on Apr 03, 2017
Want to become a more secure software developer? It can feel like a steep hill to climb, but just learning the basics will take you a long way in improving the security of your developed applications. The basics alone are enough to prevent 80% of security attacks. In today's post I share 5 ways you can become a more secure software developer, starting today.
Start Validating All User Input
One of the biggest security mistakes developers make time and time again is neglecting input validation and sanitisation. Even if you are building a backend system which should only have "friendly" users, neglecting this leaves you wide open to attack. For example, an outside attacker could gain access to your network, successfully acquire the access credentials of a user, and then take advantage of poor input validation to gain access to wider parts of the system.It's a really simple rule to remember, that will take any developer a long way: Do not trust ANY user input, EVER.If you start by assuming that every user using your application will be trying to attack it, you'll automatically think about how you validate every piece of user input, vastly improving security. If you only want the user to enter a digit, check that they've only supplied a digit. If you're accepting text, strip out anything which could cause harm, like HTML tags. Most languages have pre-built functions available for cleaning and validating user input. Use them.
Prevent Cross-Site Scripting (XSS) Attacks
Implement Security Best Practices Throughout Development, Not At The End
We've talked earlier about how security implemented at the end of the software development lifecycle results in higher costs. It also results in more vulnerabilities being missed, and makes it very hard to develop a truly secure system.If you want to become a more secure software developer, you need to think about security at all stages of the software development process, from design onwards. As you work, think about ways attackers could potentially exploit what you're doing, and protect against them. It doesn't take more time to write a secure line of code, than an insecure line. It does, however, take a lot of time to identify an insecure line and fix it later.
Think About The Overall System, Not Just Individual Components
As you build web applications, start to think more about the entire system, rather than just individual aspects of it. Remember that just because your component is developed in a secure way, it doesn't mean that other components have been. When redundancy is possible, incorporate it.Think about what security mistakes in other components could mean for your particular component, and the overall impact that could have on the application.
Use Secure Storage for Passwords and Sensitive Data
After the major adobe password breach, the importance of this is highlighted. Make sure that when storing passwords you hash them, not encrypt them, and that you use a unique salt for each password you store, so things like password hints can't lead to someone with access to your userbase deducing what the most common passwords are, and which users may be using specific passwords.If you're storing sensitive information, like national insurance numbers, bank account details, or credit card information, then appropriate encryption needs to be used. Don't try to develop your own encryption, but use one of the major encryption algorithms developed and tested beyond exhaustion. Remember that no one gets fired buying industry-standard, military grade encryption. They do get fired for trying to be clever, and writing their own insufficient encryption algorithms, though. Not to mention, why invent the wheel? There's great encryption and hashing algorithms out there already. Time spent developing new ones which are less effective is only wasted.So there we have it, five ways you can become a more secure software developer, with minimal time investment.