Goal: Securely prepare input for use by a function or model.

Action:

Write a short Python function, say process_user_score(score), that expects a number.

Validation: Check that the input:

Is a number/can be converted to an integer.

Falls within an expected range (e.g., 0 to 100).

Sanitization: If dealing with text, use a library or simple regex to remove potentially malicious characters (like <, >, &, or script tags) that could lead to XSS if displayed later. Since the task is for a model, focus on ensuring the data type and range are correct.

---

# OWASP Secure Coding Practices

https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf


The goal of software security is to maintain the confidentiality, integrity, and availability of information
resources in order to enable successful business operations. This goal is accomplished through the
implementation of security controls.

Risk is a combination of factors that threaten the success of the
business. This can be described conceptually as follows: a threat agent interacts with a system, which may
have a vulnerability that can be exploited in order to cause an impact.

There is a fundamental difference between the approach taken by a development team and that taken by someone attacking an application. 
- A development team typically approaches an application based on what it is intended to do. In other words, they are designing an application to perform specific tasks based on documented functional requirements and use cases. 
- An attacker, on the other hand, is more interested in what an application can be made to do and operates on the principle that "any action not specifically
denied, is allowed". To address this, some additional elements need to be integrated into the early stages of the software lifecycle. These new elements are security requirements and abuse cases.

Software security flaws can be introduced at any stage of the software development lifecycle, including:
- Not identifying security requirements up front
- Creating conceptual designs that have logic errors
- Using poor coding practices that introduce technical vulnerabilities
- Deploying the software improperly
- Introducing flaws during maintenance or updating


Depending on the nature of the software, the vulnerability and the supporting infrastructure, the impacts of a successful exploitation can include compromises to any or all of the following:
- The software and its associated information
- The operating systems of the associated servers
- The backend database
- Other applications in a shared environment
- The user's system
- Other software that the user interacts with


Secure Coding Practices Checklist

Note, this will be just a gist of the checklist. You can check the checklist in reference guide if you need the actuals.
1. Input Validation
    - Validate all possible inputs be it known malicious inputs or proper inputs
    - Validate if potentially hazardous characters are allowed as input
    - Validate input validation to see how it reacts on certain inputs
    - Utilize canonicalization to address double encoding or other obfuscation attacks
    - Verify character sets and specify which character sets are only allowed in the validation
    - Validate the expected data types and lengths of each as well as the white list of allowed charracters
    - All sources are to be classified into trusted and untrusted. All untrusted are to be validated further
    - Data validation should only be in the system
    - Failures in validation should result to input rejection to block inputs
2. Output Encoding
    - All encoding is to be done in the system only
    - Tested routines should be utilized for each type of output/outbound encoding
    - Ensure output is sanitized and outputted in a way that is safe for the intended recipient
3. Authentication and Password Management
    - All pages and resources must required authentication unless intended to be public
    - All authentication controls must be enforced on a trusted stystem
    - Only use tested authentication services when possible 
    - Better if implementation is centralized, including external authentication services
    - Fail-secure should be implemented here
    - Implement password hashing
    - All functions should be as secure as the primary authentication mechanism
    - Credential stores should be secure and not accessible by other applications apart from its own
    - Validation is to be done once the input is completed
    - Authentication failure should not say which it failed on, rather it should indicate failure on all inputs regardless of where it failed
    - Any external connections shall require authentication
    - HTTP POST requests are to be used to transmit authentication credentials
    - Non-temporary passwords should only be sent if encypted so connections, data, or email
    - Enforce password complexity requirements and legnth requirements by policy or regulation
    - Password entry should be obscured 
    - Disable account or penalize if there are multiple invalid login attempts to discourage brute force guessing of credentials but not to much to prevent denial of service
    - Password reset/changing operations should be as secure as account creation and authentication
    - Reset questions should not be common to yield common answers as well
    - Email based resets should only send to pre-registered emails and temporary links/passwords are only sent in said emails. These temporary items should also have short expiration time
    - Temporary password should also be changed
    - Notify if password reset happens and prevent password reuse. Passwords should also be at least a day old to prevent attacks on reuse and to avoid frequent changing
    - Disable remember me
    - Report the last login time to the user at the next successful login 
    - Use Multi-Factor Authentication and re-authenticate when doing critical operations
    - Monitor passwords and users to check if there is a possible exploit or possible attack patterns
    - Inspect third party code for authentication to avoid malicious codes
4. Session Management
    - Use the server or framework’s session management controls. The application should only recognize these session identifiers as valid
    - Session identifier creation must always be done on a trusted system
    - Logout functionality should be available and fully terminate all sessions or connections
    - Establish a timeout on sessions that is short but balancing risk and business functional requirements
    - Disable persistent logins and enforce periodic session terminations even if sessions are active
    - If a session was established before login, close that session and establish a new session after a successful login and generate a new session identifier on any re-authentication
    - Do not allow concurrent logins with the same user ID
    - Do not expose session identifiers
    - Protect server side session data from unauthorized access by other users of the server
    - Periodically deactivate old session when generating new sessions
    -  Generate a new session identifier if the connection security changes from HTTP to HTTPS, as it can occur during authentication. Within an application, it is recommended to consistently utilize HTTPS rather than switching between HTTP to HTTPS.
    - Supplement standard session amangement using per-session stron random tokens or parameters
    - Set the "secure" attribute for cookies transmitted over an TLS connection. Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value
5. Access Control
    - Use only trusted system objects, e.g. server side session objects, for making access authorization decisions
    - Use a single site-wide component to check access authorization. This includes libraries that call external authorization services
    - Fail secure should be implemented on all controls and deny access if it cannot confirm security configuration information
    - Enforce authorization controls on every request
    - Segregate privileged logic from other application code
    - Restrict all types of access or items to only its authorized users
    - Server side implementation and presentation layer representations of access control rules must match
    - Use encryption and integrity checking on the server side to catch state tampering
    - Limit the number of transactions a single user or device can perform in a given period of time
    - Implement account auditing and enforce the disabling of unused accounts
    - Periodically revalidate authorization if long sessions of authentication are allowed
    - The application must support disabling of accounts and terminating sessions when authorization ceases
    - Service accounts or accounts supporting connections to or from external systems should have the least privilege possible
    - Create an Access Control Policy to document an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled. This includes identifying access requirements for both the data and system resources
6. Cryptographic Practices
    - All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., The server)
    - Protect master secrets from unauthorized access
    - Cryptographic modules should fail securely
    - All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module’s approved random number generator when these random values are intended to be un-guessable
    - Cryptographic modules used by the application should be compliant to FIPS 140-2 or an equivalent standard. (See http://csrc.nist.gov/groups/STM/cmvp/validation.html)
    - Establish and utilize a policy and process for how cryptographic keys will be managed