The Secure Developer Quality

Being able to ask ‘the right’ questions is the best secure developer quality.
Receipt receipt = ReceiptService.Get(id); 
return receipt;
A short dialog between Jack the developer and his suspicious consciousness:

Susp. Consciousness - Where does this parameter id come from?
Jack - From the user...
Susp. Consciousness - Do we trust the user? Is he a privileged user?
Jack - No and no...
Susp. Consciousness - Can he, then, access others' receipts?
Jack - Yes, so let's prevent that.
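
The check Jack agrees to add, as an added example that is not code from the original post. The class name, the in-memory STORE, getUnchecked, getForUser and statusFor are hypothetical, and the session user id is assumed to come from server-side authentication rather than from the request.

```java
import java.util.Map;
import java.util.Optional;

public class ReceiptAccessExample {
    // Constructed sample data: receipt id -> receipt with its owner.
    record Receipt(long id, String ownerId, String total) {}

    static final Map<Long, Receipt> STORE = Map.of(
        1001L, new Receipt(1001L, "alice", "42.00"),
        1002L, new Receipt(1002L, "bob", "13.37"));

    // Before: the lookup trusts the id alone, with no ownership check.
    static Optional<Receipt> getUnchecked(long id) {
        return Optional.ofNullable(STORE.get(id));
    }

    // After: the caller's identity is taken from the server-side session
    // (assumption), and the receipt is returned only if that user owns it.
    static Optional<Receipt> getForUser(String sessionUserId, long id) {
        if (sessionUserId == null) {
            return Optional.empty(); // unauthenticated callers get nothing
        }
        return Optional.ofNullable(STORE.get(id))
            .filter(r -> r.ownerId().equals(sessionUserId));
    }

    // Missing ids and ids owned by someone else produce the same status,
    // so the response does not reveal which receipt ids exist.
    static int statusFor(String sessionUserId, long id) {
        return getForUser(sessionUserId, id).isPresent() ? 200 : 404;
    }

    public static void main(String[] args) {
        System.out.println("unchecked, bob's receipt:  " + getUnchecked(1002L).isPresent());
        System.out.println("alice, own receipt:        " + statusFor("alice", 1001L));
        System.out.println("alice, bob's receipt:      " + statusFor("alice", 1002L));
        System.out.println("alice, non-existent id:    " + statusFor("alice", 9999L));
        System.out.println("no session, bob's receipt: " + statusFor(null, 1002L));
    }
}
```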

Who can call this endpoint I open to the world?

Can the user access any assets he does not own using this parameter?

Have I applied whitelist validation, as opposed to blacklist validation, to this parameter?

Am I mixing code and untrusted data without any validation in this piece of code?

Are my libraries up-to-date and have I read their security pages?

Does the API method I am calling, or do the arguments I am using, have secure versions or any security side effects?

Do I really need to get this parameter from the user?

Does this security-related check that I am writing run on the client or the server side?

protected void doPost(HttpServletRequest ... ){
    Part filePart = request.getPart("file");
    String fileName = UploadedPath + getFilename(filePart);
    InputStream fileContent = filePart.getInputStream();
    OutputStream out = new FileOutputStream(fileName);
    int read = 0;
    byte[] bytes = new byte[1024];
    while ((read = fileContent.read(bytes)) != -1)
        out.write(bytes, 0, read);
}
