5 Security Checks Every Developer Should Run Before Pushing Code

As developers, we often focus on writing clean, functional code. However, one thing we can't overlook is security. A single oversight can lead to vulnerabilities that compromise user trust and expose sensitive data. In this article, I'll walk through five essential security checks every developer should perform before pushing their code. These steps are not just best practices—they're critical for protecting your application.

---

1. Validate All User Inputs

Why it matters:

Input validation is the first line of defense against attacks like injection vulnerabilities (e.g., SQL, XSS). If user input isn't properly validated, attackers can inject malicious code or manipulate data to access unauthorized information.

How to do it:

• Use pre-built libraries: Frameworks like Django and Ruby on Rails have built-in validation features.
• Sanitize inputs: Remove or escape special characters that could be used in attacks.

Example (Insecure):

# Vulnerable code: No input validation
user_input = request.form['name']
print(user_input)

Example (Secure):

# Safe practice: Use validation and sanitization
from flask import Flask, request
from bleach import clean

app = Flask(__name__)

@app.route('/submit', methods=['POST'])
def submit():
    user_input = request.form['name']
    safe_input = clean(user_input)
    return f"Hello, {safe_input}"

if __name__ == '__main__':
    app.run()

Tools:

• Semgrep: A tool that scans code for security issues and enforces best practices.
• OWASP ZAP: An open-source web application security scanner.

---

2. Prevent SQL Injection

Why it matters:

SQL injection attacks occur when an attacker manipulates database queries to access or modify data. This can lead to data breaches or unauthorized database access.

How to do it:

• Use prepared statements: These separate code from data, preventing injection.
• Avoid using mysqli functions directly; use ORM libraries instead.

Example (Insecure):

# Vulnerable code: Directly injecting user input into SQL
$username = $_GET['username'];
$sql = "SELECT * FROM users WHERE username = '$username'";

Example (Secure):

# Safe practice: Use prepared statements with placeholders
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param('s', $username);
$stmt->execute();

Tools:

• Bandit: A Python AST-based tool that checks for security issues in code.
• Snyk: A developer-friendly tool that integrates with your CI/CD pipeline to detect vulnerabilities.

---

3. Handle Errors Safely

Why it matters:

Error messages can leak sensitive information if not handled properly. Attackers often use these leaks to gain insights into system configurations or data structures.

How to do it:

• Log errors internally: Avoid exposing error details in responses.
• Redact sensitive information from logs and messages.

Example (Insecure):

# Vulnerable code: Revealing database connection details
try:
    # Database operation
except Exception as e:
    print(f"Database error: {e}")

Example (Secure):

# Safe practice: Log errors without exposing sensitive data
import logging

logging.basicConfig(level=logging.INFO)

try:
    # Database operation
except Exception as e:
    logging.error(f"Database connection failed. Details redacted.")

Tools:

• Sentry: For monitoring and handling exceptions in production.
• Datadog: Provides error tracking with sensitive data masking.

---

4. Keep Dependencies Updated

Why it matters:

Outdated dependencies can introduce vulnerabilities. Attackers often exploit known issues in outdated libraries to gain access to systems.

How to do it:

• Regularly update packages: Use tools like npm audit, pip install --upgrade, or yarn up.
• Monitor for CVEs (Common Vulnerabilities and Exposures).

Example (Insecure):

# package.json with outdated dependencies
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.16.1"
  }
}

Example (Secure):

# Updated dependencies
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.2"
  }
}

Tools:

• npm audit: Checks for vulnerabilities in your Node.js packages.
• Yarn: Manages dependencies and provides security updates.

---

5. Harden Your Environment

Why it matters:

Even with secure code, a misconfigured environment can expose sensitive data or allow unauthorized access.

How to do it:

• Use environment variables for secrets: Never hardcode credentials.
• Implement Web Application Firewalls (WAF).

Example (Insecure):

# Exposing API keys in code
const apiKey = 'sk-123456789abc';

Example (Secure):

# Using environment variables
require('dotenv').config();
const apiKey = process.env.API_KEY;

Tools:

• Docker: For containerizing applications with secure configurations.
• AWS WAF: Protects web applications from common vulnerabilities.

---

Conclusion

Incorporating these five security checks into your development workflow can significantly reduce the riskof vulnerabilities in your codebase. Remember:

1. Validate inputs - First line of defense
2. Prevent SQL injection - Use prepared statements
3. Handle errors safely - Don't leak sensitive info
4. Keep dependencies updated - Patch known vulnerabilities
5. Harden your environment - Secure your infrastructure

While these manual checks are essential, automating them saves time and catches issues consistently. Tools like SAGE can run continuous security reviews on your codebase, flagging vulnerabilities before they reach production.

Whatever tools you choose, the key is making security part of your daily workflow—not an afterthought.

---

What security checks do you run before pushing code? Share your tips in the comments!