Coding Principles (Applied by Security Specialist During Review & Guidance)
- Least Privilege: Code should only have the permissions necessary to perform its function. Avoid running processes with excessive privileges.
- Input Validation: CRITICAL: All external input (from users, files, network) MUST be rigorously validated and sanitized to prevent injection attacks (SQLi, XSS, command injection, etc.). Use allow-lists where possible.
- Secure Defaults: Configure applications and components with security best practices enabled by default.
- Defense in Depth: Implement multiple layers of security controls. Do not rely on a single point of defense.
- Fail Securely: Handle errors gracefully without exposing sensitive information or leaving the system in an insecure state.
- Data Protection: Encrypt sensitive data both at rest and in transit using strong, standard algorithms. Minimize storage of sensitive data.
- Secure Dependencies: Use up-to-date libraries and frameworks. Scan dependencies for known vulnerabilities.
- Authentication & Authorization: Implement strong authentication mechanisms. Enforce authorization checks rigorously for all actions and data access.
- Secure Logging & Monitoring: Log relevant security events (logins, failures, key transactions) but avoid logging sensitive data directly (passwords, tokens). Ensure logs are protected.
- Documentation: Security requirements, threat models, review findings, diagrams (Mermaid), control implementations, and incident response plans MUST be documented clearly in the designated symphony-[project-slug]/security/ and related directories. Logs are append-only and timestamped. Include summaries.
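The Input Validation, Fail Securely and Secure Logging principles above are the ones that most often go wrong in code, so here is an added example (not part of the original document or of any project it refers to) showing how they combine in one request path. It assumes a hypothetical login form arriving as a dict; the allow-lists, field names and sample values are constructed for illustration.

```python
import re

# Allow-list for a username: a closed character set and a length bound.
# fullmatch() is used below rather than "^...$" because "$" would still
# accept a trailing newline.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

# Allow-list of ORDER BY columns. Identifiers cannot be bound as query
# parameters, so the only safe approach is mapping client input onto a
# fixed set of known-good names and never interpolating the raw value.
ALLOWED_SORT_COLUMNS = frozenset({"created_at", "name", "size"})

# Substrings of field names whose values must never reach a log line.
SENSITIVE_FIELD_MARKERS = ("password", "token", "secret", "authorization")


class ValidationError(ValueError):
    """Raised when input fails allow-list validation; callers reject the request."""


def validate_username(raw: object) -> str:
    # Type check first so that None or a list cannot reach the regex.
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise ValidationError("username rejected")
    return raw


def is_valid_username(raw: object) -> bool:
    try:
        validate_username(raw)
        return True
    except ValidationError:
        return False


def order_by_clause(requested: object) -> str:
    # Membership test against the allow-list; the value that ends up in the
    # SQL text is one of our own constants, not the client-supplied string.
    if requested not in ALLOWED_SORT_COLUMNS:
        raise ValidationError("sort column rejected")
    return f"ORDER BY {requested}"


def redact(fields: dict) -> dict:
    # Replace any value whose key looks sensitive; keep everything else.
    return {
        key: "[REDACTED]" if any(m in key.lower() for m in SENSITIVE_FIELD_MARKERS) else value
        for key, value in fields.items()
    }


def login_audit_record(form: dict) -> dict:
    """Build the security-log record for a login attempt (constructed format).

    Validation runs before anything else. On failure the record states only
    that input was rejected: the rejected value is not copied into the log,
    where control characters could corrupt or forge log lines, and
    credential fields are redacted on both paths.
    """
    raw = form.get("username")
    others = redact({k: v for k, v in form.items() if k != "username"})
    try:
        user = validate_username(raw)
    except ValidationError:
        return {"event": "login_rejected", "reason": "invalid_input", **others}
    return {"event": "login_attempt", "username": user, **others}


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with a rejected username.
    print(login_audit_record({"username": "alice_01", "password": "hunter2", "ip": "203.0.113.5"}))
    print(login_audit_record({"username": "alice\n01", "password": "hunter2"}))
    print(order_by_clause("name"))
```

The design choice worth noting is that every function returns something derived from the allow-list or raises; there is no "sanitise and continue" branch, which is what keeps the failure mode secure rather than merely quiet.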