
5 Habits of a Security-Conscious Developer

Given the number of security breaches that happen every day, hardly any security-conscious developer (or any developer, for that matter) will say that security isn’t important. In fact, even people who don’t write code agree that security is important. So why is it treated like an afterthought?

As a typical developer, what are the 3 things you are likely to leave for last? Without any hesitation, these would be:

  1. Usability
  2. Documentation
  3. Security

In a way, this is not an inherent failure on your part as a developer. It’s just that we’ve become used to working with a certain kind of flow. Why should I bother about security when I haven’t even made a successful database connection? Or why stop to sanitise user-submitted data when all I’m trying to do is get the records successfully submitted to the database?

The last thing we generally think about is security. We often write code with the impression that somehow security is a separate process or feature. But we have to adjust that behaviour and mindset.

As things become increasingly interconnected, access to web applications has gone beyond desktop interaction. There are mobile connections as well as behind-the-scenes API connections. As a result, there are habits that we must adopt to become more security-conscious developers and create more secure applications.

Here are 5 habits of a security-conscious developer:

1. Nothing is 100% Secure

The only 100% secure application is one that is not yet hosted. This is not meant to discourage us or make us lose hope. It’s a reminder to always be on the lookout because, as things advance, the ways to hack and crack them also advance.

2. Never Trust User Input

This point cannot be overemphasised. Generally speaking, most users of your application won’t be malicious. They will use it the way it was intended to be used. But there are others who like to probe and be adventurous, and with this in mind you have to leave nothing to chance.

3. Defense in Depth is The Only Defense

Having layered defenses is much easier to implement (and so much harder to defeat) than a single strong point. This is classic military defensive strategy: create many obstacles and delays to stop or slow an attacker, or keep them from reaching anything of value. Although in our context we’re not actually trying to hurt or kill anyone, what we are interested in is redundancy and independent layers. Anyone who penetrates one layer or overcomes some kind of defensive barrier (authentication system, encryption, and so on) is only faced with another layer.

4. The Simpler The Code, The Easier it is to Secure.

Having well-structured classes and functions makes code easy to read, easy to understand, and easy to debug. For instance, having a class that validates users’ input means that when something goes wrong with that section of your application, you don’t have to scout around. You know exactly where to check.
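The sketch below is an added example, not code from the original article. It ties habits 2, 3 and 4 together: one validator class is the single place input is checked, and two further layers (bound SQL parameters and a schema constraint) still hold if that class is bypassed. The `SignupValidator` class, the field names and the SQLite schema are assumptions made for illustration.

```python
import re
import sqlite3

class ValidationError(ValueError):
    """A submitted field failed validation."""

class SignupValidator:
    """The one place signup input is checked (hypothetical form fields)."""
    USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
    EMAIL_RE = re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")
    @classmethod
    def clean(cls, form):
        # Layer 1: allow-list; only strings of the expected shape pass.
        username, email = form.get("username"), form.get("email")
        if not isinstance(username, str) or not cls.USERNAME_RE.fullmatch(username):
            raise ValidationError("username")
        if not isinstance(email, str) or not cls.EMAIL_RE.fullmatch(email):
            raise ValidationError("email")
        return {"username": username, "email": email.lower()}

def open_db():
    db = sqlite3.connect(":memory:")
    # Layer 3: the schema enforces its own limit, independent of the app code.
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY "
               "CHECK (length(username) BETWEEN 3 AND 20), email TEXT NOT NULL)")
    return db

def save_user(db, form):
    data = SignupValidator.clean(form)
    # Layer 2: bound parameters, so stored values are never parsed as SQL.
    db.execute("INSERT INTO users (username, email) VALUES (:username, :email)", data)
    return data

# Constructed sample submissions (not from the article).
SAMPLES = [
    {"username": "ada_l", "email": "Ada@Example.com"},
    {"username": "x'); DROP TABLE users;--", "email": "m@example.com"},
    {"username": "bob", "email": ["not", "a", "string"]},
]

def run_samples():
    db, results = open_db(), []
    for form in SAMPLES:
        try:
            save_user(db, form)
            results.append("stored")
        except ValidationError as exc:
            results.append(f"rejected: {exc}")
    return results
```

When a submission is rejected, the exception names the failing field, and the only code to inspect is `SignupValidator.clean`.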

5. Peer Review is Critical to Security

You can only see and observe so much as a developer, probably because we tend not to be overly critical of ourselves. This is not to say that being critical is a virtue in itself, but when our applications are reviewed by others, they are likely to see what we don’t or can’t, and can offer useful suggestions on how to tie up loose ends.

Summary

In conclusion, securing your application is like having a door in your house or even a gate at your entrance. This will generally not stop a thief from coming in, but we don’t just leave the gate open for the thief to walk in unopposed. We have to create layers for an eventual defense.
