
What should every programmer know about security? [closed]

Tags:

security



Principles to keep in mind if you want your applications to be secure:

  • Never trust any input!
  • Validate input from all untrusted sources - use whitelists not blacklists
  • Plan for security from the start - it's not something you can bolt on at the end
  • Keep it simple - complexity increases the likelihood of security holes
  • Keep your attack surface to a minimum
  • Make sure you fail securely
  • Use defence in depth
  • Adhere to the principle of least privilege
  • Use threat modelling
  • Compartmentalize - so your system is not all or nothing
  • Hiding secrets is hard - and secrets hidden in code won't stay secret for long
  • Don't write your own crypto
  • Using crypto doesn't mean you're secure (attackers will look for a weaker link)
  • Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

  • Writing Secure Code 2nd Edition - I think every programmer should read this
  • Building Secure Software: How to Avoid Security Problems the Right Way
  • Secure Programming Cookbook
  • Exploiting Software
  • Security Engineering - an excellent read
  • Secure Programming for Linux and Unix HOWTO

Train your developers on application security best practices

Codebashing (paid)

Security Innovation (paid)

Security Compass (paid)

OWASP WebGoat (free)
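
The "use whitelists not blacklists" and "fail securely" principles from the list above, shown as an added Python example that is not part of the original answer. The report-name format, the denylist entries and the sample inputs are all constructed for illustration.

```python
import re

# Blacklist (denylist) approach: reject inputs containing patterns known to be bad.
DENYLIST = ("../", "<script", "'")

def denylist_accepts(value: str) -> bool:
    return not any(bad in value.lower() for bad in DENYLIST)

# Whitelist (allowlist) approach: accept only the one shape the application needs.
# Hypothetical rule: a short lowercase report name ending in .csv or .pdf.
REPORT_NAME = re.compile(r"[a-z0-9_-]{1,32}\.(?:csv|pdf)")

def allowlist_accepts(value) -> bool:
    # Fail securely: wrong type or any unexpected error means "reject".
    try:
        # fullmatch (not match or "$") so trailing data such as "\n.exe" is refused.
        return isinstance(value, str) and REPORT_NAME.fullmatch(value) is not None
    except Exception:
        return False

# Constructed sample inputs.
SAMPLES = [
    "q3_sales.csv",           # the expected shape
    "..\\..\\notes.txt",      # backslash variant the denylist never listed
    "%2e%2e%2freports.csv",   # encoded form that a later layer may decode
    "report.pdf\n.exe",       # embedded newline after a valid-looking name
    "",                       # empty string
    None,                     # wrong type
]

def compare(samples):
    """Return (input, denylist verdict, allowlist verdict) for each sample."""
    rows = []
    for s in samples:
        try:
            deny = denylist_accepts(s)
        except Exception:
            deny = "crash"    # the denylist code has no defined answer here
        rows.append((s, deny, allowlist_accepts(s)))
    return rows

if __name__ == "__main__":
    for value, deny, allow in compare(SAMPLES):
        print(f"{value!r:26} denylist={deny!s:5} allowlist={allow}")
```

The denylist accepts every string it did not anticipate and raises on the non-string input, while the allowlist accepts only the first sample and returns a plain rejection for everything else.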


Rule #1 of security for programmers: Don't roll your own

Unless you are yourself a security expert and/or cryptographer, always use a well-designed, well-tested, and mature security platform, framework, or library to do the work for you. These things have spent years being thought out, patched, updated, and examined by experts and hackers alike. You want to gain those advantages, not dismiss them by trying to reinvent the wheel.

Now, that's not to say you don't need to learn anything about security. You certainly need to know enough to understand what you're doing and make sure you're using the tools correctly. However, if you ever find yourself about to start writing your own cryptography algorithm, authentication system, input sanitizer, etc., stop, take a step back, and remember rule #1.


Every programmer should know how to write exploit code.

Without knowing how systems are exploited you are accidentally stopping vulnerabilities. Knowing how to patch code is absolutely meaningless unless you know how to test your patches. Security isn't just a bunch of thought experiments; you must be scientific and test your experiments.


Security is a process, not a product.

Many seem to forget about this obvious matter of fact.