So I've been working as a security analyst and auditor for a while and I encountered a lot of stuff I felt frustrated about. Sometimes I used to think "if just the developer took care in time about this security tip in time..." and then, why not discuss some security tips a developer could take? I'm listing five tips but feel free to add your own!
Tip 1: Pay attention to default admin pages
Countless times I've encountered a page with /myadmin.php and similar admin pages with default values. Using frameworks is a wonderful idea but taking care of these details is important. An attacker could use brute force to bypass the login of admin pages and make an ugly mess.
Tip 2: Please, please so much please strong passwords
I mean, I know remembering strong passwords is such a difficult task but ah! we have KeePass for that. Very please, if you still have doubts just check the huge leaks. This seems unimportant but it isn't.
Tip 3: Avoid the “It’s secure because it’s in a container”
Nope. Security doesn’t work like that. For real. For example, if you guys are using old versions of resources (which I encountered a lot of times ) for example ElasticSearch, you can use curl commands for breaking into apps, or other many things. I understand looking for vulnerabilities is not your work (that’s why you should hire a specialist for this) but you can handle basic vuln assessment on the meantime using CoreOS with Clair as I described here for example.
Tip 4: Filter all the things
Please pay attention to what the users can input in your app. If you are unaware, there’s this attack called Cross Site Scripting (XSS), which could be used as part of many others, and it’s due to a lack of filtering. Don’t let users use script elements, you can save so many problems just like that.
Tip 5: ASK
Okay so I was thinking a lot of tips I had in mind for the last one, such as not letting fashions get over you and use new techs without auditing them propertly just because they sound fancy, or to pay attention in servers hardening. But finally, I thought of the most important and widely forgotten: ASK. It’s completely normal not knowing a thing, and more possibilities when it’s a security doubt, that’s NORMAL because as a developer you may not know some details. That’s okay, that’s why auditing and security analysis are for, but even though the app is going to pass through a security specialist don’t be afraid to ask in the development process, because some details might be structure or concepts security error that could have been easily solved in the early stage proccess and when an analyst take it in the final stage is such a mess. Taking security advice in the early stages is a healthy responsible decision. I sometimes felt like the developers saw me as an enemy to fight against, someone breaking “their child” but I’m just trying to make it work, and it’s easier to do when you let security staff be part of it since the very start.
I hope you guys liked these tips and feel free to add more. Did you saved the day with a security tip in your job? I’d love to hear from you.
Top comments (8)
Great article!
I would add being mindful of the dependencies one chooses to use in their apps. Out of date dependencies are plentiful.
What is your opinion / thoughts on third party authentication, such as login with Google, etc..?
It depends, I think it can be convenient, I'm not a Google fan tho. Not due to security (which I think it's quite strong) but due to privacy and data processing.
Thanks for the article keep writing!
thank you! I'm glad you enjoyed it.
specially
I keep hearing that one with Docker, even though their devs themselves had repeatedly said that containers are not about security, at all, is about ease to deploy and dependency management.
Article's good but loved the Gifs... 🔥🤟
Hahaha thank you
Owasp provides an extensive overview as well as a top ten list:
owasp.org/index.php/Category:OWASP...
Injection is for example the number one vulnerability.