Secure Coding Guidelines

Secure coding principles must be applied to all software development within the Osborn project to ensure code is written securely. These principles apply to the Django backend, the React frontend, and any related components.

For detailed, language-specific rules, please refer to the project's primary coding standards:

Foundation

Secure coding principles at Omnicom must have a foundation based on the latest OWASP Top 10 security risks. Development teams must monitor real-world threats and current advice to continually inform their secure coding practices.

Planning and Prerequisites

Before coding begins, the following must be addressed:

  • Secure Coding Principles: Use approved principles for both in-house and outsourced projects.
  • Vulnerability Awareness: Understand common coding practices that lead to security vulnerabilities.
  • Secure Environments: Configure development environments and tools (like IDEs) to enforce secure coding practices.
  • Library Management:
    • Pin and maintain all third-party and open-source libraries in requirements.txt (Python) and package.json (Node.js), and keep them current.
    • Scan dependencies for known vulnerabilities on every build, using tools such as safety (Python) or npm audit (Node.js) as a CI/CD pipeline step that fails the build rather than a manual check.
    • Do not use libraries with known high or critical vulnerabilities.
  • SBOM: Maintain an up-to-date Software Bill of Materials (SBOM) to inventory all third-party and open-source libraries.
  • Threat Modeling: Incorporate threat modeling in the design phase, with special consideration for threats specific to Osborn's multi-tenant AWS architecture (e.g., data segregation, IAM policies).
  • Endpoint Security: Never use user endpoint devices (laptops, desktops) for any development beyond unit development and unit testing that stays on that device. The device must be configured to block all inbound connections.
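The vulnerability-scanning step above, as an added example that is not the project's own code: a Python gate that reads the JSON report produced by `npm audit --json` and fails the CI job when any package sits at high or critical severity, distinguishing direct from transitive dependencies and reporting whether a fix exists. The report layout assumed is npm's auditReportVersion 2 (npm 7 and later); the sample report, its package names and the `audit_gate.py` file name are constructed for illustration. The same shape of gate applies to the JSON output of `safety`, whose field names differ.

```python
"""CI gate: fail the build when `npm audit --json` reports high/critical findings.

Added example (not Osborn project code). Assumes npm's JSON report format
(auditReportVersion 2, emitted by npm 7+); SAMPLE_REPORT below is constructed.
"""
import json
from collections import Counter

# Severities that must block a merge under the library-management rule.
BLOCKING = {"high", "critical"}
# npm's severity scale, lowest to highest; used for sorting and the summary line.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def blocking_findings(report: dict, blocking=BLOCKING) -> list:
    """Return one record per vulnerable package at a blocking severity.

    npm's v2 report keys `vulnerabilities` by package name; each entry carries
    the package's overall severity, whether it is a direct dependency, and a
    `fixAvailable` field that is True, False, or a dict describing a fix that
    needs a semver-major upgrade.
    """
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        severity = entry.get("severity", "info")
        if severity not in blocking:
            continue
        fix = entry.get("fixAvailable", False)
        findings.append({
            "package": name,
            "severity": severity,
            "direct": bool(entry.get("isDirect", False)),
            "fix_available": bool(fix),
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    # Most severe first, then by name, so the first line is the one to act on.
    findings.sort(key=lambda f: (-SEVERITY_ORDER.index(f["severity"]), f["package"]))
    return findings


def audit_gate(report_json: str) -> tuple:
    """Parse an `npm audit --json` document and return (exit_code, summary text)."""
    report = json.loads(report_json)
    findings = blocking_findings(report)
    if not findings:
        return 0, "npm audit: no high/critical vulnerabilities"
    counts = Counter(f["severity"] for f in findings)
    breakdown = ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER if counts[s])
    lines = [f"npm audit: {len(findings)} blocking finding(s) ({breakdown})"]
    for f in findings:
        kind = "direct" if f["direct"] else "transitive"
        fix = ("fix available (semver-major)" if f["fix_is_breaking"]
               else "fix available" if f["fix_available"] else "no fix available")
        lines.append(f"  {f['severity']:<8} {f['package']} [{kind}] - {fix}")
    return 1, "\n".join(lines)


# Constructed report in the shape of npm's auditReportVersion 2 output.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "critical",
                           "isDirect": False, "fixAvailable": True},
        "example-widget": {"name": "example-widget", "severity": "high",
                           "isDirect": True,
                           "fixAvailable": {"name": "example-widget",
                                            "version": "2.0.0", "isSemVerMajor": True}},
        "example-util": {"name": "example-util", "severity": "moderate",
                         "isDirect": True, "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
})

if __name__ == "__main__":
    import sys
    # In CI (file name is illustrative):
    #   npm audit --json > audit.json || true; python audit_gate.py audit.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = audit_gate(data)
    print(summary)
    sys.exit(code)
```

`npm audit --audit-level=high` already exits non-zero on high or critical findings, so the parser earns its place only when the pipeline needs more than pass/fail: listing which direct dependencies need a semver-major upgrade, or recording the findings beside the SBOM for the release.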

Considerations During Coding

During the coding process, developers should consider the following:

  • Language-Specific Practices: Adhere to the secure coding practices outlined in the project-specific standards for Python/Django and TypeScript/React.
  • Input Validation: Always validate and sanitize input from untrusted sources. For example, in the Django backend, use DRF serializers for robust validation. The serializer below is the one from the backend guidelines with its indentation and imports restored, the uniqueness check moved after normalisation so that "Foo@example.com" and "foo@example.com" cannot both register, and a create() that hashes the password (ModelSerializer's default create() would store it as submitted). Note that "Email already exists" lets a caller enumerate registered addresses; decide during threat modeling whether the registration endpoint may reveal that.

    ```python
    # Example from backend/development-guidelines/best-practices.md
    from django.contrib.auth import get_user_model
    from rest_framework import serializers

    User = get_user_model()

    class UserRegistrationSerializer(serializers.ModelSerializer):
        password = serializers.CharField(write_only=True, min_length=8)  # never echoed back

        class Meta:
            model = User
            fields = ['email', 'username', 'password']

        def validate_email(self, value):
            # Normalise first, then check, so case variants of one address collide
            value = value.lower()
            if User.objects.filter(email__iexact=value).exists():
                raise serializers.ValidationError("Email already exists")
            return value

        def create(self, validated_data):
            # create_user hashes the password; the default create() would store it raw
            return User.objects.create_user(**validated_data)
    ```
  • Insecure Design: Prohibit the use of insecure design techniques, such as hard-coded passwords or unauthenticated web services. All secrets must be managed via environment variables or a secrets manager.
  • SLSA Framework: Development teams should work toward establishing the Build L1 level of compliance with the Supply-chain Levels for Software Artifacts (SLSA) framework. More information can be found at slsa.dev.
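The secrets rule above, as an added example that is not Osborn code: the prohibited hard-coded form beside a loader that resolves each secret from the environment first and from an injected secrets-manager lookup second, and refuses to start on a missing or placeholder value. The `fetch` callable and the `DJANGO_SECRET_KEY` and `DB_PASSWORD` variable names are assumptions; in production `fetch` would wrap a real client such as boto3's `get_secret_value`, which is deliberately not imported so the example runs offline. The 50-character, 5-distinct-character floor for SECRET_KEY mirrors Django's own security.W009 system check.

```python
"""Secret handling: the prohibited hard-coded form beside a fail-fast loader.

Added example, not Osborn project code. `fetch` is an injected callable that
stands in for a secrets-manager client (e.g. a wrapper around boto3's
secretsmanager get_secret_value); nothing here talks to AWS.
"""
import os
from typing import Callable, Mapping, Optional

# --- Prohibited (insecure design): the credential ships in source, git history
# --- and every build artefact, and rotating it requires a code change.
DB_PASSWORD_HARDCODED = "correct-horse-battery-staple"


class MissingSecret(RuntimeError):
    """Raised at import/startup so a misconfigured deployment fails closed."""


def load_secret(name: str,
                environ: Mapping[str, str] = os.environ,
                fetch: Optional[Callable[[str], Optional[str]]] = None,
                min_length: int = 16,
                min_unique: int = 1) -> str:
    """Resolve `name` from the environment, else from `fetch`, else fail.

    Environment wins so local development and CI can inject values without a
    secrets-manager round trip; production leaves the variable unset and relies
    on `fetch`. Empty, short or repetitive values are rejected: an empty key or
    a "changeme" placeholder is a more common failure than an outright leak.
    """
    value = environ.get(name)
    if not value and fetch is not None:
        value = fetch(name)
    if not value:
        raise MissingSecret(f"{name}: not set in environment or secrets manager")
    if len(value) < min_length or len(set(value)) < min_unique:
        raise MissingSecret(f"{name}: too short or too repetitive to be a real secret")
    return value


def django_secret_settings(environ: Mapping[str, str] = os.environ,
                           fetch: Optional[Callable[[str], Optional[str]]] = None) -> dict:
    """The secret-bearing subset of Django settings, with no literal secrets.

    The SECRET_KEY thresholds (50 chars, 5 distinct) match Django's security.W009
    check, so a key accepted here also passes `manage.py check --deploy`.
    """
    return {
        "SECRET_KEY": load_secret("DJANGO_SECRET_KEY", environ, fetch,
                                  min_length=50, min_unique=5),
        "DATABASES": {"default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": environ.get("DB_NAME", "app"),
            "USER": environ.get("DB_USER", "app"),
            "PASSWORD": load_secret("DB_PASSWORD", environ, fetch),
            "HOST": environ.get("DB_HOST", "localhost"),
        }},
    }


if __name__ == "__main__":
    # Constructed stand-in for a secrets manager; real code would call AWS here.
    vault = {"DJANGO_SECRET_KEY": "abcdefghij" * 5, "DB_PASSWORD": "example-db-pass-0123"}
    settings = django_secret_settings(environ={}, fetch=vault.get)
    print("SECRET_KEY length:", len(settings["SECRET_KEY"]))
    try:
        load_secret("DB_PASSWORD", environ={"DB_PASSWORD": "changeme"})
    except MissingSecret as exc:
        print("rejected:", exc)
```

Because the loader runs while settings are imported, a container started without its secrets exits immediately with a clear message instead of serving requests with an empty SECRET_KEY; pair it with a CI grep or secret scanner so a literal like `DB_PASSWORD_HARDCODED` above never reaches a merge.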