Cybersecurity for Developers: Secure Your Code


Security Is Your Responsibility Too

Cybersecurity isn’t just for security teams. Every developer who writes code that touches user data, handles authentication, or connects to a network has a security responsibility.

The OWASP Top 10 (Simplified)

OWASP publishes the most critical web application security risks. Know these by heart.

1. SQL Injection

# Vulnerable - untrusted input is spliced into the SQL text
query = f"SELECT * FROM users WHERE email = '{email}'"
cursor.execute(query)

# Secure - parameterized query: the value travels separately from the statement
# (%s is the DB-API paramstyle for psycopg2/MySQLdb; sqlite3 uses ?)
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
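The following is an added example, not code from the original page: it builds a constructed in-memory SQLite table and runs the vulnerable and the parameterized lookup side by side on the same input, so you can see that the placeholder version treats a quote-carrying string as data rather than as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def find_user_vulnerable(conn, email):
    # String formatting puts untrusted input straight into the SQL text,
    # so a quote in the input changes the structure of the statement.
    query = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def find_user_secure(conn, email):
    # The ? placeholder (sqlite3's paramstyle; psycopg2 uses %s) sends the
    # value to the engine separately from the statement, so it is never
    # parsed as SQL, whatever characters it contains.
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE email = ?", (email,))
    ]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input carrying a quote
    print(find_user_vulnerable(db, probe))  # the WHERE clause now matches every row
    print(find_user_secure(db, probe))      # no such email: []
```

The same pattern applies to every DB-API driver; only the placeholder token differs, and string concatenation is never the right way to get a value into a query.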

2. Cross-Site Scripting (XSS)

// Vulnerable - innerHTML parses the string as markup
document.getElementById('output').innerHTML = userInput;

// Secure - textContent inserts the string as text, never as markup
document.getElementById('output').textContent = userInput;
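The same rule holds when HTML is built on the server. As an added example (not from the original page), this Python helper uses the standard library's `html.escape` to encode user-supplied values before they are placed into markup; the `render_comment` function and its inputs are constructed for illustration. Note the attribute context: `html.escape` escapes `"` and `'` by default (`quote=True`), which is what keeps a value from closing the attribute it sits in.

```python
import html


def render_comment(author: str, body: str) -> str:
    """Render a comment as HTML with every user value escaped for its context."""
    # Attribute context: quotes must be escaped too, or the value could end
    # the attribute early. html.escape does this by default (quote=True).
    safe_author = html.escape(author, quote=True)
    # Text context: <, >, & are the characters that would start markup.
    safe_body = html.escape(body)
    return f'<p class="comment" data-author="{safe_author}">{safe_body}</p>'


if __name__ == "__main__":
    # Constructed inputs: one tries to inject markup, one tries to break out of an attribute.
    print(render_comment('a" data-injected="1', "<b>hi</b>"))
```

Escaping belongs at the point of output, chosen per context (HTML text, attribute, URL, JavaScript string); a value escaped once for one context is not automatically safe in another.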

3. Broken Authentication

import bcrypt

# Always hash passwords - never store plaintext
password = "user_password_123"
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())

# Verify
is_valid = bcrypt.checkpw(password.encode(), hashed)
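The bcrypt snippet above needs the `bcrypt` package. As an added example that is not from the original page, here is the same store-and-verify flow using only the standard library: `hashlib.scrypt` (a memory-hard password hash, swapped in for bcrypt so the code runs without dependencies), a random per-password salt, the cost parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verify. The `scrypt$n$r$p$salt$hash` record format is this example's own convention.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters: n is CPU/memory cost, r block size, p parallelism.
# 128 * n * r bytes of memory are needed (16 MiB here), within scrypt's default limit.
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        N, R, P,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the parameters travel with the record, you can raise the cost for new passwords and transparently re-hash old ones on their next successful login.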

Secure HTTP Headers

// Express.js - use helmet middleware
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet());

// Among the headers helmet sets by default:
// Content-Security-Policy
// X-Frame-Options
// X-XSS-Protection (set to 0, which disables the legacy browser filter)
// Strict-Transport-Security
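Middleware sets the headers; a deployment still needs a check that they actually reach the client (a reverse proxy or CDN can strip or override them). The following is an added example, not from the original page or from helmet: a small Python audit over a response header dictionary, such as `requests.get(url).headers`, that reports missing headers, an HSTS `max-age` shorter than a year, and a legacy `X-XSS-Protection` value other than `0`. The header set and thresholds are this example's own choices.

```python
from typing import Dict, List

# Headers the audit expects on every HTML response (this example's own baseline).
REQUIRED = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)
ONE_YEAR = 31536000


def _hsts_max_age(value: str):
    """Return the max-age directive of an HSTS header as an int, or None."""
    for directive in value.split(";"):
        name, _, num = directive.strip().lower().partition("=")
        if name == "max-age":
            try:
                return int(num)
            except ValueError:
                return None
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        if name not in lowered:
            findings.append(f"missing {name}")
    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("strict-transport-security max-age below one year")
    # The legacy XSS filter is best left disabled; modern helmet sends 0.
    if lowered.get("x-xss-protection", "0").strip() != "0":
        findings.append("x-xss-protection should be 0 (legacy filter disabled)")
    return findings


if __name__ == "__main__":
    # Constructed response headers, as a proxy in front of an app might return them.
    sample = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "DENY"}
    for finding in audit_security_headers(sample):
        print(finding)
```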

JWT Security

const jwt = require('jsonwebtoken');

// Use a strong secret (32+ random characters) loaded from configuration
const SECRET = process.env.JWT_SECRET;  // Never hardcode!

// Sign with an expiration; `user` is the authenticated user record
const token = jwt.sign({ userId: user.id }, SECRET, { expiresIn: '1h' });

// Always verify the signature and expiry before trusting any claim
try {
    const payload = jwt.verify(token, SECRET);
} catch (err) {
    // Token invalid or expired
}

Security Checklist

  • Never store plaintext passwords
  • Validate and sanitize all user input
  • Use HTTPS everywhere
  • Store secrets in environment variables
  • Keep dependencies updated
  • Implement rate limiting
  • Log security events
  • Regular dependency audits (npm audit, pip-audit)
