
The Top 12 Practices of Secure Coding Cheat Sheet by

Tags: programming, software, coding, security, best practices


Developing and managing software is no easy feat. Consider that an operating system can contain over 50 million lines of code. To help developers rise to the software security challenge, enter OWASP, the Open Web Application Security Project. Comprised of thousands of super-smart participants collaborating globally, OWASP provides free resources “dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted.”

It might make good sense then, when evaluating your (or your vendor’s) program, to begin by measuring it against OWASP’s Software Assurance Maturity Model. The list below provides a quick summary of the top 12 security practices to mitigate risks from internal and third-party software. How many boxes does your program check?


1. Strategy and Metrics: Establish a unified security roadmap, set corporate risk tolerance and align expenses with asset value.
2. Education and Guidance: Provide role-specific secure software development lifecycle training.
3. Policy and Compliance: Understand compliance drivers, create compliance gates and collect the right types of data to enable audit.
4. Threat Assessment: Identify, evaluate and mitigate application-specific threats.
5. Security Requirements: Specify necessary security controls, including within supplier agreements, and audit those controls.
6. Secure Architecture: Adopt software development frameworks, identify secure design patterns and embed secure-by-default principles.
7. Design Review: Assess software design against a comprehensive set of best practices.
8. Implementation: Integrate automated code analysis tools into development processes, customize code review for language-level risks and for application-specific vulnerabilities.
9. Security Testing: Require human penetration testing and automate application-specific testing throughout the development process and, significantly, before deployment.

How to Develop and Review Code Security

10. Issue Management: Create a vulnerability response team, implement a security issues disclosure process (consider a bug bounty program), conduct root cause analysis and collect per-issue metrics.
11. Environment Hardening: Install critical upgrades and patches, monitor configurations, deploy network protection tools.
12. Operational Enablement: Facilitate communications between development teams and operators, capture critical security information, maintain formal procedures for issuing alerts, create per-release change management procedures and perform code signing.
