█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Security Best Practices for Developers
45 minIntermediate

Security Best Practices for Developers

After this lesson, you will be able to: Apply the core secure-development principles that cut across every vulnerability class: defense in depth, least privilege, secure by default, input validation, secrets management, dependency auditing, and code review.

Individual fixes patch individual bugs. These principles prevent whole classes of them. This lesson collects the security best practices a professional developer applies on every project, the habits that make insecure code the exception rather than the default.

Prerequisites:Top Security Threats

The core principles

Defense in depth: layer controls so no single failure is fatal (WAF + input validation + parameterized queries + least-privilege DB user all guard against injection). Least privilege: every user, service, and credential gets the minimum access needed, nothing more (the Capital One IAM role should never have had broad S3 access). Secure by default: the safe configuration is the out-of-the-box one; security is opt-out, not opt-in. Fail securely: when something errors, deny rather than allow. These principles are why a single mistake does not become a breach.

Input validation and output encoding

Never trust input; encode for the context you output into.

tsx
// VALIDATE input against an allow-list (what's permitted), not a deny-list
const schema = z.object({
email: z.string().email(),
age: z.number().int().min(13).max(120),
role: z.enum(['student', 'tutor']), // only these are valid
});
const data = schema.parse(req.body); // reject anything else, fail closed
// ENCODE output for its destination context:
// - HTML body: HTML-encode (prevents XSS)
// - SQL: parameterized queries / prepared statements (prevents injection)
// - shell: avoid; if unavoidable, use arg arrays, never string concat
// Rule: validate on input, encode on output, and do both on the server.

Secrets management and dependency auditing

Two habits that prevent a large share of real breaches.

  1. 1

    Secrets: never hardcode API keys, passwords, or tokens in source or commit them to git.

  2. 2

    Load secrets from environment variables or a secrets manager (Vault, AWS Secrets Manager, cloud KMS).

  3. 3

    Rotate secrets regularly and immediately if one leaks; scan repos for committed secrets (git-secrets, truffleHog).

  4. 4

    Dependencies: run npm audit / pip-audit and enable Dependabot/Renovate so known CVEs surface automatically.

  5. 5

    Pin versions with lockfiles and remove unused dependencies (less code, fewer CVEs).

  6. 6

    Gate CI on High/Critical findings so a vulnerable dependency fails the build.

Code review for security (a checklist)

Security-focused review catches what scanners miss. On every pull request, ask: Is all user input validated and output encoded? Are database queries parameterized? Does every endpoint check authentication AND authorization (ownership + role)? Are secrets kept out of the code and logs? Are errors generic to the user and detailed only in server logs? Are new dependencies necessary and audited? Are security-relevant events logged? Treat a 'no' to any of these as a blocking comment, the same as a failing test.

Quick Check

What does 'defense in depth' mean, and why does it matter?

Pick the best answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Top Security Threats and the Frameworks That Map Them
Back to Application Security
Security Code Review→