secure coding

Secure coding practices encompass writing code that resists common vulnerabilities by validating and sanitizing inputs, applying least privilege, using safe APIs, managing secrets, keeping dependencies updated, and employing static/dynamic analysis and OWASP guidelines to prevent SQL injection, XSS, buffer overflows, and similar issues.

securecoding

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Secure coding for web applications: Frameworks, challenges, and the role of LLMs

Jul 29, 2025
KK
Kiana Kiashemshaki
🏛️ Bowling Green State University | University of Nebraska-Lincoln | Stevens Institute of Technology

This study addresses the low industrial adoption of secure web application coding practices by systematically analyzing organizational, educational, and technical barriers. Methodologically, it develops a structured threat classification framework grounded in OWASP Top 10, integrating DevSecOps and cloud security contexts; conducts a comparative analysis of secure coding practices across mainstream web frameworks; and—novelly—empirically evaluates large language models (LLMs) on vulnerability detection and secure code generation for four critical vulnerability classes: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure deserialization. The approach combines systematic literature review, threat modeling, framework-level comparative analysis, and LLM-driven empirical evaluation. Results demonstrate LLMs’ measurable efficacy—and clear limitations—in automated vulnerability identification and remediation suggestion. The work delivers an integrable, intelligent secure coding assistance framework, offering practitioners, educators, and researchers actionable insights to enhance secure development efficiency and inform future AI-augmented security tooling.

Analyzing secure coding adoption barriers in web developmentComparing frameworks and threats for secure coding practicesEvaluating LLMs' role in detecting and suggesting secure code

Secure Code Generation at Scale with Reflexion

Nov 05, 2025
AD
Arup Datta
🏛️ University of North Texas

This work addresses the critical issue that large language models (LLMs) often generate functionally correct yet insecure code. To tackle this, we propose a three-round dynamic reflection prompting method for security-driven code generation. Our approach integrates the Instruct Prime evaluation framework under a zero-shot setting and introduces an Insecure Code Detector (ICD) to identify vulnerabilities, quantifying security performance via Repair, Regression, and NetGain metrics. Experiments demonstrate an average improvement in security accuracy from 70.74% to 79.43%, with the first two reflection rounds delivering the majority of gains. Security enhancements are most pronounced for Python, while C/C# show more limited improvements. The method excels at mitigating template-based vulnerabilities—such as XSS and hardcoded secrets—but exhibits lower efficacy against non-template ones. To our knowledge, this is the first work to systematically apply multi-round reflection for code security enhancement, establishing a scalable, security-aware paradigm for LLM-based code generation.

Evaluating secure code generation in large language models using reflexion promptingImproving code security through iterative reflexion prompting with diminishing returnsMeasuring security vulnerabilities across programming languages and CWE families

Existing security-coding datasets suffer from insufficient grounding in real-world security incidents, limited scale, and absence of production-environment operational context—hindering robust AI model training and practical deployment. To address this, we propose an *incident-grounded* construction paradigm and introduce the first production-grade security-coding dataset: comprising 1,215 CVE-anchored vulnerability–patch code pairs across 11 risk categories and 11 programming languages. It features a four-turn dialogue structure to simulate human–AI collaboration, integrates SIEM policies, infrastructure hardening (Docker/AppArmor/WAF), and language-specific testing frameworks. We establish a structured validation framework, multilingual security test suites, and an extended OWASP Top 10:2025+AI threat taxonomy. The dataset is partitioned into 989/122/104 samples for training/validation/testing and is fully open-sourced. Empirical evaluation demonstrates substantial improvement in model-generated code’s security compliance rate.

AI assistants produce vulnerable code in nearly half of security-relevant scenariosCurrent training data doesn't scale for modern AI security-aware code generationExisting datasets lack real security incidents and operational context for developers

This work addresses the persistent challenge of content composition vulnerabilities in software, which remain difficult to mitigate through developer training, static analysis, or templating languages, and are often reproduced in AI-generated code. The paper proposes a general-purpose secure content composition framework that incrementally extends the string expression syntax of general-purpose programming languages to enable precise security analysis and optimization at compile time. Its core innovation lies in a language design principle that minimizes the lexical distance between secure and insecure idioms, combined with dynamic-semantics-informed static analysis, compile-time diagnostics, and library-based encapsulation of secure logic. This approach facilitates collaborative remediation by both developers and AI systems, offering strong compile-time safety guarantees while maintaining performance comparable to native string concatenation, thereby significantly enhancing both the security and usability of string composition.

AI code generationcompile-time securitycontent composition vulnerabilities

This study addresses the significant inaccuracies of existing static analysis tools in evaluating the security of code generated by large language models (LLMs), which often fail to reliably identify genuine vulnerabilities. The work presents the first systematic investigation of this issue and introduces a human-verified benchmark dataset of secure and vulnerable code samples to assess the performance of widely used tools such as CodeQL and Semgrep, revealing sample-level accuracy rates of only 61% and 65%, respectively. To mitigate these limitations, the authors propose a dynamic retrieval-augmented generation (RAG) framework that integrates continuous human feedback, enabling persistent knowledge reuse and iterative improvement of security capabilities. Experimental results demonstrate that this approach substantially enhances the accuracy and reliability of LLMs in both secure code generation and vulnerability detection.

