CT-052 SQA-Assignment-1

CT-534 Software Quality Assurance

NED UNIVERSITY OF ENGINEERING & TECHNOLOGY

Assignment II

Name: Muhammad Maaz Mohiuddin
Roll No: CT-052/2023-24
Department of Computer Science & IT, MS (CSIT)


Secure Coding Practices for Programming Languages and Databases

a. Programming Languages: ASP.Net, Java, and any other programming language you are currently
working on (e.g., JavaScript)

1. ASP.Net:

Input Validation:

1. Always validate user input to stop injection attacks such as SQL injection and cross-site scripting (XSS).
2. Enforce validation rules with validation attributes and data annotations.
3. Encode output to guard against cross-site scripting; use the AntiXSS library for output encoding.

Authentication and Authorization:

1. Use ASP.NET Identity for strong authentication and authorization.
2. Use role-based access control (RBAC) to govern user permissions.

Error Handling:

1. Implement global error handling to report errors and display messages that are easy to understand.
2. Do not disclose sensitive information or stack traces in error messages.

Session Management:

1. Use secure session cookies flagged HttpOnly and Secure.
2. Put appropriate session timeout and invalidation mechanisms in place.

Data Protection:

1. Use the ASP.NET Core Data Protection API to safeguard sensitive data.
2. Use HTTPS for sensitive data in transit and strong encryption for data at rest.

2. Java:

Error Handling:

1. In production, log errors without disclosing sensitive information.
2. Use custom error pages and messages to handle exceptions.

Session Management:

1. Use HttpOnly and Secure flags on session cookies.
2. Put session timeout and invalidation procedures in place.

Data Security:

1. Use the Java Cryptography Architecture (JCA) for encryption and decryption.
2. Use robust encryption to protect data at rest and SSL/TLS to secure data in transit.

Dependency Management:

1. Update all frameworks and libraries regularly to reduce vulnerabilities.
2. Use tools such as OWASP Dependency-Check to find and fix security flaws in dependencies.

3. JavaScript (Node.js):

Input Validation:

1. Validate and sanitize all input with libraries such as joi or express-validator.
2. Avoid eval() and other risky functions that execute strings as code.

Output Encoding:

1. Encode output for its context, and sanitize HTML with libraries such as DOMPurify, to stop XSS attacks.
2. Sanitize user-generated content before rendering it.

Authentication and Authorization:

1. Use Passport.js with secure authentication methods such as JSON Web Tokens (JWT).
2. Enable role-based access control and hash stored passwords with bcrypt.

Error Handling:

1. Use centralized error handling to capture and log errors securely.
2. Do not disclose private information or stack traces in error responses.

Session Management:

1. Use HttpOnly and Secure flags on session cookies.
2. Establish appropriate session timeout and expiration policies.

Data Security:

1. Use the Node.js crypto module to encrypt and decrypt sensitive data.
2. Make sure data in transit is encrypted over HTTPS.

b. Databases: Oracle Secure Configuration

Access Management:

1. Grant users and roles the minimum set of permissions, following the principle of least privilege.
2. Use Oracle Database Vault to manage access and enforce security policies.

Encryption:

1. Use Transparent Data Encryption (TDE) to encrypt sensitive data at rest.
2. Make sure SSL/TLS is used to encrypt data in transit.

Monitoring and Auditing:

1. Enable auditing with Oracle Audit Vault to monitor and record database activity.
2. Review logs regularly to look for unusual activity and possible security events.

Input Validation:

1. Use parameterized queries and bind variables to stop SQL injection attacks.
2. Make sure inputs are validated and sanitized at the application level before they reach the database.

Backup Security:

1. Encrypt backups to prevent unauthorized access to data.
2. Keep backups in locations with restricted, secured access.

Security Policies:

1. Use Oracle Advanced Security features to implement and enforce security policies.
2. Review and update security procedures often to keep up with emerging risks.

User Management:

1. Use multi-factor authentication (MFA) and other robust authentication techniques.
2. Review and update user roles and permissions regularly to ensure they match business needs.
