This article supplements an episode of the This Dot Labs Podcast on Security with Rob Ocel, Tracy Lee, Frederik Prijck, Jarrod Overson, Director at Shape Security, and James Spivey, Director of Engineering at Shutterstock.
Frontend web developers often approach the topic of security with apprehension. Some question whether security is really their responsibility, and think of the technical concepts involved in securing their platforms and data as mostly relevant to their teammates working on the backend.
This is understandable, since nobody wants to feel at fault for leaving a project exposed to a security risk. But it is important that every individual on a team understands what risks are out there and how to proactively ensure that their technologies are equipped to prevent, and respond to, security issues.
Security should be one of the foremost considerations when building any web application. But as Shape Security Director Jarrod Overson notes, implementing security measures is usually informed by a cost-benefit analysis. Patching every conceivable threat is nearly impossible and would cost a company a great deal of money; at the same time, companies often defer important security decisions for the sake of time and budget. This leaves them reacting to breaches that can cost far more than a proactive solution in production would have.
The costs that companies incur from a security breach are numerous. Shutterstock Director James Spivey points out how overwhelming and unpredictable those costs can be: public relations costs, credit monitoring for affected users, and the use of emergency services from third-party consultants.
Naturally, there is an incalculable number of potential threats that developers may face when working on a product. Malicious code is one of the major issues that frontend developers might encounter. As This Dot Labs Senior Developer Frederik Prijck shares, many frameworks have security protections built in, but developers should still remain vigilant about reviewing code, library, and package documentation to ensure, to the best of their ability, that they are not pulling in anything malicious. These threats can exist even in major open source projects, so it is essential, albeit tedious, to ensure that no part of the toolchain, such as a build system or package manager, automatically pulls the latest version of a library without manual review: pin the versions you have reviewed, commit a lockfile, and treat every upgrade as a change to be reviewed like any other.
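As an added example (not from the article or the podcast it accompanies), the script below implements the review check just described: it reads a package.json and flags every dependency whose specifier lets the next install resolve to a newer, unreviewed version (caret and tilde ranges, wildcards, dist-tags such as `latest`, and git or tarball URLs not pinned to a commit). The package.json, package names, and the `acme` repositories are constructed for illustration.

```javascript
// Added example, not code from the article or the podcast.
// Flags dependency specifiers in a package.json that can silently resolve to a
// newer version on the next install, so that each upgrade is a deliberate,
// reviewed change. The package.json below is constructed for the demonstration.

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Exact semver, optionally with a prerelease tag: 1.2.3 or 1.2.3-rc.1
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
// Git reference pinned to a full 40-hex commit, e.g. git+https://.../x.git#<sha>
// (a tag such as #v2.1.0 is not a pin: tags can be moved).
const PINNED_COMMIT = /#[0-9a-f]{40}$/;

// Classify one specifier. Anything that is not 'pinned' or 'local' can change
// between installs without anyone reviewing the new code.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'pinned';
  if (s === '' || s === '*' || s === 'latest' || s === 'next') return 'floating';
  if (/^[\^~<>]/.test(s)) return 'floating';                       // ^1.2.3, ~1.2.3, >=1.0.0
  if (/^\d+(\.\d+)?$/.test(s) || /\.x(\.|$)/i.test(s)) return 'floating'; // 1, 1.2, 1.x
  if (/\|\||\s-\s/.test(s)) return 'floating';                      // 1.0.0 || 2.0.0, 1.0.0 - 2.0.0
  if (/^(file:|link:)/.test(s)) return 'local';                     // checked-in code, reviewed with the repo
  if (/^(git(\+\w+)?:|github:|gitlab:|bitbucket:|https?:|ssh:)/.test(s) ||
      /^[\w.-]+\/[\w.-]+/.test(s)) {                                // user/repo shorthand
    return PINNED_COMMIT.test(s) ? 'pinned' : 'unpinned-source';
  }
  return 'unknown';
}

// Walk every dependency section and return the entries that need attention.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'pinned' && kind !== 'local') {
        findings.push({ section, name, spec, kind });
      }
    }
  }
  return findings;
}

// Constructed package.json for the demonstration (names and repos are made up).
const samplePackageJson = {
  name: 'example-frontend',
  dependencies: {
    react: '^18.2.0',                                             // floating range
    lodash: '4.17.21',                                            // pinned
    'left-pad': 'latest',                                         // dist-tag, floating
    'some-widget': 'github:acme/some-widget#v2.1.0',              // mutable tag
    'vetted-fork': 'git+https://github.com/acme/vetted-fork.git#' + 'a'.repeat(40), // pinned commit
  },
  devDependencies: {
    eslint: '~8.57.0',                                            // floating range
    'local-tooling': 'file:../tooling',                           // local, reviewed in-repo
  },
};

// Run it over the sample and report. A CI job would read the real package.json
// with fs.readFileSync and exit non-zero when findings is non-empty.
const findings = auditDependencies(samplePackageJson);
for (const f of findings) {
  console.log(`${f.section}: ${f.name}@${f.spec} -> ${f.kind}`);
}
```

Pinning in package.json is only half of the control: a committed lockfile records the exact resolved versions and integrity hashes, and installing with `npm ci` in CI fails the build if package.json and the lockfile disagree, so an unreviewed upgrade cannot slip in through an ordinary `npm install`.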
Accepting any external code carries security risk. Companies often trust that their developers are savvy enough not to incorporate risky material into their projects, but managers and other leaders need to ensure that their developers fully understand the code and technologies with which they are working. Implementing best practices, such as regular security audits and proper documentation, is a good first step.
Companies may also want to look to security experts to help them secure more sensitive information, especially if their web applications store passwords or user identities. As the sensitivity of the information increases, so do the complexity of the codebase storing it, the cost of application maintenance, and the financial risk that accompanies a significant breach. Taking advantage of SaaS products from established identity providers such as Google or Auth0, rather than storing and verifying credentials in-house, may be the best course of action for some companies.
But what can an individual developer do to contribute to the security of their team's projects? Developers of all levels can better understand the threats they face by reviewing free resources such as those provided by the Open Web Application Security Project (OWASP), which, among other things, catalogue and name the different types of security threats. Doing so helps developers research fixes by giving them the proper terminology to work with.
Self-education, however, is not the only thing developers can do to contribute to the strength of their team's security practices. This Dot Labs Senior Developer Rob Ocel remembers a graduate seminar he took on security in which the professor told the class that he could not possibly teach them about all of the security risks that exist, but that he could help them learn to ask the right questions about security. Understanding what sorts of risks exist, where your projects may be vulnerable, and learning from others' experience and expertise is a good place to start for any developer.
As members of a development team, everybody should think of security as the whole team's responsibility, not just the responsibility of those working with APIs and backend services. By thinking proactively about security risks, understanding the specifics of the technologies you are working with, continually educating yourself about the threats being experienced across the industry, and asking helpful questions about the security of your team's products, you can do your part to protect the projects and technologies you work on.
Need JavaScript consulting, mentoring, or training help? Check out our list of services at This Dot Labs.
This Dot Inc. is a consulting company with two branches: the media stream and the labs stream. This Dot Media is responsible for keeping developers up to date with advancements in the web platform. In order to inform authors of new releases or changes made to frameworks and libraries, events are hosted, and videos, articles, and podcasts are published. Meanwhile, This Dot Labs provides teams with web platform expertise through methods such as mentoring and training.