Human FeedbackLLMsSecure Code Generation

Latest Papers

What's happening recently
View more

Existing approaches to secure code generation lack robustness validation under adversarial prompts, and their security and functional evaluations are often decoupled, leading to inflated performance claims. This work proposes the first adversarial evaluation framework specifically designed for secure code generation systems, which jointly assesses both security and functionality of prominent methods—SVEN, SafeCoder, and PromSec—under unified conditions. The framework simulates realistic development or attack scenarios through prompt perturbations, including rewriting, cue inversion, and context manipulation. Experiments reveal that static analyzers overestimate security by 7–21×, and 37%–60% of outputs deemed “secure” are in fact non-functional. Under adversarial perturbations, the rate of truly secure and usable code drops sharply to 3%–17%. This study establishes a joint evaluation paradigm and best practices that holistically account for both security and functionality.

adversarial promptsfunctional correctnessLLM robustness

This study investigates the impact of minimal prompt perturbations on the security of code generated by large language models. By introducing single-character perturbations across three prominent models and five programming languages, the authors systematically analyze the mechanisms through which such subtle changes induce security vulnerabilities, leveraging token-level mutations, hidden state probing, and AUC-based evaluation. The work reveals for the first time that even a single-character modification can transform otherwise secure code into vulnerable outputs. Furthermore, input-handling vulnerabilities (AUC = 0.753) are shown to be more predictable than those related to insecure defaults (AUC = 0.674). Building on these findings, the paper proposes differentiated defense strategies, including pre-generation detection and in-decoding intervention, to mitigate the risks posed by prompt-level perturbations.

code vulnerabilitiescoding assistantsLLM security

Developers often inadvertently introduce vulnerabilities due to insufficient security knowledge and code complexity, while traditional tools only detect issues post hoc, incurring high remediation costs. This work proposes a proactive prevention approach that identifies methods implementing security-critical functionalities—such as authentication and input handling—using code-level security-aware metrics. These metrics are integrated with a large language model (LLM) to generate actionable, preventive explanations, which are embedded directly into the development workflow to enhance secure coding practices. A prototype plugin implemented in IntelliJ IDEA was evaluated on the Spring-PetClinic application, demonstrating that the selected metrics effectively pinpoint known security-critical methods and that the LLM-generated explanations are both practical and prevention-oriented.

code complexitysecure implementationsecurity vulnerabilities

This work addresses the persistent issue that large language models frequently introduce verifiable security vulnerabilities in code generation, even when explicitly instructed to avoid them. To mitigate this, the authors propose SecureForge, the first framework that automatically refines system prompts using vulnerability audit feedback. By identifying benign prompts that inadvertently induce vulnerabilities, SecureForge employs Markov-chain sampling to generate diverse synthetic training data and iteratively optimizes system prompts—achieving zero-shot generalization without relying on real user data. Experimental results demonstrate that this approach reduces security vulnerabilities by up to 48% across mainstream large language models while maintaining or improving unit test pass rates, thereby achieving a Pareto improvement in both security and functional correctness.

code securitycybersecurity vulnerabilitiesLLM-generated code

JavaScript code obfuscation can evade static application security testing (SAST) tools, leading to undetected vulnerabilities and a false sense of security in the software supply chain. This work constructs a realistic threat model for software supply chains and presents the first systematic evaluation of eight semantics-preserving obfuscation techniques—individually and in combination—against mainstream JavaScript SAST tools, namely Njsscan and Bearer. Through a two-phase empirical analysis using both OWASP Benchmark applications and real-world GitHub projects, the study introduces a quantitative metric termed Vulnerability Detection Loss (VDL). Results demonstrate that even a single obfuscation technique significantly suppresses the detection of high-severity vulnerabilities, while multiple combined obfuscations drive VDL close to 100%, exposing fundamental fragility and a critical lack of robustness in current SAST tools when confronted with common obfuscation strategies.

code securityJavaScript obfuscationsoftware supply chain

Hot Scholars

GC

Giuseppe Caire

Professor, Technical University of Berlin, Germany, and Professor of Electrical Engineering (on
Information TheoryCommunicationsSignal ProcessingStatistics
HB

Holger Boche

Technische Universität München
Information TheorySignal ProcessingCommunication Theory
CD

Christian Deppe

Technische Universität Braunschweig
Information TheoryQuantum Communication NetworksQuantum CommunicationPost Shannon Theory
MS

Mikael Skoglund

KTH Royal Institute of Technology
Information TheoryCommunicationsSignal Processing
GG

Gennian Ge

Capital Normal University
CombinatoricsCoding theoryInformation Security