Sep 05, 2018
No software developer wants to admit that the code they write might not be secure. Most experienced software developers have some understanding of common security issues, but no one developer can ever know everything. In today's post I share some of the most common security blunders software developers make. Ask yourself -- are you guilty of any of these? Is your team?
Do You Trust User Input?
Secure software developers know that they can never trust user input. Even if you're making an admin console, designed only to be used by a small subset of trusted users, there's risk from user input. What if someone gets a user's username/password, for example? What if a user accidentally makes an input that causes damage? Trusting user input can lead to SQL injection attacks, XSS attacks, buffer overuns, and more.
Do You Model Threats to Your Software?
Secure software developers use threat modelling to understand the potential risks to their software, and how they might be exploited. Threat modelling allows you to determine whether the defences you're building into your code are appropriate or not. If you don't know how an attacker is likely to try and attack your software, or why, how can you secure it?
Do You Own Your Code?
Many software developers fall down when it comes to security by not taking ownership of their code. They think that code reviews, or other security assessments that take place after their code is written will identify any mistakes, and resolve them. If you want to be a secure software developer, you need to start taking responsibility for your code. Do everything you can to make sure your code is secure, before it's passed on to anyone else. Code reviews, penetration tests, and other security techniques should never be a crutch -- they can't catch everything.
Do You Use Your Own Encryption?
Some developers try to develop their own encryption (or hashing) methods, usually using logic along the following lines: If I develop my own encryption methods, they're not available to the public, and will therefore be more secure. This is poor reasoning. The encryption you develop yourself will never be as secure as the tried and trusted algorithms tested, used, and improved by millions of people and organisations worldwide, from banks to governments. Just because they are open source, doesn't mean that they are less secure. Someone attacking your software will use all the tools at their disposal, and many would be able to break custom developed encryption algorithms in a matter of hours. Trying to develop your own encryption methods is a waste of time, too. Don't re-invent the wheel! There's a great discussion about the best encryption and hacking algorithms to use on Stack Overflow.
Do You Keep Yourself Informed?
The software development world evolves at a rapid pace. Popular languages change, frameworks evolve and the platforms we build our software on transform. This all makes for a constantly evolving collection of best practices for secure software development. Software developers which are serious about writing secure code stay on top of these changes. Unfortunately, many software developers fail to update their knowledge, constantly re-applying their old bad habits. Stay informed. Subscribe to security blogs, and encourage your company to invest in regular security training for software developers.