1. Make good use of resources
Start with an introductory secure coding resource. The Open Web Application Security Project (OWASP) is a good entry point for secure coding. Its Secure Coding Practices quick reference guide is a good starting point and can be used as a review checklist during development. Be sure to make full use of OWASP's resources.
2. Adopt defensive programming techniques
Doing so eliminates some classes of exploitable bugs. One technique concerns equality comparisons: put the constant on the left-hand side of the comparison. With the constant first, if you accidentally type the assignment operator (a single "=") instead of the comparison operator ("=="), you get a compile-time or run-time error instead of a silent assignment.
3. Sanitize the data
Digital identity systems, especially consumer-facing ones, frequently call external data sources. All data coming from external sources or provided by users should be treated as untrusted. For web clients, this includes data taken from query strings or hash (fragment) parameters, cookies, local storage, and so on. For server-side applications, it includes data submitted through POST, GET, cookies, etc. Native applications often read configuration files, which may have been deliberately tampered with.
In every case, one line of defense is data sanitization: make sure the data contains only the allowed characters and formats. One key point is to check the length of large data fields to avoid buffer overflow attacks.
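As an added example (not code from the original article), the following sanitizes untrusted request parameters for a hypothetical identity service: each known field has an explicit allowlist pattern and a maximum length, unknown parameters are dropped, and the length check runs before the pattern check. The field names and rules are assumptions for illustration.

```javascript
// Added example: allowlist-based validation of untrusted query/hash parameters.
// FIELD_RULES is a constructed set of hypothetical fields for an identity service.
// Patterns are anchored (^...$) so the whole value must match, not just a substring.
const FIELD_RULES = {
  username:  { pattern: /^[a-z0-9_]+$/i, maxLen: 32 },
  // Relative paths only: must start with a single "/", so a protocol-relative
  // "//host" value (a classic open-redirect vector) is rejected.
  returnTo:  { pattern: /^\/(?!\/)[a-z0-9_\-\/]*$/i, maxLen: 256 },
  sessionId: { pattern: /^[a-f0-9]+$/, maxLen: 64 },
};

// Validate one raw value against its rule.
// Returns { ok: true, value } or { ok: false, reason }.
function validateField(name, raw) {
  const rule = FIELD_RULES[name];
  if (rule === undefined) return { ok: false, reason: `unknown field ${name}` };
  if (typeof raw !== 'string') return { ok: false, reason: 'missing or non-string value' };
  // Length first: bounding the size protects downstream fixed-size buffers and parsers,
  // and avoids running a regex over an arbitrarily long input.
  if (raw.length > rule.maxLen) return { ok: false, reason: `exceeds ${rule.maxLen} chars` };
  if (!rule.pattern.test(raw)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value: raw };
}

// Parse a query string (or the text after "#") and validate only the fields we know.
// URLSearchParams percent-decodes values, so validation runs on the decoded form.
// Unknown parameters are never copied into the clean result.
function sanitizeParams(queryString) {
  const params = new URLSearchParams(queryString);
  const clean = {};
  const errors = [];
  for (const name of Object.keys(FIELD_RULES)) {
    if (!params.has(name)) continue;
    const result = validateField(name, params.get(name));
    if (result.ok) clean[name] = result.value;
    else errors.push(`${name}: ${result.reason}`);
  }
  return { clean, errors };
}

// Constructed sample inputs: one well-formed, one with oversized and malformed fields.
console.log(sanitizeParams('username=alice_01&returnTo=/account&sessionId=deadbeef'));
console.log(sanitizeParams('username=x%3Cy&returnTo=//other.example&extra=1&sessionId=' + 'a'.repeat(65)));
```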