Given all of these types of attacks and the stakes involved in building a web application, you’ll rarely (if ever) meet a developer who will publicly say, “Security isn’t important.” In fact, you’ll likely hear the opposite, communicated in strident tones, that security is extremely important. In practice, however, security is often treated as an afterthought.
In today’s world, we are becoming increasingly interconnected with mobile. Web applications in particular are no longer being accessed only by stodgy web browsers on desktop or laptop computers. They’re being hit by mobile devices and behind-the-scenes APIs. They’re often being mashed up and remixed or have their data transformed in interesting ways. For these and many other reasons, developers need to take on a few habits—habits that will make them into more security-conscious developers. Here are five habits that will get you started.
1. Nothing Is 100% Secure
There’s an old joke in computer security circles that the only truly secure computer is one that’s disconnected from all power and communication lines, and locked in a safe at the bottom of a reinforced bunker surrounded by armed guards. Of course, what you’ve got then is an unusable computer, so what’s the point, really?
It’s the nature of the work we do: nothing we can ever do, no effort, no tricks, nothing can make your application 100% secure. Protect against tainted user input, and someone will try to sneak a buffer overflow attack past you. Protect against both of those, and they’re trying SQL injection. Or trying to upload corrupt or virus-filled files. Or just running a denial of service attack on you. Or spoofing someone’s trusted identity. Or just calling up your receptionist and using social engineering approaches to get the password. Or just walking up to an unsecured physical location and doing their worst right there.
Why bring this up? Not to discourage or disillusion you, or make you walk away from the idea of security entirely. It’s to make you realize that security isn’t some monolithic thing that you have to take care of—it’s lots and lots of little things. You do your best to cover as many bases as you can, but at some point, you have to understand that some sneaky person somewhere will try something you haven’t thought of, or invent a new attack, and then you have to respond.
2. Never Trust User Input
Most of the users who will encounter your web application won’t be malicious at all. They will use your application just as you intended, clicking on links, filling out forms, and uploading documents at your behest.
A certain percentage of your user base, however, can be categorized as “unknowing”. This category describes a large group of people who do things without much forethought, ranging from the innocuous (trying to put a date into a string field) to the merely curious (“What happens if I change some elements in the URL, will that change what shows up on the screen?”) to the possibly fatal (at least to your application, like uploading a resume that’s 400 MB in size).
Then, of course, there are those who are actively malicious, the ones who are trying to break your forms, inject destructive SQL commands, or pass along a virus-filled Word document.
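The three cases above (a date typed into the wrong field, a tampered URL parameter, and an oversized or mislabelled upload) as an added example of server-side input validation; this is not code from the original text, and the size cap, allowed types, and the ownership map are assumptions for illustration:

```python
import re
from datetime import date

MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # assumed cap: a resume never needs 400 MB
ALLOWED_MAGIC = {                           # extension -> leading bytes the content must carry
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",                 # DOCX is a ZIP container
}

class InvalidInput(ValueError):
    """Raised for any input that is not exactly what the application expects."""

def parse_iso_date(raw: str) -> date:
    """Accept only YYYY-MM-DD; fromisoformat still rejects impossible dates like 2024-02-30."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
        raise InvalidInput("date must be YYYY-MM-DD")
    try:
        return date.fromisoformat(raw)
    except ValueError as exc:
        raise InvalidInput(str(exc)) from exc

def resolve_record_id(raw: str, current_user: str, owners: dict) -> int:
    """A URL parameter is under the visitor's control: check its shape, then that the record is theirs."""
    if not re.fullmatch(r"[1-9]\d{0,9}", raw):
        raise InvalidInput("id must be a positive integer")
    record_id = int(raw)
    if owners.get(record_id) != current_user:
        # Same message for "no such record" and "not yours", so ids cannot be enumerated
        raise InvalidInput("record not found")
    return record_id

def check_upload(filename: str, size: int, head: bytes) -> str:
    """Enforce the size cap and verify the file's leading bytes match its claimed type."""
    if size > MAX_UPLOAD_BYTES:
        raise InvalidInput(f"file exceeds {MAX_UPLOAD_BYTES} bytes")
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:
        raise InvalidInput("file type not allowed")
    if not head.startswith(magic):
        raise InvalidInput("file content does not match its extension")
    return ext
```

Each function either returns a value of the exact type the rest of the application expects or raises, so the caller never handles half-validated data.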
3. Defence in Depth Is the Only Defence
There will almost never be a scenario in which a single line of defence will be enough. Even if you only allow users to submit forms after they log in to a control panel, always sanitize form input. If they want to edit their own profile or change their password, ask them to enter their current password one more time. Don’t just sanitize uploaded files, but store them using encryption so that they won’t be useful unless decrypted. Don’t just track user activity in the control panel with a cookie, but write to a log file, too, and report anything overly suspicious right away. Having layered defences is much easier to implement (and so much harder to defeat) than a single strong point. This is classic military defensive strategy—create many obstacles and delays to stop or slow an attacker or keep them from reaching anything of value.
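The password-change case from the paragraph above as an added example of layering (session check, input validation, re-entry of the current password, and an audit log that raises an alert on repeated failures); this is not code from the original text, and the password length bounds, the alert threshold of three failures, and the in-memory `AuditLog` stand in for whatever the real application uses:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

FAILURE_ALERT_THRESHOLD = 3     # assumed: report after this many wrong current passwords

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 from the standard library; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_reauths: int = 0

@dataclass
class AuditLog:
    """Stand-in for the log file the text recommends; alerts are what gets reported right away."""
    entries: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def record(self, event: str) -> None:
        self.entries.append(event)

    def alert(self, event: str) -> None:
        self.entries.append("ALERT " + event)
        self.alerts.append(event)

def change_password(acct: Account, logged_in: bool, current: str, new: str, log: AuditLog) -> bool:
    # Layer 1: the control panel is only reachable from an authenticated session.
    if not logged_in:
        log.record(f"{acct.username}: unauthenticated password change attempt")
        return False
    # Layer 2: validate the input anyway; a logged-in user is still a user.
    if not (12 <= len(new) <= 128) or new == current:
        log.record(f"{acct.username}: rejected weak or unchanged password")
        return False
    # Layer 3: a hijacked session is not enough; the current password must be re-entered.
    _, candidate = hash_password(current, acct.salt)
    if not hmac.compare_digest(candidate, acct.digest):
        acct.failed_reauths += 1
        log.record(f"{acct.username}: wrong current password ({acct.failed_reauths})")
        # Layer 4: repeated failures inside an authenticated session are suspicious; report them.
        if acct.failed_reauths >= FAILURE_ALERT_THRESHOLD:
            log.alert(f"{acct.username}: {acct.failed_reauths} failed re-authentications")
        return False
    acct.salt, acct.digest = hash_password(new)     # fresh salt with the new password
    acct.failed_reauths = 0
    log.record(f"{acct.username}: password changed")
    return True
```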
4. Simpler Is Easier to Secure
If you’ve been a developer for any amount of time, then you’ve probably run into lots of code that just makes your head hurt to look at. Convoluted syntax, lots of classes, a great many includes or requires, and other techniques can make it hard for you to decipher exactly what is happening in the code. Small pieces that are joined together in smart, modular ways, where code is reused across different systems, are easier to secure than a bunch of mishmash code with HTML, PHP, and SQL queries all thrown into the same pot.
The same thing goes for security. If you can look at a piece of code and figure out what it does in a minute, it’s a lot easier to secure it than if it takes you half an hour to figure out what it does.
5. Peer Review Is Critical to Security
Your security is almost always improved when reviewed by others. You can tell yourself that you will just keep everything hidden or confusing, and thus no one will be able to figure out how to bypass what you’re doing, but there will come a day when a very smart someone will make your life intolerable. A simple peer review process at regular intervals can keep bad things from happening to you and your application. Simple reminders to secure against cross-site scripting or suggestions for encryption approaches will almost always make your code more secure.
There are other habits, no doubt, but these will get you started.