Code security is one of those things we need regular reminders about. This reminder is for PHP, but several of the issues apply to any language – Survive The Deep End: PHP Security.
The “Basic Security Thinking” section has a good general list of principles:
- Trust nobody and nothing
- Assume a worse-case scenario
- Apply Defense-In-Depth
- Keep It Simple Stupid (KISS)
- Principle of Least Privilege
- Attackers can smell obscurity
- RTFM but never trust it
- If it wasn’t tested, it doesn’t work
- It’s always your fault!
Personally I’d replace “Attackers can smell obscurity” with “Never underestimate the amount of time or resources your attacker has”, but the overall list still gets you in the right frame of mind.
If you deal with PHP code, the rest of the document is definitely worth the time to read.