Cybersecurity Development & Code Security Rules
Comprehensive security rules for secure coding practices, vulnerability prevention, and security testing
# Cybersecurity Development & Code Security Rules

## Secure Coding Fundamentals

- **Input Validation**: Validate all inputs at application boundaries
- **Output Encoding**: Encode outputs for the context they are emitted into (HTML, URL, SQL, etc.)
- **Authentication**: Implement strong authentication mechanisms
- **Authorization**: Apply the principle of least privilege
- **Session Management**: Handle sessions securely, with proper timeouts
- **Error Handling**: Never expose sensitive information in error messages

## Vulnerability Prevention

- **SQL Injection**: Use parameterized queries and prepared statements
- **XSS Prevention**: Sanitize and encode all user inputs and outputs
- **CSRF Protection**: Implement CSRF tokens for state-changing operations
- **XXE Prevention**: Disable external entity processing in XML parsers
- **Path Traversal**: Validate and sanitize file paths
- **Command Injection**: Never concatenate user input into system commands

## Data Protection & Privacy

- **Encryption**: Encrypt sensitive data at rest and in transit
- **Key Management**: Use proper key rotation and storage practices
- **PII Handling**: Handle personally identifiable information according to its sensitivity
- **Data Minimization**: Collect and store only necessary data
- **Retention Policies**: Implement proper data retention and deletion
- **Access Logging**: Log all access to sensitive data

## API Security

- **Rate Limiting**: Implement proper rate limiting to prevent abuse
- **Authentication**: Use strong API authentication (OAuth2, JWT)
- **Input Validation**: Validate all API inputs, including headers
- **CORS Configuration**: Implement proper CORS policies
- **API Versioning**: Use proper versioning to manage changes
- **Error Responses**: Standardize error responses without information disclosure

## Infrastructure Security

- **Secrets Management**: Use dedicated secrets management tools
- **Container Security**: Implement container scanning and runtime protection
- **Network Security**: Use proper network segmentation and firewalls
- **Monitoring**: Implement comprehensive security monitoring and alerting
- **Patch Management**: Apply security updates and vulnerability patches regularly
- **Backup Security**: Secure backup processes and test recovery procedures

## Development Process Security

- **SAST**: Run Static Application Security Testing in the CI/CD pipeline
- **DAST**: Run Dynamic Application Security Testing
- **Dependency Scanning**: Scan regularly for vulnerable dependencies
- **Security Reviews**: Include security review in the code review process
- **Threat Modeling**: Threat-model new features regularly
- **Security Testing**: Include security tests in test suites

## Incident Response

- **Detection**: Implement proper security monitoring and alerting
- **Response Plan**: Have documented incident response procedures
- **Communication**: Maintain clear communication channels for security incidents
- **Forensics**: Preserve logs and evidence for investigation
- **Recovery**: Maintain tested recovery procedures for security incidents
- **Learning**: Conduct post-incident reviews and apply security improvements
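The two rules under Vulnerability Prevention that most often turn into concrete code, parameterized SQL and path-traversal validation, are shown below as an added example; it is not part of the rules document above. The in-memory `users` table, the `/srv/uploads` base directory and the function names are constructed for the illustration.

```python
import sqlite3
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed fixture: an in-memory SQLite table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable form: the caller's input is spliced into the SQL text, so
    quote characters in `name` change the query's structure."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized form: the value travels separately from the statement and is
    only ever compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Resolve a user-supplied relative path and require the result to stay
    inside `base_dir`. Absolute input and `..` segments are both handled by
    resolving first and comparing afterwards, rather than by string filtering."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under for callers that prefer a check to an exception."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "alice"), find_user_safe(db, "alice"))
    print(is_safe_path("/srv/uploads", "reports/q1.txt"))
    print(is_safe_path("/srv/uploads", "../etc/passwd"))
```

The point of comparing resolved paths rather than rejecting `..` substrings is that the check stays correct for absolute inputs and for sequences that only become a traversal after normalization; `resolve()` in the standard library does not require the path to exist, so the check works before any file is created.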
Tags: cybersecurity, secure-coding, vulnerability, owasp, privacy

Compatible with: openclaw, cursor, claude-code