The following checklist identifies basic security issues that should be checked at every patch check-in. It represents a first line of security control against vulnerable code reaching production. It is a starting point, and the community is encouraged to get involved and improve the list.

Scenarios where this checklist could be used:

a. Review another developer's patch against secure coding best practices.

b. Review own patch against secure coding best practices.

c. Retroactively review a code module against secure coding best practices.

Secure Coding Checklist:

1- Contextual encoding is applied:

Ensures that all dynamic data is properly encoded for the context in which it is output (HTML body, attribute, JavaScript, URL) to prevent cross-site scripting attacks.

Code Review Tasks:

2- Sanitize user data:

Ensures that user-supplied data is properly sanitized to prevent cross-site scripting and injection attacks.

Code Review Tasks:

3- Use parameterized SQL statements:

Ensures that SQL statements are securely constructed to prevent SQL injection attacks.
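As an added illustration of this check (example code, not part of the original checklist), the two query styles a reviewer will meet, side by side: the concatenated form to reject and the parameterized form to require. The table, the sample rows and the quote-bearing input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_concat(conn, name):
    """The pattern a reviewer should reject: user data pasted into the SQL text.

    Quote characters in `name` become part of the statement, so the query the
    database executes is no longer the query the developer wrote.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_param(conn, name):
    """The pattern the checklist asks for: placeholder plus bound parameter.

    The statement text is fixed; `name` is sent as a value and compared
    literally, whatever characters it contains.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both styles on an ordinary name and on a quote-bearing test input."""
    conn = make_db()
    ordinary = "alice"
    tricky = "nobody' OR 'a'='a"  # constructed reviewer test case
    return {
        "concat_ordinary": find_email_concat(conn, ordinary),
        "param_ordinary": find_email_param(conn, ordinary),
        "concat_tricky": find_email_concat(conn, tricky),  # matches every row
        "param_tricky": find_email_param(conn, tricky),    # matches nothing
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

During review, any string building (`+`, `%`, f-strings, `.format`) feeding an `execute` call is the signal to look for; the parameterized form is the expected fix.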

Code Review Tasks:

4- File Upload/Download:

Ensures that proper procedures have been followed to prevent path manipulation attacks and unauthorized attempts to access the file system.

Code Review Tasks:

5- Forms should be protected with a token:

Ensures that proper procedures have been followed to prevent cross-site request forgery (CSRF) attacks.

Code Review Tasks:

6- Check authentication status if appropriate:

Ensures that proper checks have been made to prevent attacks that exploit insufficient authentication.

Code Review Tasks:

7- Check authorization status if appropriate:

Ensures that proper checks have been made to prevent unauthorized data access.

Code Review Tasks:

8- The patch does not perform a redirect based on user-controllable data:

Ensures that proper checks have been made to prevent open redirect and HTTP response splitting attacks.

Code Review Tasks:

9- The patch does not disable any security configuration accidentally:

Ensures that proper controls are in place to prevent insecure configuration issues.

Code Review Tasks: