So I've been working as a security analyst and auditor for a while, and I've run into a lot of things that frustrated me. Sometimes I'd think "if only the developer had taken care of this security tip in time..." So why not discuss some security tips a developer can follow? I'm listing five tips, but feel free to add your own!
Countless times I've encountered a page with /myadmin.php or a similar admin page still using default values. Using frameworks is a wonderful idea, but taking care of these details is important. An attacker could brute-force the login of such admin pages and make an ugly mess.
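As an added example (not code from the original post), here is a small detector that runs over a constructed, simplified access log and flags a source IP that produces five failed POST logins against an admin path within one minute. The log format, the list of admin paths, the 401-means-failed-login assumption and the threshold are all assumptions made for this example; a real deployment would read the web server's actual log format and tune the window.

```javascript
// Added example, not part of the original post.
// Detects password-guessing bursts against admin login pages from access-log lines.
// Assumed, simplified log format (constructed for this example):
//   <ISO-8601 timestamp> <client IP> <HTTP method> <path> <status>
// A failed login is assumed to be a POST to an admin path answered with 401.

const ADMIN_PATHS = new Set(['/myadmin.php', '/admin/login']); // /admin/login is an assumed extra path

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null; // ignore blank or malformed lines
  const [ts, ip, method, path, status] = parts;
  const time = Date.parse(ts);
  if (Number.isNaN(time)) return null;
  return { time, ip, method, path: path.split('?')[0], status: Number(status) };
}

// Sliding-window count of failed admin logins per IP. Emits one alert per IP at the moment
// the threshold is first reached inside the window, so a long burst does not flood the alert log.
function findBruteForce(logText, { threshold = 5, windowMs = 60_000, paths = ADMIN_PATHS } = {}) {
  const failuresByIp = new Map();
  const alerts = [];
  for (const raw of logText.split('\n')) {
    const ev = parseLine(raw);
    if (!ev || ev.method !== 'POST' || !paths.has(ev.path) || ev.status !== 401) continue;
    const recent = failuresByIp.get(ev.ip) ?? [];
    recent.push(ev.time);
    while (recent.length && ev.time - recent[0] > windowMs) recent.shift(); // drop stale failures
    failuresByIp.set(ev.ip, recent);
    if (recent.length === threshold) {
      alerts.push({ ip: ev.ip, path: ev.path, failures: recent.length, at: new Date(ev.time).toISOString() });
    }
  }
  return alerts;
}

// Constructed sample log: one host hammering /myadmin.php, one legitimate user who mistyped
// once, and one host failing too slowly to reach the threshold inside the window.
const SAMPLE_LOG = `
2024-03-01T10:00:00Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:02Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:05Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:09Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:14Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:20Z 203.0.113.7 POST /myadmin.php 401
2024-03-01T10:00:30Z 198.51.100.4 POST /myadmin.php 401
2024-03-01T10:00:40Z 198.51.100.4 POST /myadmin.php 200
2024-03-01T10:01:00Z 192.0.2.9 POST /admin/login?next=/ 401
2024-03-01T10:08:00Z 192.0.2.9 POST /admin/login 401
2024-03-01T10:09:00Z 192.0.2.9 GET /admin/login 200
`;

console.log(findBruteForce(SAMPLE_LOG));
```

Running it prints a single alert for 203.0.113.7 at the fifth failure; the other two hosts never reach the threshold inside a one-minute window. Pair a detector like this with a lockout or rate limit on the login handler, and with renaming or access-restricting the default admin path, so the alert is a backstop rather than the only control.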
I know remembering strong passwords is a difficult task, but we have KeePass for that. Please, if you still have doubts, just look at the huge leaks. This seems unimportant, but it isn't.
Nope. Security doesn't work like that. For real. For example, if you are running old versions of components (which I've encountered many times), such as ElasticSearch, an attacker can break into the app with little more than curl commands, among many other things. I understand that looking for vulnerabilities is not your job (that's why you should hire a specialist for it), but in the meantime you can handle a basic vulnerability assessment using CoreOS with Clair, as I described here, for example.
Please pay attention to what users can input into your app. If you're unaware, there's an attack called Cross-Site Scripting (XSS), which can be used as part of many other attacks, and it's due to a lack of filtering. Don't let users inject script elements; you can save yourself so many problems just like that.
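To make the filtering point concrete, here is an added example (not code from the original post) that puts a "strip the script tags" filter next to the approach that actually makes untrusted text safe in an HTML page: entity-encoding it on output. The comment widget, its template and the sample inputs are constructed for the example.

```javascript
// Added example, not part of the original post.
// Contrasts a "strip <script> tags" filter with HTML entity encoding on output.

// Filter approach: removes <script> elements only. Any other markup passes through untouched,
// so the output is still interpreted by the browser as HTML written by the user.
function stripScriptTags(input) {
  return String(input).replace(/<\/?script\b[^>]*>/gi, '');
}

// Encoding approach: every character that has meaning in an HTML text context becomes an
// entity, so the browser renders the input as literal text, whatever it contains.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical comment widget: the same template rendered both ways.
function renderCommentFiltered(comment) {
  return `<p class="comment">${stripScriptTags(comment)}</p>`;
}
function renderCommentEncoded(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Review check: does the rendered fragment contain any tag besides the wrapper?
function leaksMarkup(rendered) {
  const inner = rendered.slice('<p class="comment">'.length, -'</p>'.length);
  return /<[a-z/!]/i.test(inner);
}

// Constructed sample inputs
const SAMPLES = [
  'Nice post!',
  '<script>alert(1)</script>',
  '<b>bold via raw markup</b>',
  'Tom & "Jerry"',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '-> filtered:', renderCommentFiltered(s));
  console.log(JSON.stringify(s), '-> encoded: ', renderCommentEncoded(s));
}
```

The filter version strips the `<script>` element but leaves every other tag in place, which is why a blocklist of "bad" elements keeps needing patches. The encoded version never lets user text become markup at all. The encoding shown is for HTML text content; a value placed inside an attribute, a URL or a JavaScript block needs the encoding for that context, which is what a templating engine with auto-escaping does for you.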
Okay, so I was thinking about a lot of tips I had in mind for the last one, such as not letting fashions get the better of you and using new technologies without auditing them properly just because they sound fancy, or paying attention to server hardening. But finally I thought of the most important and most widely forgotten one: ASK. It's completely normal not to know something, and even more so when it's a security question; that's NORMAL, because as a developer you may not know some details. That's okay, that's what auditing and security analysis are for, but even though the app is going to pass through a security specialist, don't be afraid to ask during the development process, because some details might be structural or conceptual security errors that could have been easily solved in the early stages, and when an analyst has to take them on in the final stage it's such a mess. Taking security advice in the early stages is a healthy, responsible decision. I sometimes felt like developers saw me as an enemy to fight against, someone breaking "their child", but I'm just trying to make it work, and it's easier to do when you let the security staff be part of it from the very start.
I hope you liked these tips, and feel free to add more. Did you ever save the day with a security tip at your job? I'd love to hear from you.