Security Standards

Priority: P0 (CRITICAL)

🛡 Data Safeguarding

• Zero Trust: Never trust external input. Sanitize and validate every data boundary (API, UI, CSV).
• Least Privilege: Grant minimum necessary permissions to users, services, and containers.
• No Hardcoded Secrets: Use environment variables or secret managers. Never commit keys or passwords.
• Encryption: Use modern, collision-resistant algorithms (AES-256 for data-at-rest; TLS 1.3 for data-in-transit).
• PII Logging: Never log PII (email, phone, names). Mask sensitive fields before logging.

🧱 Secure Coding Practices

• Injection Prevention: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
• Dependency Management: Regularly scan (

  audit

  ) and update third-party libraries to patch CVEs.
• Secure Auth: Implement Multi-Factor Authentication (MFA) and secure session management.
• Error Privacy: Never leak stack traces or internal implementation details to the end-user.

🔍 Continuous Security

• Shift Left: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
• Data Minimization: Collect and store only the absolute minimum data required for the business logic.
• Logging: Maintain audit logs for sensitive operations (Auth, Deletion, Admin changes).

Anti-Patterns

• No secrets in Git: Use secret managers or env vars; rotate immediately if exposed.
• No raw SQL strings: Use parameterized queries or ORMs — always.
• No stacktraces in prod: Return generic error codes; log full detail server-side.
• No default passwords: Force rotation on first use with strong entropy requirements.

📚 References

• Injection Testing Protocols (SQLi/HTMLi)
• Vulnerability Remediation & Secure Patterns