Sanitize all output of untrusted data to operating system commands

Require authentication for all pages and resources, except those specifically intended to be public.

A set of controls that verify the properties of all input data matches what is expected by the application including types, lengths, ranges, acceptable character sets and does not include known hazardous characters.

A set of controls used to verify the identity of a user or other entity interacting with the software.

Which of the following cannot be accepted as a guideline to writing secure codes?

If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs, and accounting for the utilization of that data throughout the application.

Do not limit the type of files that can be uploaded to only those types that are needed for business purposes

All validation failures should result in input rejection

It is good practice to enforce account disabling after an established number of invalid login attempts

Authentication failure responses should indicate which part of the authentication data was incorrect.

Enforcing password complexity is not required in registration module

To take advantage of a vulnerability. Typically this is an intentional act designed to compromise the software's security controls by leveraging a vulnerability.

A set of controls that grant or deny a user, or other entity, access to a system resource. This is usually based on hierarchical roles and individual privileges within a role but also includes system-to-system interactions.

It is a good practice to store passwords in plaintext

A weakness that makes the system susceptible to attack or damage.