This past week during my 100 days of hacking challenge, I started to dive deeper into the fundamentals of security and exactly why we as developers should learn to implement security into our code. Cybersecurity and software engineering are commonly seen as two separate specialties without much overlap, other than maybe an intro class or two for Computer Science students and a few dedicated minutes in a lecture for bootcamp grads if they're lucky.
When I initially started to learn to code, I tried to ask around for advice on how I could integrate my passion for web security with software engineering. The general consensus that I received at that time was that they are two separate things, that the frameworks learned in school were enough, and that I didn't need to concern myself with the security aspect. Something about that just didn't sit right with me, and as I've started to learn more about breaking applications through Bugcrowd's bug bounty mentorship program, my stance that all developers should learn more about implementing security in their code is reinforced.
Using a framework is a common practice during development because frameworks abstract a lot of logic, which in turn saves a lot of time. However, using a framework without an understanding of how it works or the potential risks can put the security of your application in jeopardy. A single line of defective code can expose an organization's internal systems to vulnerabilities. Many companies use the same frameworks and dependencies, which means that when a vulnerability is discovered within these tools, all of the companies using them are at risk, more so if they aren't making sure to update their dependencies and take action against these risks. While efficiency and agility often take priority during development, without security built into the application, the attack surface is greatly increased.
When developing an application, you should consider things like:
- What should this application do?
- How should this application behave?
- What are my inputs? (form fields, query parameters, local storage, embedded CSS, etc.)
- What are my outputs?
- What potential weaknesses could be taken advantage of by a hacker?
While software engineering and cybersecurity should still be viewed as their own specialties, there are many benefits to developers learning the basics of integrating security into their coding practices. When developers are part of the solution and take responsibility for their code, users and companies will be less likely to be involved in a data breach that exposes confidential data. It may take time to see a change in curriculum to include secure software development practices. Depending on the size of the company, its level of concern with security, and its budget, a company may rectify this by implementing a DevSecOps team, appointing a security champion, or hiring developers who are more aware of security practices than those who aren't familiar with security concepts. The goal of integrating security with web development is to prevent common vulnerabilities in your application, which protects the users and the companies, and lessens the likelihood of having to backpedal in the event of a costly and time-consuming security breach.
Interested in learning more? Several resources that you may find beneficial include:
- Alice & Bob Learn Application Security by Tanya Janca, or the author's YouTube playlist reading of the book
- Learn Enough Frontend Security to Be Dangerous webinar hosted by Mintbean
- MicroFocus Lunch & Learn DevSecOps hosted by Black Girls Hack
I will be studying a different web vulnerability each week during my 100 days of hacking and I look forward to sharing in more detail about common vulnerabilities and how we as developers can defend against them. In the meantime, let me know what your thoughts are on web developers learning more about security & any resources you find interesting!