Be uncommon: stop making such common mistakes
Software development has evolved through a series of small and big changes over the last decade, and for that reason many of the practices and myths held true in the past are simply no longer accurate. To that end, I grouped four areas that Modern Software Developers should consider to help them improve the security of their software and of their companies. These are common mistakes made by common Software Developers. Consequently, be uncommon and stop making such common mistakes.
Area 1: Software Development Security Governance (SDSG) [1]
- It is a good practice to have a formal development process that integrates secure coding practices throughout the process of developing software.
- It is sometimes difficult for small firms to implement the recommended fragmentation practice, but dividing or fragmenting the development, test, and production environments is an important practice to ensure the cyber-resilience of the code.
- Protect the software by keeping source code and configuration in a limited access repository that integrates version control. GitHub is a good example of such a tool.
- Produce well-secured software by reviewing your code against known issues such as the OWASP Top 10 and the 2022 Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses.
- Get support from automated tools to review or assess your code and to test it. Some of those automated tools are free or come with a free version. OWASP provides a list of Source Code Analysis Tools to help find security flaws.
Area 2: Application Security (AppSec) [2]
- Pair programming is not enough. Odds are neither you nor your colleagues were formally instructed in secure development best practices in your formal education. Now’s the time.
- Shift left. Make good design decisions – like “don’t roll your own crypto” and “consider getting out of credential management.” Embed security testing (SAST/DAST) into your CI/CD pipelines, and block builds on severe vulnerabilities.
- Security frameworks and languages matter. I’m sorry if it hurts you to hear it – PHP code is simply less secure than Ruby in most applications. C++ is less secure than Rust. Leveraging a modern security framework gains you significant advantage by leaving the poor design assumptions of earlier languages and security frameworks behind.
- Stop sharing your secrets. There are too many cases to count of companies that were attacked because some Software Developers figured their GitHub repository would forever remain private, and then found themselves caught out when somebody flipped the visibility toggle for five minutes. To prevent such cyber-attacks from happening, use Trufflehog and other tools to figure out if Software Developers in your organization are making such a mistake.
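The two detection ideas behind tools like Trufflehog are prefix rules for credential formats with a known shape and Shannon entropy for random-looking strings. The scanner below is an added example (not Trufflehog's code and not from the original post) that runs both over a constructed .env-style sample; the threshold value and the sample strings are assumptions chosen for this illustration.

```python
import math
import re

# Prefix rule for a credential format whose shape is public: AWS access key
# IDs start with "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Long runs of base64/hex-like characters are candidates for the entropy test.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; chosen for this example

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(line: str):
    """Return (rule, matched_text) findings for one line of text."""
    findings = [("aws_access_key_id", m.group(0)) for m in AWS_KEY_RE.finditer(line)]
    known = {text for _, text in findings}
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if tok not in known and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_string", tok))
    return findings

def scan_text(text: str):
    """Scan every line; return [(line_number, rule, matched_text)]."""
    return [(n, rule, hit) for n, line in enumerate(text.splitlines(), 1)
            for rule, hit in scan_line(line)]

# Constructed sample resembling an .env file committed by mistake. Line 3 is
# caught by the prefix rule, line 4 by entropy; the weak password on line 2
# and the low-entropy value on line 5 are invisible to both rules.
SAMPLE = """\
DB_HOST=db.internal.example
DB_PASS=changeme
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
API_TOKEN=q9Z2mX7vK4pL8nR1tW6yB3sD5fG0hJ
BUILD_NOTE=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for n, rule, hit in scan_text(SAMPLE):
        print(f"line {n}: {rule}: {hit}")
```

The miss on line 2 is the point to remember: entropy scanning finds generated keys, not human-chosen passwords, so it complements rather than replaces keeping secrets out of the repository in the first place.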
Area 3: Operational Security (OPSEC) [3]
- No, you are not too smart to be phished or to fall victim to malware. Yes, anti-virus software will slow down your machine. Suck it up. Cyber-attackers know that Software Developers have this bias and if they can’t get into your code, they will get into you, and then your code as a result.
- Use Multifactor Authentication (MFA) aggressively. Do not trust your home network, or for that matter, your work network. Make it a good habit to only use encrypted channels to access your IT infrastructure.
- Okay, you copied all your code locally so that you could compile faster and work off-line. But do you really need to copy the database with all that sensitive data onto your unencrypted laptop? I don’t think so. Encryption is your friend. If it is slowing down your laptop in a noticeable way, get a new laptop. Seriously. Modern laptops have dedicated chips that lower the performance impact to less than 3%.
- Lock all your stuff – your phone, your laptop – when you’re away from your devices. If your “friend” at the bar is playing with your phone, he also has access to your MFA tokens. Therefore, stop jeopardizing yourself!
Area 4: Infrastructure Security (InfraSec) [4]
- Did you realize you are a sysadmin? Because if you’re in DevOps [5], you are indeed a sysadmin. And this means you need to patch your stuff. Lock down unnecessary services. Lambda functions and microservices architecture make this easier.
- I don’t care that the S3 bucket is for a test project involving non-sensitive data. Don’t open up the permissions to make your life easier. Because the next Software Developer will take that same bloody S3 bucket, attach more data and a critical system to it, and before you know it, you’re leaking the healthcare records of a million users.
- The more systems you have, the more you have to maintain them. While it may feel cool to have dozens of extra boxes on your diagrams, you need to take time to clean out the cruft, i.e., the badly designed, unnecessarily complicated, or unwanted code or software. Old forgotten systems can clog up your cloud just as easily as your server closet, and the bills from the cloud provider will creep up.
- Hey, multi-cloud sounds really cool. I hope you’ve got a massive training and staffing budget to go with that! Because maintaining the skill set across multiple clouds is expensive. Oh, and similarly, if you’ve got one foot on-prem and the other in the cloud, eventually the boats will pull apart and you’ll find yourself in the water.
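The "opened up to make my life easier" S3 bucket from the point above is usually a bucket policy whose Principal is the wildcard. Below is an added example (not from the original post, and not an AWS tool) with a constructed open policy beside a scoped one and a check that flags wildcard-principal Allow statements; the bucket name, role name and account id are placeholders.

```python
# Constructed bucket policy documents, written as the dicts json.load() would
# return. OPEN_POLICY is the "make my life easier" version: any principal may
# list and read the bucket. SCOPED_POLICY grants one role read access only
# (the account id is a placeholder).
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EasyTestAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-test-bucket",
                     "arn:aws:s3:::example-test-bucket/*"],
    }],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CiReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-test-bucket/*",
    }],
}

def _as_list(value):
    """Policy elements may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal) -> bool:
    """True when Principal grants access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_statements(policy: dict):
    """Return (Sid, actions) for every Allow statement that is open to any
    principal and has no Condition; a Condition may narrow a wildcard grant
    (e.g. to a VPC endpoint), so those are left for manual review."""
    flagged = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if is_public_principal(st.get("Principal")):
            actions = sorted(_as_list(st.get("Action", [])))
            flagged.append((st.get("Sid", "<no Sid>"), actions))
    return flagged
```

Calling `public_statements(OPEN_POLICY)` reports the EasyTestAccess statement with its two actions, while the scoped policy returns an empty list; the same function can be pointed at policies pulled from every bucket in an account to catch the cruft before the next developer attaches a critical system to it.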
Conclusion
Hopefully, you don’t recognize yourself in too much of the above. If you find yourself checking off a lot of this list, you are making a lot of common mistakes. Better to find a way to up your skills, check your assumptions and become an uncommonly secure programmer.
Happy Holidays!
References
[1] “Throughout every stage of Software Development Life Cycle (SDLC), Software Development Security Governance (SDSG) is one of the key mechanisms that organizations use to ensure that a software development project aligns with business goals and complies with external regulations. SDSG offers a formal framework for achieving measurable progress toward strategic objectives, maintaining compliance standards, protecting data security, supporting data retention, and disaster recovery.” https://www.3pillarglobal.com/insights/importance-of-good-governance-processes-in-software-development/
[2] “Application Security (abbreviated AppSec) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.” Happe, Andreas (3rd June 2021): “What is AppSec anyways?”
[3] “Operational Security (OPSEC) is a security and risk management process that prevents sensitive information from getting into the wrong hands. Another OPSEC meaning is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cyber-criminal. OPSEC is both a process and a strategy, and it encourages IT and security managers to view their operations and systems from the perspective of a potential cyber-attacker. It includes analytical activities and processes like behavior monitoring, social media monitoring, and cybersecurity best practices.” https://www.fortinet.com/resources/cyberglossary/operational-security
[4] “IT infrastructure security (InfraSec) is a framework that combines policies, best practices and technologies to ensure that cloud resources – including cloud computing environments, applications and databases – remain secure against internal and external cloud cybersecurity threats.” https://www.twingate.com/blog/what-is-cloud-infrastructure-security/
[5] “Resulting from the combination of development (Dev) and operations (Ops), DevOps is the union of people, processes and technology to continuously deliver value to customers. What does DevOps mean for software development teams? DevOps enables formerly siloed roles – development, IT operations, quality engineering and security – to coordinate and collaborate to produce better, more reliable products. Adopting a DevOps culture along with DevOps practices and tools allows teams to respond better to customer needs, increase confidence in the applications they are building, and achieve business objectives faster.” https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-devops/