7 Security Tips for Software Developers

7 Security Tips for Software Developers

Andrew Zola
Storyteller
Andrew Zola on Linkedin

If you really think about it, software is now at the core of ensuring the marketing success for most businesses. As a result, this is driving an even greater need for speed during the development cycle.

This pressure to speed up the development process is evidenced in the increased adoption of the DevOps approach with Agile development. But accelerating time to market comes with its own set of problems.

For example, leveraging open source elements is now quite common to speed up the development cycle. However, while deploying third-party components can help accelerate development, it can also unwittingly expose the software to security flaws.

But this doesn’t mean that you should not incorporate open source elements during the development process. However, you should adapt and evolve the build to support more secure software production.

So how do you do this? Let’s take a look the following tips for best practices during a secure software development cycle.

1. Make the developers are responsible for a secure build

For security to work effectively, developers must be put in charge of it. If you look at most businesses, developers responsible for the build will far outnumber the members of security teams.

As a result, it’s not realistic to expect the security team to be responsible for all aspects of security. Making developers responsible for security can also help offset this imbalance and ensure that security is implemented properly and taken seriously.

A great way to approach this is to have the security team involved in the planning and later testing phases. But during the core development phase, the coders will have to be in charge of security scans and resolving issues.

2. Enhance security through user stories

Security teams need to develop real functional stories for security requirements. This means that it needs to be discussed and defined earlier on. It can also be broken down into smaller distinctive tasks to be completed during and after each iteration.

Creating stories around security risks and activities help ensure that security has been adequately planned for. These user stories can be similar to the following scenarios:

  • “What about content requests? Can bad data be sent? If so, will I be able to access the data and functions? Can I access it without any authorization?”
  • “Can I send bad data in URLs? Can I easily access functions and data where authorization is required?

3. Avoid encrypting passwords, instead, hash them

Our developers state from experience that using password management systems is a bad idea. Instead, the representation of user passwords needs to be hashed.

This is because a robust decryption Python script can usually reveal the original password. As a result, never encrypt passwords that are stored as a decryption key or algorithm can pretty much make your efforts completely futile.

On the other hand, a hash doesn’t have a direct reverse unless there is already a table with the mapping from plain text to hash. This means that knowing the hash mechanism won’t betray the data’s integrity, but knowing the encryption keys and schemes will.

4. Authenticate the end-users on every page

Don’t just leave authentication on the login page, instead, do it on every page. For example, when conducting a security review, you might find instances where URLs that are bookmarked can be just copied and pasted onto another browser without ever requiring the user to log back into the system.

These little things can be missed quite easily, but the consequences can be dire. Furthermore, if you’re conducting a bunch of tests, it’s also a good time to check all the routes and doors your code opens. If the software is connected, then there’s a pretty good chance that someone will try to sneak in via the internet.

A classic example of this is buffer overflows left behind by C coders who choose to accept any string of characters until it hits zero. What’s more, SQL injections can also open doors by adding a few extra characters to an SQL query to expand the scope of a simple search.

5. Avoid putting secret backdoors in the software

When you set up secret backdoors in the software, you’re basically creating opportunities for hackers to access and control it. While you may not think that someone else will be digging around the code, the chances of them doing so are pretty significant.

6. Develop a culture of security

It’s a great idea to develop a culture of security not just within the software development team, but throughout the entire organization. At the same time, it’s also important to encourage a security culture that evolves over time with new technology (and when new processes are developed to fit the needs of the organization).

To achieve this, security needs to become a habit, not an afterthought. As a result, it will be critical to embed it in every aspect of the organization right from the beginning.

7. If you leave it to chance, you will leave yourself wide open

Even the best software engineer out there can make a mistake or two. In some cases, they might think that someone would never try to dig deeper and penetrate the system.

But the reality is that people will always try to breach the system. Furthermore, with the rapid evolution of artificial intelligence (AI), you can expect robots to do the same.

So it’s now more important than ever before to try and think of everything and not leave anything to chance. Additionally, this should be something that you come back to iteration after iteration.

No matter how good you are at software development, there will always be some kind of vulnerability that has to be addressed. As a result, security needs to be something at the forefront of the mind of developers and all stakeholders during the development cycle and long after the product is live.

What is your experience with building software that is highly secure? What best practices did you follow? Can you add any to this list?

Share your thoughts and experience in the Comment section below.