General Rules Of Thumb
- Set up an email (e.g. email@example.com) and a page for security researchers to report vulnerabilities.
- Depending on what you are making, limit access to your user databases.
- Be polite to bug reporters.
- Have a fellow developer review your code from a secure-coding perspective (more eyes catch more bugs).
- In case of a hack or data breach, check previous logs for data access and ask users to change their passwords. Depending on where you are incorporated, you may also be required to have an audit by an external agency.
- Set up Netflix's Scumblr to monitor mentions of your organization on social platforms and in Google search results.
Sanitization of Input
- Sanitize all user inputs or any input parameters exposed to the user to prevent XSS.
- Always use parameterized queries to prevent SQL Injection.
- Sanitize user input if using it directly for functionalities like CSV import.
- Sanitize user input for special cases such as a user choosing robots.txt as a profile name when you use a URL pattern like coolcorp.io/username.
- Do not hand-code or build JSON by string concatenation ever, no matter how small the object is. Use your language defined libraries or framework.
- Sanitize inputs that accept URLs to prevent SSRF.
- Sanitize outputs before displaying them to users.
- Sanitize all the things
  If you access POST data (WordPress example), sanitize it before storing it:
    $title = sanitize_text_field( $_POST['title'] );
    update_post_meta( $post->ID, 'title', $title );
- Escape when you output
If you output the data to HTML, use htmlspecialchars(); if you are storing the data in a database, escape strings with mysqli_real_escape_string() and cast numbers (or use prepared statements for both), and protect identifiers and operators with whitelist-based filtering.
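The checklist's own snippet is PHP/WordPress; the following is an added example (not from the original page) that shows the same rules in Python so it runs stand-alone: an allow-list username check that also rejects names colliding with root-level paths like robots.txt, a parameterized lookup, a JSON body built by the library, and escaping at output time. The reserved-name list, the sqlite schema and the sample row are constructed for illustration.

```python
import html
import json
import re
import sqlite3

# Constructed list of names that would shadow root-level resources when
# profiles are served at /<username>; extend it for your own deployment.
RESERVED_NAMES = {"robots.txt", "sitemap.xml", "favicon.ico", "security.txt",
                  ".well-known", "admin", "login", "api", "static"}
# Allow-list pattern: 3-32 chars, lowercase alphanumerics plus . _ -,
# must start with a letter or digit (so "../etc" and ".well-known" fail).
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{2,31}$")


def validate_username(name: str) -> bool:
    """True only if the name matches the allow-list and is not reserved."""
    name = name.strip().lower()
    return bool(USERNAME_RE.match(name)) and name not in RESERVED_NAMES


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, bio TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", "<script>alert(1)</script> O'Brien"))
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value is bound, never spliced into the SQL,
    so a payload like "' OR 1=1 --" is just a username that does not exist."""
    row = conn.execute("SELECT username, bio FROM users WHERE username = ?",
                       (username,)).fetchone()
    return None if row is None else {"username": row[0], "bio": row[1]}


def render_profile(user: dict) -> str:
    """Escape when you output: the bio is stored as typed, and html.escape
    with quote=True neutralises <, >, &, ' and " for both the element body
    and the attribute value used here."""
    return '<h1>{u}</h1><p title="{b}">{b}</p>'.format(
        u=html.escape(user["username"], quote=True),
        b=html.escape(user["bio"], quote=True))


def profile_json(user: dict) -> str:
    """Let the JSON library do the quoting; never build JSON by hand."""
    return json.dumps(user)
```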