The first step to creating a secure application
What every developer should do before they start writing code
I talk a lot about finding and fixing vulnerabilities on my blog. But what can you do to prevent vulnerabilities long before they arise? Today, let’s talk about the first step you can take towards a more secure app.
Often, we treat security as reactive: when we find a vulnerability, or someone reports one, we fix it.
But many vulnerabilities can be avoided systematically by designing and planning your application securely from the start.
The first step in securing an application is therefore to identify its requirements and plan each of those features in a secure manner. Say you are building a messaging app. What are its requirements?
This is a messaging app, so you’ll probably need a way to:
- let users send private messages,
- store and transport these messages,
- authenticate users and store users’ personal information, such as email addresses and friend lists,
- and determine which users can access which messages.
Understanding what you need to build tells you which data you are protecting and which security decisions you will face as you write code.
For example, in this case, you need to choose a secure way to authenticate users. Will you use a simple email-and-password setup? Will you delegate sign-in to an identity provider with OAuth (or OpenID Connect on top of it)? Will you require MFA for added protection? What is the most secure way to implement authentication in your context?
You may also need to store user passwords, which means choosing a slow, salted password-hashing algorithm (Argon2id, scrypt, bcrypt or PBKDF2) rather than storing passwords in plain text or under a fast general-purpose hash, and choosing a secure place to keep the resulting records. Will you implement this yourself, or hand it to a product that specializes in credential storage? What are the advantages and disadvantages of each option? What is the safest way to store passwords given your needs?
The cost of fixing a vulnerability is much lower early on: if you choose the right design and the right dependencies at the planning stage, you avoid many vulnerabilities altogether. Deep-rooted security flaws, such as insecure data storage or weak authentication, are very hard to fix once development is under way, because changing a highly integrated component usually means changing many other parts of your code as well. It is far easier to get security right by planning for it before you start coding.
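To make the password-storage decision concrete, here is an added example (not code from the original post) that puts the weak baseline, an unsalted fast hash, beside a hardened form built only from Python's standard library: PBKDF2-HMAC-SHA256 with a per-user random salt, a work factor, a constant-time comparison, and transparent upgrading of old records when the policy is raised. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the `login` helper are assumptions of this example; if a vetted Argon2id or bcrypt library is available, use it in place of PBKDF2.

```python
"""Password storage: the weak way beside the hardened way.

Added example, not code from the original post. Standard library only.
The record format "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" is an
assumption of this example: the parameters travel with each record, so the
work factor can be raised later without re-hashing every user at once.
"""
import base64
import hashlib
import hmac
import os

# Current policy. 600,000 iterations is the OWASP (2023) figure for PBKDF2-HMAC-SHA256.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def weak_hash(password: str) -> str:
    """The insecure baseline: unsalted, fast SHA-256.

    Identical passwords produce identical digests (so a leaked table reveals
    shared passwords at a glance), and commodity GPUs test billions of
    SHA-256 guesses per second. Shown only for contrast; never use this.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the record's own parameters and compare in constant time."""
    try:
        algorithm, iters_str, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iters_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current algorithm or work factor."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < ITERATIONS


def login(store: dict, username: str, password: str) -> bool:
    """Check a password against a user store (a constructed dict here) and
    upgrade old records on a successful login."""
    stored = store.get(username)
    if stored is None:
        # Burn one KDF computation anyway so unknown users are not
        # distinguishable from wrong passwords by response time.
        hash_password(password)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    users = {"alice": hash_password("correct horse battery staple", iterations=1_000)}
    print("weak digests collide:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("salted records differ:", hash_password("hunter2") != hash_password("hunter2"))
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("upgraded to current policy:", not needs_rehash(users["alice"]))
```

The point of carrying the parameters inside each record is exactly the "cost of fixing it later" argument: a scheme that hard-codes the algorithm and iteration count forces a migration of every stored credential when the policy changes, whereas this layout lets you raise the work factor in one constant and let records upgrade themselves as users log in.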
Thanks for reading! What’s the hardest part of developing secure software for you? I would like to know. Do not hesitate to connect on Twitter @vickieli7.
The first step to building a secure app was originally posted on the ShiftLeft Blog on Medium, written by Vickie Li, and syndicated through the Security Bloggers Network. Read the original post at: https://blog.shiftleft.io/the-first-step-to-build-a-secure-application-701df67a6b11?source=rss----86a4f941c7da---4