Become a More Secure Software Developer


Want to become a more secure software developer? It can feel like a steep hill to climb, but just learning the basics will take you a long way in improving the security of your developed applications. The basics alone are enough to prevent 80% of security attacks. In today's post I share 5 ways you can become a more secure software developer, starting today.

Start Validating All User Input

One of the biggest security mistakes developers make time and time again is neglecting input validation and sanitisation. Even if you are building a backend system which should only have "friendly" users, neglecting this leaves you wide open to attack. For example, an outside attacker could gain access to your network, successfully acquire the access credentials of a user, and then take advantage of poor input validation to gain access to wider parts of the system.

It's a really simple rule to remember, that will take any developer a long way: Do not trust ANY user input, EVER.

If you start by assuming that every user using your application will be trying to attack it, you'll automatically think about how you validate every piece of user input, vastly improving security. If you only want the user to enter a digit, check that they've only supplied a digit. If you're accepting text, strip out anything which could cause harm, like HTML tags. Most languages have pre-built functions available for cleaning and validating user input. Use them.
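An added example (not from the original post) of the "only a digit" and "clean the text" checks above, written as allow-list validators in Python. The function names, the 1 to 100 range and the 40-character name limit are assumptions for illustration, and the name check rejects unexpected characters outright rather than stripping them.

```python
import re
import unicodedata

# ASCII digits only, bounded length. str.isdigit() is deliberately not used:
# it returns True for characters such as "²" that int() cannot parse.
_DIGITS = re.compile(r"[0-9]{1,3}")
_NAME_PUNCTUATION = " '-"


class ValidationError(ValueError):
    """Raised when a value does not match its allow-list."""


def parse_quantity(raw, lo=1, hi=100):
    """Return raw as an int, or raise if it is not a plain number in range."""
    # fullmatch() requires the whole string to match, so trailing newlines
    # or appended text are rejected instead of silently ignored.
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        raise ValidationError("quantity must be 1 to 3 ASCII digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValidationError(f"quantity must be between {lo} and {hi}")
    return value


def clean_display_name(raw, max_len=40):
    """Return a normalised display name, or raise if it breaks the allow-list."""
    if not isinstance(raw, str):
        raise ValidationError("name must be text")
    # Normalise first so look-alike compatibility forms are judged
    # in the same form that will be stored.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not 1 <= len(name) <= max_len:
        raise ValidationError("name length out of range")
    for ch in name:
        is_letter = unicodedata.category(ch).startswith("L")
        if not (is_letter or ch in _NAME_PUNCTUATION):
            raise ValidationError(f"character {ch!r} is not allowed in a name")
    return name
```

Validation like this runs on the server for every request; a check in the browser form does not count, because the request can be sent without the form.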

Prevent Cross-Site Scripting (XSS) Attacks

It's not enough to sanitise data only when a user inputs it into your system. You also need to filter any output before you print it. On larger projects in particular, you're often working on systems which have multiple developers involved. Another developer could have forgotten to validate a user input somewhere, which leads to a vulnerability in what can be stored in your database.

If you then just print the data out, you risk malicious code being displayed. One example of where an XSS attack can occur is a web application. Imagine your application asks a user for their name, and another developer forgot to sanitise that particular user input properly.

In your part of the application, you then print their name to a profile page. A maliciously inclined user decides to input their username as the following: "Ryan ". Your profile page will now display that malicious code, and include the remote javascript file. That javascript could do anything, from stealing the cookies of visitors to that profile page and granting the attacker access to accounts they shouldn't have access to, to installing malware on any visitor's machine.
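An added example (not from the original post) of filtering on output: the same stored name rendered without and with encoding, plus a parser-based check that can serve as a regression test. The stored value is a constructed sample on the reserved `example.invalid` host, and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample of a stored username that was never validated on input.
STORED_NAME = 'Ryan <script src="https://example.invalid/x.js"></script>'


def render_profile_unsafe(name):
    # "Before": the stored value is pasted into the markup as-is, so any
    # tags inside it become part of the page.
    return f'<h1 title="{name}">{name}</h1>'


def render_profile(name):
    # "After": encode at output time, whatever happened on input.
    # quote=True also encodes " and ', which matters inside the attribute.
    safe = html.escape(name, quote=True)
    return f'<h1 title="{safe}">{safe}</h1>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a piece of markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of start tags found in the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(tags_in(render_profile_unsafe(STORED_NAME)))
    print(tags_in(render_profile(STORED_NAME)))
```

`html.escape` covers HTML text and quoted attribute values only; values written into inline scripts, URLs or CSS need the encoder for that context, which is why template engines with automatic escaping are the usual choice.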

Implement Security Best Practices Throughout Development, Not At The End

We've talked earlier about how security implemented at the end of the software development lifecycle results in higher costs. It also results in more vulnerabilities being missed, and makes it very hard to develop a truly secure system.

If you want to become a more secure software developer, you need to think about security at all stages of the software development process, from design onwards. As you work, think about ways attackers could potentially exploit what you're doing, and protect against them. It doesn't take more time to write a secure line of code than an insecure line. It does, however, take a lot of time to identify an insecure line and fix it later.

Think About The Overall System, Not Just Individual Components

As you build web applications, start to think more about the entire system, rather than just individual aspects of it. Remember that just because your component is developed in a secure way, it doesn't mean that other components have been. When redundancy is possible, incorporate it.

Think about what security mistakes in other components could mean for your particular component, and the overall impact that could have on the application.

Use Secure Storage for Passwords and Sensitive Data

The major Adobe password breach highlighted the importance of this. Make sure that when storing passwords you hash them, not encrypt them, and that you use a unique salt for each password you store, so things like password hints can't lead to someone with access to your userbase deducing what the most common passwords are, and which users may be using specific passwords.

If you're storing sensitive information, like national insurance numbers, bank account details, or credit card information, then appropriate encryption needs to be used. Don't try to develop your own encryption, but use one of the major encryption algorithms developed and tested beyond exhaustion. Remember that no one gets fired for buying industry-standard, military-grade encryption. They do get fired for trying to be clever and writing their own insufficient encryption algorithms, though. Not to mention, why reinvent the wheel? There are great encryption and hashing algorithms out there already. Time spent developing new ones which are less effective is only wasted.

So there we have it, five ways you can become a more secure software developer, with minimal time investment.
