Episode 475: Rey Bango on Secure Coding Veracode

Topics covered
Popular Clips
Episode Highlights
Input Validation
emphasizes the critical role of input validation in secure coding. He explains that relying solely on front-end validation is insufficient, as it can be easily bypassed, and stresses the importance of server-side validation to ensure data integrity 1. Bango highlights the effectiveness of whitelisting acceptable inputs and using Object-Relational Mappings (ORMs) to validate data types throughout the processing chain 2.
You want to make sure that somebody's not saying drop table. That'd be pretty bad.
---
He also warns about the potential for cross-site scripting attacks if inputs are not properly sanitized and encoded 1.
Logging
Logging plays a pivotal role in secure coding, but it must be handled with care to avoid exposing sensitive information. advises against revealing diagnostic codes and system details in logs, as they can be exploited by malicious actors 3. He shares an example of a security breach where excessive logging led to vulnerabilities being discovered by attackers 4.
I think it's important if you have an error, you handle it gracefully. And that exception log is clearly in the backend.
---
Bango suggests using backend logging mechanisms and secure channels like Jira tickets for developers to access error information without compromising security 3.
Secure Practices
Secure coding practices are essential for minimizing vulnerabilities in software development. discusses the importance of proactive measures such as sanitizing inputs, securing APIs, and integrating third-party systems securely 5. He stresses the need for developers to think about security early in the development process and to continuously evaluate their security posture even after deployment 5.
You have to sanitize inputs, you have to sanitize inputs.
---
Bango also highlights the risks of relying on third-party code without proper vetting and suggests using private package managers to ensure code integrity 6.
Related Episodes


Episode 441 Shipping Software - With Bugs
Answers 383 questions

Episode 514: Vandana Verma on the Owasp Top 10
Answers 383 questions

SE-Radio-Episode-309-Zane-Lackey-on-Application-Security
Answers 383 questions

Episode 482: Luke Hoban on Infrastructure as Code
Answers 383 questions

SE-Radio Episode 357: Adam Barr on Code Quality
Answers 383 questions

SE Radio 634: Jim Bugwadia on Kubernetes Policy as Code
Answers 383 questions

Episode 544: Ganesh Datta on DevOps vs Site Reliability Engineering
Answers 383 questions

SE-Radio Episode 288: DevSecOps
Answers 383 questions

SE-Radio Episode 350: Vivek Ravisankar on HackerRank
Answers 383 questions

Episode 535: Dan Lorenc on Supply Chain Attacks
Answers 383 questions
Episode 152: MISRA with Johan Bezem
Answers 383 questions

SE Radio 597: Coral Calero Muñoz and Félix García on Green Software
Answers 383 questions

SE-Radio Episode 276: Björn Rabenstein on Site Reliability Engineering
Answers 383 questions

Episode 59: Static Code Analysis
Answers 383 questions

SE-Radio Episode 314: Scott Piper on Cloud Security
Answers 383 questions













