Secure Coding

Question 1

Solution for SQL Injection

Answer 1

Solution
* Limit input size
* Remove special character
* Remove reserved keywords
* Check the desired pattern

Question 2

Solution for XML injection

Answer 2

• Limit inputs
• Check it has the pattern that you want
• Never work on or log unvalidated inputs (string, path,…)

Question 3

Numbers
Overflow

Answer 3

The built-in integer operators in Java secretly wrap the result without
reporting overflow when a mathematical operation cannot be represented
using the provided integer types.

Question 4

Solution for Number Overflow

Answer 4

Solutions:
* Upcasting: Consider a larger data type if possible
* Prediction testing: Find the boundaries, throw ArithmaticException when needed.
* BigIntger: Convert the inputs into objects of type BigInteger

Question 5

Numbers
Precision

Answer 5

Solution:
* Use integer
* Use BigDecimal

Question 6

Methods

Answer 6

Validate input parameters
* Might be costly
* Avoid inconsistent computation, runtime exceptions

Assertion
- test your assumptions about your program

Accessibility
* Method that check security should be private or final.

Question 7

Defensive Programming

Answer 7

Minimise the scope of variables

Minimise the accessibility of classes

Wrapper methods
* Use private modifiers when it is possible

Question 8

Conclusive Secure Coding

Answer 8

• Do not trust inputs from users
• Take extra consideration when dealing with sensitive information
• Do not save them in local (log)
• Save them encoded when possible
• Be aware of scopes
• Limit modifier as much as possible
• Limit the scope of each variable
• Be aware of bitwise operations and overflow