Secure Development with Secure Coding in Mind



This post is a restructured version of a lecture I attended at 42Seoul, reworked with the help of AI!
Secure Coding: A Summary of Key Practices for Safe Software Development

Protecting Personal and Sensitive Information Is a Must

Personal information that can identify an individual, along with sensitive information (e.g., health, financial, identity data), can cause serious harm and legal liability if leaked.
Data must be encrypted, and access controls (offices, APIs, databases, etc.) should block unauthorized access from both insiders and outsiders.

The Importance of Digital and Social Forensics
Digital forensics: A general term for specialized scientific investigation techniques used to analyze digital evidence for investigations and to enhance the evidentiary capability of digital evidence.
When incidents like data leaks, tampering, or deletion occur, digital forensic techniques are used to secure evidence and support legal disputes or internal audits. Insider threats are also real -- like employees downloading databases and selling them on the dark web -- so access log recording and regular inspections are necessary.

Anonymization and Data Business
Converting personal information into anonymous data reduces legal risk but can lower data utility.
To increase data value while reducing legal concerns, you should keep only minimal identifying information and use a combination of techniques like encryption, anonymization, and pseudonymization.

AI Decision Response Rights and Automated Security

We're in an era where AI automatically detects and responds to security threats. AI shows excellent results in anomaly detection, automated patching, and real-time threat blocking.
Users should have the right to demand explanations for AI-made decisions (explainability, AI decision response rights), so transparent management of logs and supporting data is needed.

Coding, Encryption, and Monitoring in Practice

Sensitive information and session data must be encrypted.
Input validation (whitelist, allowlist) is needed to block malicious data.
Session cookies should not just be deleted -- server-side sessions in Redis or databases also need to be expired. Session expiration periods must comply with legal standards. Access controls must be applied to all pathways including offices, APIs, and databases.
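The server-side expiry point above, as an added example that is not from the original lecture: an in-memory dict stands in for the Redis or database session store, logout removes the server-side entry so a replayed cookie value is useless, and an injectable clock shows the TTL being enforced (the 30-minute TTL is an assumed policy value).

```python
import secrets
import time

# Constructed stand-in for a Redis/database session store: a dict keyed by
# session id, each value holding the user and an absolute expiry time.
SESSION_TTL_SECONDS = 30 * 60  # assumed policy value; align with legal limits


class SessionStore:
    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable clock so expiry can be exercised in tests

    def create(self, user_id):
        # 256-bit random id; the cookie carries this opaque value and nothing else
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "expires": self._clock() + self._ttl}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]  # lazily purge expired sessions
            return None
        return entry["user"]

    def destroy(self, sid):
        """Server-side logout: deleting only the cookie would leave this entry live."""
        self._sessions.pop(sid, None)


def demo():
    now = [1_000.0]
    store = SessionStore(ttl=60, clock=lambda: now[0])
    sid = store.create("alice")
    results = {"fresh": store.lookup(sid)}
    store.destroy(sid)  # logout: the same cookie value replayed after this must fail
    results["after_logout"] = store.lookup(sid)
    sid2 = store.create("bob")
    now[0] += 61  # advance the clock past the TTL
    results["after_ttl"] = store.lookup(sid2)
    return results
```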

  • Compliance with Standards Like OWASP:
    Reference OWASP's secure coding checklist (input validation, authentication/authorization management, session management, encryption, logging, etc.) and reflect them in the development process

  • Combining Regression Tests and Security Tests:
    When adding new features, check that existing features still work correctly (regression testing) and verify no new security vulnerabilities have been introduced

  • Whitelist Input Validation:
    Clearly specify only the allowed range of user input values (whitelist) and block everything else
    Be careful not to expose input rules in too much detail for sensitive information like passwords

Secure coding requires a comprehensive approach: personal/sensitive information protection, insider threat prevention, AI/automated security, encryption/access control, standards compliance, and testing systematization.
You must consider the balance between legal risk and data business, as well as new security requirements of the AI era.


Let me also cover secure coding that reflects practical experience and recent trends.

Vulnerability Management and Automation Tools
Static/dynamic analysis tools: Use automated security diagnostic tools like SAST (static analysis) and DAST (dynamic analysis) during development to find vulnerabilities early

Dependency management: Vulnerabilities in open source libraries and packages are frequent, so periodic inspection with SCA (Software Composition Analysis) tools is needed

Adopting DevSecOps
Integrating development, operations, and security: The DevSecOps culture of naturally embedding security into the development process is spreading. Security automation and checks should be built into every phase -- code writing, building, deployment, and operations

Log Management and Monitoring
Audit logs and real-time monitoring: All significant actions (login, data access, configuration changes, etc.) should be logged and monitored in real-time to detect anomalies immediately

Log preservation and tamper prevention: Logs should be safely stored for a set period, with encryption and integrity verification to prevent tampering
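One way to make the integrity verification above concrete, as an added example and not code from the original lecture: each audit record is tagged with an HMAC over the record and the previous tag, so editing, deleting or reordering an entry breaks the chain at or right after the touched entry. The collector key and the sample events are constructed for this example.

```python
import hashlib
import hmac
import json

# Assumed key held by the log collector, not by the application writing logs.
# Constructed for this example; in practice load it from a KMS or secret store.
COLLECTOR_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # tag "before" the first entry


def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always hashes to the same bytes
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(chain, record, key=COLLECTOR_KEY):
    """Append an audit record; its tag covers the record and the previous tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(key, prev_tag, record)})
    return chain


def verify(chain, key=COLLECTOR_KEY):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev_tag, entry["record"])):
            return i
        prev_tag = entry["tag"]
    return -1


def demo():
    # Constructed sample audit events
    chain = []
    append(chain, {"ts": "2024-01-01T09:00:00Z", "event": "login", "user": "alice", "ok": True})
    append(chain, {"ts": "2024-01-01T09:05:12Z", "event": "export", "user": "alice", "table": "customers"})
    append(chain, {"ts": "2024-01-01T09:06:00Z", "event": "logout", "user": "alice"})
    intact = verify(chain)
    chain[1]["record"]["user"] = "bob"  # edit the middle record in place
    tampered = verify(chain)
    del chain[1]  # remove the entry instead: the next tag no longer links to entry 0
    deleted = verify(chain)
    return intact, tampered, deleted
```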

Vulnerability Response and Security Patches
Rapid patch application: When new vulnerabilities (CVEs, etc.) are discovered, establish procedures for rapid patch application and deployment

User Education and Security Awareness
Social engineering attack response: Technical security measures are important, but so is employee education on social engineering attacks like phishing and spear phishing

Raising security awareness: Continuous education is needed so developers and operators recognize the importance of security as part of their daily routine

Principle of Least Privilege
Minimum privilege assignment: All system and data access should be designed according to the Least Privilege principle, and unnecessary privileges should be revoked immediately

API Security
API Rate Limiting and authentication: APIs should be protected with authentication, authorization checks, rate limiting, and input validation

API Gateway usage: A centralized API Gateway should enable traffic control and threat detection

Cloud and SaaS Environment Security
Cloud-specific security: When using cloud services, additional security measures like access control, key management, and network isolation are needed

Diversifying Security Tests
Penetration testing: Regular penetration tests by external experts should be conducted to prepare for real attack scenarios

Legal and Regulatory Compliance
Compliance with domestic and international privacy laws, GDPR, etc.: Establish security policies and data processing guidelines that comply with the laws of the countries your service targets (e.g., GDPR, Personal Information Protection Act)

Security Engineering and Operational Quality Culture

1. Principles of Security Engineering and Quality Culture
Security engineering is based on clear rules and systems.
Analyze each component of the system and its data flows to identify vulnerabilities, and manage risks by priority through threat modeling (STRIDE, etc.).
Various security controls (firewalls, encryption, access control, etc.) should be designed based on risk, with documented rationale and effectiveness for continuous evaluation and improvement.
When failures or issues occur, thoroughly document the cause and response process to prevent recurrence, and establish a culture of sharing this across the organization.
Sharing information transparently, like open source communities, helps the entire organization learn and improve quality.
Systematize documentation, sharing, and feedback loops so all members can actively participate in security and quality improvement. This reduces anxiety among internal members and forms the foundation for building trustworthy systems.

2. Performance Management and Rollback Strategy
If new code or features show degraded performance compared to before, the principle is to quickly roll back to a stable state.
Rollback is a critical strategy for quickly recovering systems during unexpected failures and should be integrated with automated CI/CD pipelines for rapid execution.
After rollback, monitor system normalization in real-time (system availability, performance metrics, error rates, etc.) and use log analysis tools to check for issue recurrence.
Clearly defining rollback criteria (critical errors, performance degradation, etc.) and role assignments (team lead, developers, operations, etc.) speeds up incident response.
Performance improvements must be justified with algorithm optimization, tuning, and measurable metrics (benchmarks, indicators). Iterative improvement and data-driven decision-making are needed.

3. Preventing Failure Recurrence and Organizational Culture
When failures occur, thoroughly document the root cause analysis and resolution process, and share them across the organization.
Prevent the same issues from recurring through repeated learning and improvement.
Documentation should not be mere records but a knowledge base that the entire organization can reference.
Use accessible systems (wikis, document repositories, etc.) where anyone can easily check and contribute.
Raise security awareness and response capabilities within the organization through security training and regular reviews and retrospectives.
Foster an environment where practitioners proactively share problems and propose improvements.

4. Server Health Checks and Log Management
You can use health check solutions like Varnish to periodically verify that servers are operating normally.
See Naver D2 Blog Article for reference.
Varnish periodically sends requests to backend servers to check response status, and marks servers as unhealthy after a certain number of failures. This enables early failure detection and automatic traffic rerouting.
For log management across different parts, use the ELK (Elasticsearch, Logstash, Kibana) stack.
Collect and process logs from various sources through Logstash, store them in Elasticsearch, and visualize/analyze with Kibana.
Logs should be structured (Structured Logging), categorized by level (DEBUG, INFO, WARN, ERROR, FATAL), and be careful not to include sensitive information.
Server setup automation uses tools like Chef, and Chef Automate logs should be managed in conjunction with systemd (journald). Log levels can be finely configured via TOML files.
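The structured-logging points above (one JSON object per line, an explicit level field, no sensitive data), as an added example that is not from the original lecture: a `logging.Formatter` emitting JSON, with a recursive redaction pass over the event's extra fields. The set of sensitive key names and the sample event are constructed for this example.

```python
import json
import logging

# Constructed list of field names that must never reach the log store.
SENSITIVE_KEYS = {"password", "token", "authorization", "card_number", "ssn"}


def redact(obj):
    """Recursively replace sensitive values so redaction also covers nested fields."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class JsonFormatter(logging.Formatter):
    """One JSON object per line; level and fields are keys Logstash/Kibana can filter on."""
    def format(self, record):
        doc = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S%z"),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        fields = getattr(record, "fields", None)  # set via logger.info(..., extra={"fields": {...}})
        if fields:
            doc["fields"] = redact(fields)
        return json.dumps(doc, sort_keys=True)


def make_logger(name="app", stream=None):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)  # DEBUG is dropped here; raise per environment
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def format_event(msg, fields, level=logging.INFO):
    """Render one event through the formatter and parse it back, to inspect the result."""
    record = logging.LogRecord("app", level, __file__, 0, msg, None, None)
    record.fields = fields
    return json.loads(JsonFormatter().format(record))
```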


Watch the little things; a small leak will sink a great ship.

— Benjamin Franklin

