I talk a lot about finding and fixing vulnerabilities on my blog. But what can you do to prevent vulnerabilities way before they happen? Today, let’s talk about the first step you can take towards a more secure application.
A lot of times we think of fixing vulnerabilities as this sort of whack-a-mole operation, where if we find vulnerability, or if someone reports a vulnerability, we’ll fix it.
But a lot of vulnerabilities can actually be systematically prevented by designing and planning your application in a secure way.
The first step in securing an application is therefore identifying the different requirements of your application and make sure that you plan for these features in a secure way. Let’s say that you are building a messaging app, what are your application requirements?
This is a messaging app, so you’ll probably need a way to:
- let users submit private messages,
- store and transport these messages,
- authenticate users and store users’ personal information, like email addresses and friends lists,
- and determine which users are able to access which messages.
Understanding what you need to build your application will inform you what data you are protecting and what kind of security considerations you’ll have while you are writing code.
For instance, in this case, you need to pick a secure way to authenticate users. Are you going to use a simple email and password setup? Are you going to use OAuth? And are you going to implement MFA for extra security? What would be the safest way to implement authentication in your context?
You might also need to store user passwords, and that means selecting a secure hashing algorithm so that you don’t store the passwords in plain text, and deciding on a secure location to store this data. Are you going to implement that yourself? Or outsource it to products that specialize in data storage? What are the pros and cons of these options? What is the safest way to store passwords based on your needs?
The cost of fixing vulnerabilities is way lower if you do it early, because if you can choose the right implementation and dependencies to use at this point, you can prevent a lot of vulnerabilities naturally. Deep rooted security flaws like insecure data storage or bad authentication are very hard to fix once you start developing the application, because if you want to change a highly integrated component, you might need to change a lot of other parts of your code too. So, it’s easier to get security right with planning before you start coding.
Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.