The information in this page is for guidance only. It is not a complete list of all security measures you should take, and should not be taken as definitive advice.
Attackers can try to steal card data by exploiting weaknesses in your systems. To protect your data, and that of your customers, make sure that you implement the security measures described on this page.
Secure coding practices are essential for protecting your applications and systems from attackers and ensuring the integrity of your data. The most important secure coding practices are to:
- Avoid common vulnerabilities to prevent threats such as SQL injection and cross-site scripting.
- Implement a secure development lifecycle to integrate security throughout your development process.
- Use code analysis tools to identify vulnerabilities through static and dynamic analysis.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description |
|---|---|
| Integration type | The information on this page is relevant for all Adyen integrations. |
Common vulnerabilities
Vulnerabilities in applications can be exploited by attackers to steal data or disrupt services. Here are some of the most frequently seen vulnerabilities and how to avoid them.
-
SQL injection: an attacker is able to execute SQL code by manipulating input fields.
To prevent SQL injection, use parameterized queries or prepared statements to ensure that user input is treated as data, not executable code. Validate and sanitize all input to ensure the input conforms to expected formats.
-
Cross-site scripting (XSS): an attacker injects malicious scripts into web pages that users are viewing.
To prevent XSS, encode output data to ensure that content provided by the user is treated as text, not executable code. Use secure frameworks that automatically handle encoding.
-
Cross-site request forgery (CSRF): after users have authenticated with an application, an attacker tricks the users into performing actions they did not intend to do.
To prevent CSRF, implement anti-CSRF tokens that validate requests and ensure they originate from legitimate sources. Require re-authentication for sensitive actions.
-
Insecure direct object references (IDOR): an application exposes internal implementation objects like files or database keys, enabling an attacker to gain access.
To prevent IDOR, implement access controls and authorization checks. Avoid exposing internal object references in URLs or form parameters.
Secure development lifecycle
Secure development lifecycle refers to integrating security into every phase of the software development process. The following table gives examples of what you can do in the main software development phases.
| Development phase | Security actions |
|---|---|
| Planning | Define security requirements based on business needs and regulatory compliance. Use threat modeling to identify potential threats and attack vectors. |
| Design | Create a secure architecture based on principles such as least privilege and secure defaults. Perform security design reviews. |
| Implementation | Follow secure coding guidelines to avoid vulnerabilities. Perform code reviews. |
| Testing | Use static analysis tools to identify vulnerabilities in the source code without executing it. Use dynamic analysis tools and penetration testing to evaluate the security of the running application. |
| Deployment | Ensure a secure configuration of the deployment environment, including servers, databases, and network components. Implement monitoring and logging to detect and respond to security incidents in real-time. |
| Maintenance | Set up patch management to address newly discovered security issues. Set up and maintain an incident response plan to quickly address security breaches. |
Code analysis tools
Code analysis tools are intended to identify security vulnerabilities, ensure code quality, and maintain compliance with secure coding standards.
Reasons to use code analysis tools are:
- Early detection: code analysis tools help detect vulnerabilities early in the development process, reducing the cost and effort it takes to fix security issues later.
- Consistency: code analysis tools provide a consistent and automated way to enforce security policies.
- Comprehensive coverage: code analysis tools can analyse a large codebase more thoroughly and quickly than a human reviewer.
To benefit the most from code analysis tools, you should:
- Integrate the tools into your development environment and CI/CD pipeline.
- Customize the tools to match your security requirements and coding standards, and to focus on the most critical issues for your application.
- Perform regular scans, for example during commits, build processes, and pre-release stages, to catch new vulnerabilities introduced during development.
- Use the reporting features to review the results of code scans, and prioritize fixing any identified vulnerabilities.