The developer security checklist I run before every deploy

Published: (March 11, 2026, 06:29 PM GMT+9)
2 min read
Source: Dev.to

I keep a security checklist pinned to my monitor. It has stopped a vulnerability from shipping at least a dozen times.

Code Examples

Password hashing (Python)

import bcrypt  # third-party: pip install bcrypt

def hash_password(plain_text):
    # Work factor 12 is a reasonable default; raise it over time as hardware gets faster.
    # Note: bcrypt only uses the first 72 bytes of the input.
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plain_text.encode(), salt)

def verify_password(plain_text, hashed):
    # The stored hash embeds its own salt and cost; checkpw compares in constant time.
    return bcrypt.checkpw(plain_text.encode(), hashed)

Email validation (Python)

import re

EMAIL_PATTERN = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$')

def validate_email(email):
    # Normalize first, then validate the normalized value: with re.match a
    # trailing newline would slip past '$', which matches before a final newline.
    email = email.strip().lower()
    if len(email) > 254 or not EMAIL_PATTERN.fullmatch(email):
        raise ValueError("Invalid email format")
    return email

Safe SQL queries (Python)

# BAD: string interpolation puts user input straight into the SQL text
query = f"SELECT * FROM users WHERE id = {user_id}"

# GOOD: the driver sends the value separately, so it can never change the query structure
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

Security headers (NGINX)

# Note: a location block that sets its own add_header does not inherit these;
# repeat the full set there, or none of them will be sent for that location.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

Environment variables (Python)

# BAD: credentials end up in source control and in every copy of the code
DATABASE_URL = "postgresql://admin:password123@db:5432/prod"

# GOOD: read from the environment; indexing (not .get) fails fast at startup if it is missing
import os
DATABASE_URL = os.environ["DATABASE_URL"]

Checklist

  • Passwords hashed with bcrypt, scrypt, or Argon2
  • Session tokens are random, long, and expire
  • Failed login attempts are rate‑limited
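The three checklist items above, as an added example that is not code from the original post: session tokens drawn from the OS CSPRNG with an expiry, plus a sliding-window limiter on failed login attempts. The stores are in-memory dicts and the TTL, failure cap and window are assumed policy values; a real service would keep this state in a database or cache.

```python
import secrets
import time
from collections import defaultdict, deque

# Session policy (assumed values for the example).
TOKEN_BYTES = 32           # 256 bits of entropy; token_urlsafe yields 43 URL-safe characters
SESSION_TTL = 30 * 60      # sessions expire after 30 minutes

_sessions = {}  # token -> (user_id, expires_at); in-memory store, constructed for the example

def create_session(user_id, now=None):
    """Mint a random, long session token with an expiry and return it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _sessions[token] = (user_id, now + SESSION_TTL)
    return token

def lookup_session(token, now=None):
    """Return the user id for a live session, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        _sessions.pop(token, None)  # expired: purge so it can never be reused
        return None
    return user_id

# Login rate limiting: at most MAX_FAILURES failed attempts per key within a sliding window.
# The key would typically be the username, the client IP, or both.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60

_failures = defaultdict(deque)  # key -> timestamps of recent failures

def _prune(key, now):
    """Drop failures older than the window and return the remaining deque."""
    q = _failures[key]
    while q and q[0] <= now - WINDOW_SECONDS:
        q.popleft()
    return q

def login_allowed(key, now=None):
    """True if the key has not yet exhausted its failed attempts in the current window."""
    now = time.time() if now is None else now
    return len(_prune(key, now)) < MAX_FAILURES

def record_failure(key, now=None):
    """Record one failed login for the key."""
    now = time.time() if now is None else now
    _prune(key, now).append(now)

def record_success(key):
    """A successful login clears the failure history for the key."""
    _failures.pop(key, None)
```

The limiter counts only failures, so a legitimate user who eventually succeeds is not penalized, while an attacker guessing passwords is cut off after five misses per window; the expired-token purge in lookup_session is what makes "expire" mean something server-side rather than relying on the cookie's max-age alone.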

Summary of security controls

  • Auth: Passwords hashed, sessions expire, rate limiting on login attempts
  • Input: All user input validated server‑side
  • SQL: Parameterized queries everywhere
  • XSS: All output escaped
  • Headers: Security headers configured (see above)
  • Secrets: No hard‑coded secrets; use .env files and keep them git‑ignored
  • Dependencies: Run npm audit / pip-audit and keep results clean
  • HTTPS: TLS everywhere, HSTS enabled
  • Logs: Authentication events logged; no sensitive data in logs
  • Backup: Database backup tested and verified
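Two of the summary items that the earlier code examples do not cover, XSS output escaping and logging authentication events without sensitive data, as an added example that is not code from the original post. It uses only the standard library; the field names treated as sensitive and the event layout are assumptions for the example.

```python
import html
import json

def render_comment(author, body):
    """Build an HTML fragment from untrusted strings, escaping every interpolated value.

    html.escape with quote=True also escapes " and ', so the values are safe inside
    attribute values as well as in element text.
    """
    return '<div class="comment"><b>{}</b>: {}</div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )

# Field names whose values must never reach the logs (assumed set for the example).
SENSITIVE_KEYS = {"password", "token", "secret", "authorization", "cookie", "set-cookie"}

def redact(event):
    """Return a copy of an event dict with sensitive values replaced, recursing into nested dicts."""
    out = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out

def auth_log_line(event):
    """Serialize an authentication event as one JSON log line, redacted first."""
    return json.dumps(redact(event), sort_keys=True)
```

Keeping the redaction in the function that serializes the log line, rather than asking every call site to remember it, is what makes the "no sensitive data in logs" item hold under change: a new code path that logs a failed login with the whole request dict still gets its password and cookie fields scrubbed.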

Resources

  • CyberGuard Essentials (FREE) – Security fundamentals with practical examples
  • CyberGuard Advanced ($11.99) – Penetration testing, threat modeling, advanced hardening

Print this checklist and pin it to your monitor.
