Privacy is one of our valuable goods and attackers around the world have started to take this sensitive information away. Research has shown that private data of more than 3 billion humans has been stolen within the last ten years.
The recent attack against the U.S. consumer credit score provider Equifax for instance discovered a massive volume of 2.4 million customers.
It’s our common responsibility to develop systems with security in mind. Functionality has been NR 1 priority for too many years. This time is gone now and we need to realize that application security is a must for all our internal and external applications. In this post I will share some hints about secure software development every developer, tester and designer should know.
- Never trust user input – All user input should be considered ‘evil’ until validated otherwise
- Use a layered approach to security testing to dramatically cut down on security issues before deployment
- Use generic error messages like “Incorrect username or password” to keep brute force attacks at bay. Never tell the user what the wrong data was.
- Consider breaking the build for medium and high-risk findings, and never ship with potentially dangerous vulnerabilities
- Using third-party code? Either run security tests on the original code or insist on a security analysis report from the code supplier
- Apply a hashing algorithm using salt to your user’s passwords before storing them in your database
- Separate your application’s dynamic content from your static content
- Test your code throughout the SDLC to save time and money in the long run
- Implement two-factor authorization wherever possible and logical
- Limit application permissions only to components required for the app to function properly.
- Implement SSL or TLS and ensure HTTPS is used.
- Iinvalidate user sessions upon logout or after a certain length of time
- Protect user interface data and user credentials by storing them properly using encryption
- Ensure your app meets all necessary regulatory and compliance requirements, especially for financial and health apps
- Don’t allow third party keyboard use for iOS apps when sensitive content is entered
- Involve the security team in your feedback loop, offering your feedback and requesting theirs on the current state of security in your builds
- Teach the security team about how your team writes code, so they can better understand how and where security can be integrated
- Establish a shared discipline of agile development between the develop, ops, and security – throughout the SDLC
- Push smaller releases more often to lower the overall risk posture of the applications
- Dive into the OWASP Top 10 and learn all you can about the 10 most dangerous vulnerabilities that should be prevented or fixed in code
- Develop a work relationship with a member of the security team who you feel comfortable asking security questions and answering coding questions
- Get involved in the threat modeling process to better understand the risks involved in application design and development
- Learn how to use the security tools whether you get formal lessons or not – educating yourself in secure coding will take you further in your career!
Your path to a secure software development chain
- Build Awareness
- Create your Security Requirements
- Consider Secure Coding Practices
- Secure Code Scan
- Functional Security Tests
- Application Scans, Penetration Tests
For any questions concerning secure software development please contact me.
Keep doing the good things!