o Following secure coding practices [SSDF PW 5.1] for web and mobile applications to
ensure that they properly validate user input and generate strong user IDs.
  - Use indirect reference maps, so that internal IDs, names, and keys are not exposed in
    URLs. Replace them with cryptographically strong random values, for example a
    version 4 (random) UUID/GUID as defined in Request for Comments (RFC) 4122. Note:
    RFC 4122 itself states that UUIDs should not be used as security capabilities
    (identifiers whose mere possession grants access). An unguessable reference limits
    enumeration; it never replaces the authorization check on the resolved object.
  - Configure applications to deny access by default and ensure the application
    performs authentication and authorization checks for every request that modifies
    data, deletes data, or accesses sensitive data. For example:
  - Normalize requests. There are many ways to encode and decode web inputs. Decode
    and normalize inputs before the access control checkpoint evaluates them, and
    ensure the access control system and the rest of the web application apply the
    same normalization, so that a differently encoded identifier cannot slip past a
    check that the data layer would still honor.
  - Implement parameter verification using both syntactic and logical validation, such
    that the web application validates every input received with every HTTP/S request.
    Rejecting invalid requests early reduces the burden on the access control system.
  - Syntactic validation verifies that each incoming value meets the application's
    expectations: strings are within the required minimum and maximum length and
    contain no unacceptable characters, numeric values fall within their minimum and
    maximum bounds, and the input is of the expected data type.
  - Logical validation adds checks that the input values make sense and are consistent
    with the design intent. When doing logical validation, verify that authorization
    checks are performed in the correct locations and do not all depend on a single
    mechanism, and that failed authentication and authorization requests are handled as
    errors rather than falling through.
  - Use CAPTCHA to limit automated invalid user requests where feasible.
  - Use memory-safe programming languages where possible.
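As an added example (not code from the advisory), the following Python sketch applies the practices above to a single "GET /documents/<ref>" handler: a per-session indirect reference map that hides internal IDs behind random 128-bit tokens, normalization before validation, syntactic validation of the reference, and a deny-by-default ownership check that still runs after the map resolves. The document store, the users, and all function names are constructed for the demonstration.

```python
import re
import secrets
import urllib.parse

# Constructed backing store. The integer keys are the internal IDs that must
# never appear in a URL; the indirect reference map hides them.
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-payroll.pdf"},
    102: {"owner": "bob", "title": "bob-contract.pdf"},
}
# Syntactic rule for a public reference: exactly 32 lowercase hex characters.
REF_PATTERN = re.compile(r"[0-9a-f]{32}")


class AccessDenied(Exception):
    """Raised on every path that is not an explicit allow (deny by default)."""


class ReferenceMap:
    """Per-session indirect reference map: opaque random token <-> internal ID.
    A token is minted only for objects the session is entitled to, so a client
    cannot name an object it was never handed a reference for. This limits
    enumeration; it does not replace the ownership check in get_document()."""

    def __init__(self):
        self._to_internal = {}
        self._to_public = {}

    def reference_for(self, internal_id):
        if internal_id not in self._to_public:
            token = secrets.token_hex(16)  # 128 random bits, never sequential
            self._to_public[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_public[internal_id]

    def resolve(self, token):
        return self._to_internal.get(token)  # None for an unknown token


def normalize(raw_ref):
    """Decode and canonicalize once, before any check looks at the value, so the
    access-control layer and the data layer compare the same string."""
    return urllib.parse.unquote(raw_ref).strip().lower()


def validate_ref(ref):
    """Syntactic validation: type, length and character set. Anything else is
    rejected before it can reach the reference map or the store."""
    if not isinstance(ref, str) or not REF_PATTERN.fullmatch(ref):
        raise ValueError("malformed document reference")
    return ref


def get_document(session, raw_ref):
    """Handle 'GET /documents/<raw_ref>' for an authenticated session."""
    ref = validate_ref(normalize(raw_ref))
    internal_id = session["refs"].resolve(ref)
    if internal_id is None:
        raise AccessDenied("unknown reference")
    doc = DOCUMENTS.get(internal_id)
    # Logical validation: the ownership check still runs even though the map
    # resolved; both layers must agree before anything is returned.
    if doc is None or doc["owner"] != session["user"]:
        raise AccessDenied("not the owner")
    return doc


def new_session(user):
    """Create a session whose reference map knows only the user's own objects."""
    refs = ReferenceMap()
    for internal_id, doc in DOCUMENTS.items():
        if doc["owner"] == user:
            refs.reference_for(internal_id)
    return {"user": user, "refs": refs}


def demo():
    """Returns (owner_can_read, replayed_ref_denied, raw_id_rejected)."""
    alice, bob = new_session("alice"), new_session("bob")
    ref = alice["refs"].reference_for(101)
    owner_can_read = get_document(alice, ref)["title"] == "alice-payroll.pdf"
    try:  # Bob replays Alice's reference: not in his map, so denied.
        get_document(bob, ref)
        replayed_ref_denied = False
    except AccessDenied:
        replayed_ref_denied = True
    try:  # Classic IDOR probe: URL-encoded internal ID "102" fails validation.
        get_document(alice, "%31%30%32")
        raw_id_rejected = False
    except ValueError:
        raw_id_rejected = True
    return owner_can_read, replayed_ref_denied, raw_id_rejected
```

The order of operations is the point: decode and normalize first, validate syntax second, resolve the indirect reference third, and only then check ownership. Keeping the ownership check even after a successful map lookup is what the RFC 4122 caveat about security capabilities calls for; the random token only stops an attacker from guessing references.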
o Testing code to identify vulnerabilities and verify compliance with security requirements
[SSDF PW 8.2].
  - Use automated testing tools to facilitate testing, fuzz testing tools to find issues with
    input handling,[8] and penetration testing to simulate how a threat actor may exploit the
    software. Consider using dynamic application security testing (DAST) tools to identify
    IDOR vulnerabilities in web applications.
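To show what the DAST or penetration-testing step is looking for, here is an added Python example (not a tool from the advisory) of a cross-account IDOR check: every object is requested with every non-owner's session, and any success that returns the real record is a finding. The two handlers, the records, and the helper names are constructed for the demonstration; a real scanner would send HTTP requests with captured session cookies instead of calling a function.

```python
# Constructed records: sequential IDs with a distinct owner each, the classic
# shape in which IDOR shows up.
RECORDS = {
    1: {"owner": "alice", "ssn": "***-**-1111"},
    2: {"owner": "bob", "ssn": "***-**-2222"},
    3: {"owner": "carol", "ssn": "***-**-3333"},
}


def vulnerable_handler(session_user, object_id):
    """Looks the record up by the client-supplied ID and never checks the owner."""
    rec = RECORDS.get(object_id)
    return (200, rec) if rec else (404, None)


def fixed_handler(session_user, object_id):
    """Deny by default. Returns 404 rather than 403 for someone else's record so
    the response does not confirm that the ID exists (a design choice here)."""
    rec = RECORDS.get(object_id)
    if rec and rec["owner"] == session_user:
        return (200, rec)
    return (404, None)


def idor_scan(handler, records):
    """Cross-account check: request every object with every non-owner session.
    Returns a list of (attacker, object_id, owner) tuples that succeeded."""
    users = sorted({r["owner"] for r in records.values()})
    findings = []
    for object_id, rec in records.items():
        for attacker in users:
            if attacker == rec["owner"]:
                continue
            status, body = handler(attacker, object_id)
            # Matching the body against the known record rules out a decoy
            # or error page that happens to come back with 200.
            if status == 200 and body == rec:
                findings.append((attacker, object_id, rec["owner"]))
    return findings


def enumerate_ids(handler, session_user, probe_range):
    """Sequential-ID probe from one session: which IDs answer 200 at all.
    Any 200 on an ID the user does not own is the IDOR signal."""
    return [i for i in probe_range if handler(session_user, i)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", idor_scan(vulnerable_handler, RECORDS))
    print("fixed:", idor_scan(fixed_handler, RECORDS))
    print("alice sees:", enumerate_ids(vulnerable_handler, "alice", range(1, 6)))
```

Two sessions are enough to run the scan for real: everything the scanner needs is a second account it controls and a list of object references each account was legitimately given. The enumeration probe is the fuzzing counterpart, walking a range of IDs to see how far a single session can reach.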
o Conducting role-based training [SSDF PO 2.2] for personnel responsible for secure
software development.
o Exercising due diligence when selecting third-party libraries or frameworks to
incorporate into your application [SSDF PW 4.1].
  - Review and evaluate third-party components in the context of their expected use.
  - Verify the integrity of the product through hash or signature verification.
  - If provided, review the component's Software Bill of Materials (SBOM) for outdated,
    vulnerable, or unauthorized components before using it.
  - Keep all third-party frameworks and dependencies up to date to limit vulnerability
    inheritance. Note: Organizations should maintain an inventory or catalog of third-party