If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs, and accounting for the utilization of that data throughout the application.

Do not limit the type of files that can be uploaded to only those types that are needed for business purposes

A weakness that makes the system susceptible to attack or damage.

To take advantage of a vulnerability. Typically this is an intentional act designed to compromise the software's security controls by leveraging a vulnerability.

Sanitize all output of untrusted data to operating system commands

A set of controls that verify the properties of all input data matches what is expected by the application including types, lengths, ranges, acceptable character sets and does not include known hazardous characters.

It is a good practice to store passwords in plaintext

It is good practice to enforce account disabling after an established number of invalid login attempts

Authentication failure responses should indicate which part of the authentication data was incorrect.

All validation failures should result in input rejection

Require authentication for all pages and resources, except those specifically intended to be public.

Enforcing password complexity is not required in registration module

A set of controls used to verify the identity of a user or other entity interacting with the software.

Which of the following cannot be accepted as a guideline to writing secure codes?

A set of controls that grant or deny a user, or other entity, access to a system resource. This is usually based on hierarchical roles and individual privileges within a role but also includes system-to-system interactions.