Computer Science
Grade 10
20 min
Secure Coding Practices
Tutorial Preview
1. Introduction & Learning Objectives
Learning Objectives
Identify common vulnerabilities like SQL Injection in code snippets.
Explain the difference between input validation and input sanitization.
Implement parameterized queries (prepared statements) to prevent SQL Injection in a database application.
Apply the Principle of Least Privilege when designing a simple user role system.
Differentiate between authentication and authorization in a real-world context.
Write code that handles errors securely without exposing sensitive system information.
Ever wondered how a simple comment on a website could potentially take the whole site down? 💻💥 Let's learn how to build digital fortresses, not glass houses.
Writing code that works is the first step, but writing code that is safe and secure is what makes a prof...
2. Key Concepts & Vocabulary
Term: Input Validation
Definition: The process of checking whether data provided by a user or another program meets certain requirements before it is processed. It ensures the data is in the correct format, type, and range.
Example: A registration form checks that a user-provided email address contains an '@' symbol and a '.', and that the password is at least 8 characters long. If not, it rejects the input.

Term: Input Sanitization
Definition: The process of cleaning or filtering user input to remove or neutralize potentially malicious characters or code. This is done after validation to make the data safe to use.
Example: A user posts a comment with `<script>alert('hacked')</script>`. Sanitization would convert the characters `<` and `>` into `&lt;` and `&gt;`, so t...
3. Core Syntax & Patterns
The 'Never Trust User Input' Rule
All data originating from an external source must be treated as potentially hostile. It must be validated and/or sanitized before being used in your application.
Apply this rule to any data your program receives that you didn't create yourself. This includes form inputs, URL parameters, file uploads, and data from other APIs. Always check it on the server-side, even if you have client-side checks.
Parameterized Query Pattern
1. Define the SQL query with placeholders (e.g., ? or :name).
2. Prepare the statement with the database driver.
3. Bind the user-supplied variables to the placeholders.
4. Execute the query.
Use this pattern whenever your SQL query needs to include data that came from a user. This separates the logic (the S...
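The four-step pattern above, shown as an added example that is not part of the tutorial: it uses Python's standard-library sqlite3 module on a constructed in-memory users table, and places a lookup that concatenates user input into the SQL text beside the parameterized version so the difference in behaviour is visible.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable on purpose, to contrast with the safe version below:
    # the user's text becomes part of the SQL statement itself, so the
    # database cannot distinguish data from query logic.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Step 1: the query contains a placeholder, never the user's text.
    sql = "SELECT username, email FROM users WHERE username = ?"
    # Steps 2-4: the driver prepares the statement, binds the value to the
    # placeholder, and executes it. The value is only ever treated as data.
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Returns the rows each lookup produces for a normal username and for
    # a string containing SQL syntax, so the two approaches can be compared.
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_hostile": find_user_unsafe(conn, hostile),  # leaks every row
        "safe_normal": find_user_safe(conn, normal),
        "safe_hostile": find_user_safe(conn, hostile),  # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized lookup returns an empty result for the hostile string because the whole string is compared against the username column as a value, while the concatenated version returns every user in the table.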
Sample Practice Questions
Challenging
A developer is designing a login system. To be 'helpful', the system responds with 'Username not found' if the username doesn't exist, and 'Incorrect password' if the username exists but the password is wrong. Why is this a security flaw?
A. It violates the Principle of Least Privilege by giving the user too much information.
B. It allows for 'user enumeration', where an attacker can use the different messages to build a list of valid usernames.
C. It is vulnerable to SQL Injection because it checks the username and password separately.
D. It is a failure of authentication because it should use a more secure method like two-factor authentication.
Challenging
You are securing a blog comment system. The requirements are: comments must be under 500 characters, and users should be allowed to use `<b>` (bold) and `<i>` (italic) tags, but no other HTML like `<script>` or `<img>`. Which implementation is the most secure?
A. First, sanitize the input by removing all HTML tags. Then, validate the length to be under 500 characters.
B. First, validate the length is under 500 characters. Then, sanitize the input by removing all HTML tags.
C. First, validate the length is under 500 characters. Then, use a sanitization library that allows a specific 'whitelist' of tags (`<b>`, `<i>`) and strips all others.
D. Rely on client-side JavaScript to validate the length and strip forbidden tags before submitting the comment.
Challenging
A web application allows users to view their profile at a URL like `/profile/view?id=123`. A user discovers they can change the URL to `/profile/view?id=124` and see another user's private information. This vulnerability is primarily a failure of what?
A. Input Sanitization, because the 'id' parameter was not cleaned.
B. Authentication, because the user should have been logged out.
C. Authorization, because the server did not check if the logged-in user had permission to view profile 124.
D. Secure Error Handling, because an error should have been displayed.