In previous chapters, you have already read about best practices for writing PowerShell code. In addition, we will add some more advice here. These will be things that most software developers learn very early in their career, but as you know, PowerShell users are very rarely real software developers. Most PowerShell users actually come from the operations area and are trying to automate operational tasks. The following practices are described by the Open Web Application Security Project (OWASP) and include, in our opinion, the most important topics:
- Input validation
- Output encoding
- Authentication and password management
- Session management
- Access control
- Cryptographic practices
- Error handling and logging
- Data protection
- Communication security
- System configuration
- Database security
- File management
- Memory management
- General coding practices
Although many of these topics are dedicated to web development, we can find some in here that are frequently disrespected in many PowerShell scripts, for example Access Control and Authentication and Password Management. It is still necessary to advise that passwords and credentials should never be placed in PowerShell scripts. Yes, never.
As PowerShell is based on .NET, we can also take a dedicated look at the secure coding guidelines for .NET.
It is good to have a read of those to become familiar with the basics of secure coding. You need to always keep in mind that most of your scripts are being executed with higher privileges by users and sometimes by service accounts, such as in scheduled tasks.