Name: Security best practices for Go & Java
Rating: 2.2 (4995 reviews)
Author: mohanarpit

TL;DR notes from articles I read today.

You should validate user entries (using native Go packages or 3rd party packages) not only for functionality but also to avoid attackers sending intrusive data.
Use HTML templates to cover the vulnerability of XSS. You can use the html/template package to sanitize JavaScript executables.
Ensure each database user has limited permissions, that you are validating user inputs and that you are using parameterized queries to protect yourself from SQL injections.
Make the best use of Go’s crypto package to encrypt sensitive information.
Enforce HTTPS communication and implement in-transit encryption even for internal communication.
Remember that error messages and error logs can expose sensitive information. Use the native library in Go for logs or third-party options like logrus, glog or logo.

Full post here, 6 mins read

Protect against SQL injections by binding variables in prepared statements, using the prepareStatement() function to validate inputs.
Returning mutable objects leaves you vulnerable to unexpected changes in your class state. Instead, use an unmodifiable/immutable collection or a copy of a mutable object to return.
Avoid including XSS characters in log messages. Manually sanitize each parameter and configure your logger service to replace such characters.
Always validate user input, especially when dealing with files whose location might be specified by user input.
Replace predictable random values (java.util.Random) based on clock tickets or other predictable parameters with a secure random class and functions.
Eliminate dynamic class loading.

Full post here, 4 mins read

More than 70% of exploited applications are due to outdated dependencies. Ensure dependencies are up to date by using the latest packages and automating dependency management.
Explicitly declare acceptable user payloads and use database-level constraints, like maximum column size, refusing null values, etc.
Assert safe regular expressions.
Limit requests by IP address or user agent.
Store credentials outside your codebase, separating application configuration from code.
Disable HTTP requests to your server unless very specific use cases demand it. Enable certificate checking for outgoing connections so that communication with third-party APIs or services are also secured by HTTPS.

Full post here, 9 mins read