Common Security Pitfalls in Software development

Are You Leaving Security Holes in Your Code?

Even the most experienced developers can make security mistakes that leave their applications vulnerable. Hard-coded secrets, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and outdated dependencies are just a few of the most common pitfalls developers fall into when writing software.

Security should never be an afterthought. Writing secure code isn't just about following best practices; it’s about proactively avoiding vulnerabilities that could put your application, data, and users at risk.

In this blog, we’ll break down 8 critical security mistakes developers often make and provide practical examples of how to avoid them. Whether you're building APIs, web applications, or enterprise software, these tips will help you write secure and maintainable code.

1. Hard-coded Secrets in Code

Mistake: Storing secrets like API keys, database credentials, or encryption keys directly in the code is one of the most dangerous mistakes you can make.

Solution: Use environment variables or a secrets management tool to securely store sensitive information.

package main

import (
	"fmt"
	"os"
)

func main() {
	apiKey := os.Getenv("API_KEY") // Retrieve API Key from environment variables
	if apiKey == "" {
		fmt.Println("API key is missing!")
	} else {
		fmt.Println("API key is securely retrieved!")
	}
}

Use tools like HashiCorp Vault or AWS Secrets Manager to manage secrets securely.

2. SQL Injection Vulnerabilities

Mistake: Writing raw SQL queries that are susceptible to SQL injection is one of the most common mistakes in web development.

Solution: Always use prepared statements or an ORM (Object-Relational Mapper) to safely interact with the database.

package main

import (
	"database/sql"
	"fmt"
	"log"
	_ "github.com/go-sql-driver/mysql"
)

func getUserById(db *sql.DB, userId int) (*User, error) {
	var user User
	query := "SELECT id, name, email FROM users WHERE id = ?"
	err := db.QueryRow(query, userId).Scan(&user.ID, &user.Name, &user.Email)
	if err != nil {
		return nil, err
	}
	return &user, nil
}

By using prepared statements, Go automatically escapes user input, preventing SQL injection attacks.

3. Cross-Site Scripting (XSS)

Mistake: Failing to sanitize user input in web applications, which allows malicious scripts to be injected into the browser and run on other users' sessions.

Solution: Always sanitize user input before rendering it in HTML. Use libraries to help with escaping content.

package main

import (
	"html"
	"net/http"
)

func handleRequest(w http.ResponseWriter, r *http.Request) {
	userInput := r.URL.Query().Get("message")
	// Escape the user input to prevent XSS attacks
	escapedInput := html.EscapeString(userInput)
	w.Write([]byte("<h1>" + escapedInput + "</h1>"))
}

This ensures that any user input will be displayed as plain text rather than executable HTML or JavaScript.

4. Cross-Site Request Forgery (CSRF)

Mistake: Failing to protect against CSRF, where an attacker forces an authenticated user to perform actions they didn’t intend to on a website.

Solution: Implement anti-CSRF tokens to ensure that requests made to the server are coming from an authenticated source.

package main

import (
	"fmt"
	"net/http"
	"golang.org/x/crypto/bcrypt"
)

func login(w http.ResponseWriter, r *http.Request) {
	// Generate CSRF token and add it to the session
	csrfToken := generateCSRFToken()
	// Send the token to the client
	w.Header().Set("X-CSRF-Token", csrfToken)
	// Validate token on form submission
}

func generateCSRFToken() string {
	// Generate a random token (for demonstration purposes)
	token := "secureRandomToken"
	hash, _ := bcrypt.GenerateFromPassword([]byte(token), bcrypt.DefaultCost)
	return string(hash)
}

Make sure you validate the CSRF token on the server-side to prevent unwanted actions from being triggered by external sources.

5. Improper Authentication and Authorization

Mistake: Using insecure methods of authentication (e.g., storing passwords in plaintext) or improper authorization controls that grant unauthorized users access.

Solution: Use secure authentication methods (JWT, OAuth2) and hash passwords using secure algorithms (e.g., Argon2, bcrypt).

package main

import (
	"fmt"
	"golang.org/x/crypto/bcrypt"
)

func hashPassword(password string) (string, error) {
	// Hash the password using bcrypt
	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return "", err
	}
	return string(hashedPassword), nil
}

func checkPasswordHash(password, hash string) bool {
	// Compare the hashed password with the provided password
	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
	return err == nil
}

func main() {
	password := "supersecret123"
	hash, _ := hashPassword(password)
	fmt.Println("Hashed Password: ", hash)
}

Always store passwords in a hashed format and use secure token-based authentication mechanisms.

6. Outdated Dependencies

Mistake: Using outdated dependencies can lead to vulnerabilities if known exploits are present in older versions of libraries.

Solution: Regularly update your dependencies and use tools like go get -u to ensure you're always using the latest versions of libraries.

go get -u github.com/gin-gonic/gin

Use Dependabot or similar tools to automate dependency updates and keep your application secure.

7. Insecure HTTP Headers

Mistake: Not setting HTTP security headers properly can leave your app vulnerable to attacks like Clickjacking, XSS, and content sniffing.

Solution: Implement HTTP headers like X-Content-Type-Options, Strict-Transport-Security, and X-Frame-Options to strengthen security.

package main

import (
	"fmt"
	"net/http"
)

func secureHeaders(w http.ResponseWriter, r *http.Request) {
	// Set security headers
	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Content-Security-Policy", "default-src 'self';")

	// Handle the request
	w.Write([]byte("Security Headers Set"))
}

func main() {
	http.HandleFunc("/", secureHeaders)
	fmt.Println("Server started at :8080")
	http.ListenAndServe(":8080", nil)
}

These headers protect against some of the most common attack vectors, such as clickjacking and cross-site scripting.

8. Lack of Logging and Monitoring

Mistake: Failing to log important events, errors, or suspicious activities, making it harder to detect breaches or vulnerabilities in your system.

Solution: Implement logging mechanisms and monitoring to keep track of user actions and potential threats.

package main

import (
	"log"
	"os"
)

func main() {
	// Open a log file for writing
	file, err := os.OpenFile("app.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0666)
	if err != nil {
		log.Fatal(err)
	}
	defer file.Close()

	// Set the log output to the file
	log.SetOutput(file)

	// Log an event
	log.Println("User logged in with username: admin")
}

Make sure to log all important events, such as authentication attempts, to quickly detect any suspicious activity.