SCP13 General Coding Practices
What this means
SiteShadow flagged general coding practices that increase security risk by making code harder to review, test, and operate safely (duplication, unclear ownership, silent failure, overly complex functions).
Why it matters
Poor coding practices hide security issues and slow remediation.
- Security bugs survive longer when code is hard to reason about.
- Regressions happen when there are no tests or consistent patterns.
- Operational mistakes increase when config/behavior is unclear.
Safer examples
1) Prefer small, testable units
Break large handlers into small functions and add unit + integration tests around security boundaries.
2) Don't swallow exceptions silently
Fail closed for security checks; log safely (see SCP07 / E01).
3) Make defaults safe and explicit
Avoid "debug by default", avoid permissive fallbacks, and make insecure modes refuse to run in production.
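The three practices above in one sketch, as an added Python example that is not SiteShadow's own code. The role table, the `APP_ENV` / `APP_DEBUG` variable names and all function names are assumptions made for illustration.

```python
import logging

log = logging.getLogger("authz")


class PolicyLookupError(Exception):
    """Raised when no policy answer is available (hypothetical error type)."""


def lookup_role(user_id, backend):
    # Small unit: only reads the backend, so it can be tested in isolation.
    try:
        return backend[user_id]
    except KeyError:
        raise PolicyLookupError("no policy record") from None


def can_delete_unsafe(user_id, backend):
    # Anti-pattern: the exception is swallowed and the check fails open.
    try:
        return lookup_role(user_id, backend) == "admin"
    except Exception:
        return True


def can_delete(user_id, backend):
    # Fail closed: a lookup error denies access and is logged without
    # echoing exception text; %r escapes control characters in user_id.
    try:
        return lookup_role(user_id, backend) == "admin"
    except PolicyLookupError:
        log.warning("authz lookup failed; denying (user_id=%r)", user_id)
        return False


def load_settings(env):
    # Explicit safe defaults: missing keys mean production with debug off.
    mode = env.get("APP_ENV", "production")
    debug = env.get("APP_DEBUG", "0") == "1"
    if debug and mode == "production":
        # The insecure mode refuses to run instead of silently degrading.
        raise RuntimeError("APP_DEBUG=1 is not allowed when APP_ENV=production")
    return {"mode": mode, "debug": debug}


# Constructed sample data for the example.
ROLES = {"alice": "admin", "bob": "viewer"}
```

Pass `os.environ` to `load_settings` at startup so a misconfigured deployment stops before it serves traffic.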
How SiteShadow detects it (high level)
- Uses structural heuristics (very large functions, high complexity, high duplication) as "risk multipliers".
- Flags patterns correlated with security bugs (exception swallowing, risky defaults, missing tests/guards).
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---