Until last year I had this idea that security is not a priority when developing software (website and apps included). I mean, I’m just a small developer and probably not a lot of people will ever use what I’m creating, so why bother with security?
After reading about the subject I could understand all the risks I was taking. My goal with this post is to show some facts and motivate you to change your mentality towards security.
Note: I’m using the name hacker loosely on this post. Every time you read hacker, I really meant black hat hacker.
You are a worthwhile target
Much of this disregard with security comes from the assumption that your software or website is so unpopular that hackers will never bother trying to find a vulnerability. Nothing could be further from the truth.
You are running a web server
Your service can be worthless, but your server is not. A hacker could get access to your server for many purposes: Distributing malware, spamming, or even to join a botnet.
You are an easy target
If you are not concerned about security, an attacker don’t need to work hard to find a vulnerability. A hacker could go through a checklist of common vulnerabilities and maybe manage to gain access to your server in a matter of minutes.
Even though your service is not important, your resources are. Always think about the possible motivations for someone to hack you.
Never try to reinvent the wheel
Seriously, don’t! Experts have a hard time figuring out algorithms that you can use and safe ways of implementing it. What makes you think that you can develop something better?
You may think that as soon as the hacker doesn’t understand the implementation, you are safe. This is called “security by obscurity” and it doesn’t work. Your software should be secure even if the attacker know every detail about it. This means, your software should be secure even against you.
Let the security experts develop new ways of securing your software and only use algorithms approved by them and in a way approved by them.
Most of the times vulnerabilities are in the implementation
It’s not only about using certified algorithms. You need to use them in a certified way. Most of the times, algorithms work perfectly, but the way they are implemented, creates a vulnerability.
Recently, we all heard about the Heartbleed bug. Bottom line: There is nothing wrong with the TLS Protocol. This bug was caused by an error of implementation. A developer forgot to verify an user input, and the attacker could exploit this and steal data by overflowing a variable.
Always treat user input as unsafe and do all kind of verification. Take special care when dealing with cryptography and confidential data.
Security should be simple
Complex coding leads to implementation errors. Implementation errors lead to vulnerabilities. Security should be clean and clear.
When implementing a security feature, only add what is necessary and nothing else. When reading your code, you should be able to easily understand every bit of it.
Security is something that every developer should care. It doesn’t matter if your software is never going to be mainstream. Always take precautions.
To understand what should and should not be done, invest a little bit of your time studying security. If you have doubts about some implementation, there are tons of materials in the internet. After a while, you will develop a “sense of danger”. You will understand when you are writing a code that could open vulnerabilities and will then proceed with caution.
In the end you will see that if you follow good development practices, you can greatly reduce the chances of being hacked.