It’s generally considered that all applications should be built from the ground up with security in mind. However, other factors such as usability often take priority because of differing opinions about what should come first. The problem here is that whilst usability is highly important, so is security. Not only can vulnerable applications lead to data loss, but they can also lead to significant reputational damage. After all, who wants to use an app knowing that they are compromising their security and privacy to do so? So, what are we doing to ensure that application security is more of a priority?
Why Do Insecure Applications Still Exist?
There are many ways to answer this question. When talking to a security professional, some of their answers boil down to blaming a lazy development team, uneducated management, vulnerable third-party plugins or a lack of time. Realistically, security is a group effort. To create a secure application, it must be a priority for all members of a software development team. Software is constantly evolving – as new technology is introduced and old vulnerabilities are patched, new exploits and weaknesses will arrive to take their place.
One reason that so many applications remain insecure is a lack of education. The developers of these applications are not always knowledgeable enough to create secure products, as new threats that can compromise our software constantly evolve. A solution to this problem is to change the way we think about security overall. Whether this is a shift in how development is taught or another idealistic solution, we must aim to write secure code.
Secure By Design
Ensuring an application is secure by design means putting security first during your design process and initial planning stages, on the premise that when it comes to development you should then encounter minimal issues. This is never really the case, though. The development stage will always break away from the original design as new issues and requirements arise.
What Role Do We Play At Dreamr?
At Dreamr we try our best to identify vulnerable code during our development process. We do this through multiple stages, such as quality assurance reviewing, testing and following the best secure coding practices that we can. These consist of obfuscating data, using secure mechanisms for authenticating users such as OAuth, and securely storing passwords and other sensitive information. An important standard which is now becoming a requirement is the use of SSL/HTTPS on your website. This essentially encrypts the data in transit between your website and users to prevent data being intercepted.
Some of the more complicated security mechanisms we use consist of CSRF tokens, using environment variables to keep sensitive data (such as database/AWS credentials) stored locally, and compartmentalising where we store technologies when a product is in production. Furthermore, we use middleware throughout our projects to confirm that only authenticated users can access specific information. Therefore, if a user who is not logged in tries to access a restricted URL, they are redirected to a login/sign up page.
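The sketch below is an added example, not Dreamr's own code, showing how the three mechanisms above fit together in one framework-agnostic middleware check: a key read from the environment, a redirect for anonymous users and a CSRF check on state-changing requests. The route names, the APP_KEY variable name and the request/session dictionaries are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: the signing key is supplied through an environment variable
# and never committed to source control. The random fallback exists only
# so that this sample runs offline.
APP_KEY = os.environ.get("APP_KEY", secrets.token_hex(32)).encode()

LOGIN_URL = "/login"                          # hypothetical route
RESTRICTED_PREFIXES = ("/account", "/admin")  # hypothetical restricted paths
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC-SHA256(APP_KEY, session_id)."""
    return hmac.new(APP_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def gate(request: dict, sessions: dict) -> tuple:
    """Decide (status, detail) for a request before any handler runs."""
    session_id = request.get("session_id")
    user = sessions.get(session_id)  # None when there is no valid session

    # 1. Authentication: anonymous users never reach restricted URLs.
    #    The redirect target is a fixed path, not taken from the request.
    if request["path"].startswith(RESTRICTED_PREFIXES) and user is None:
        return 302, LOGIN_URL

    # 2. CSRF: a state-changing request from a logged-in user must carry
    #    the token bound to that session, compared in constant time.
    if request["method"] in UNSAFE_METHODS and user is not None:
        supplied = request.get("csrf_token", "").encode()
        expected = csrf_token_for(session_id).encode()
        if not hmac.compare_digest(supplied, expected):
            return 403, "CSRF token mismatch"

    return 200, user or "anonymous"
```
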
The reason we take security so seriously during development is that we do not want ourselves or our clients to suffer reputational or financial damage because of one small mistake. The second reason is that it is our responsibility to do so.
A Shift In Mindset
The way we approach security needs to change. This applies to both the user and developer side of things. Usability will often take priority over security for most people. However, the security of your data is just as important as user experience. Your data is also incredibly valuable, so if it becomes compromised, that can be a huge problem.
The mindset of being able to think like an attacker is a key skill in being able to develop secure apps. When dealing with sensitive information it is important that it should only be shared on a need-to-know basis. Frameworks such as Laravel have built-in security features, but they can never prevent an error on the developer’s side. Therefore, security is a mindset.
Developing successful software over the past few years has required a shift in the mindset of developers overall. Rather than taking the more traditional attitude that software is there to solve problems and people will use it to do good, developers need to shift their viewpoint to understand that once their software is deployed, it will be attacked almost instantly. Applications must now be built so that they can defend themselves against hostilities. I think it’s important that developers now think of security not as an afterthought but as a crucial part of the development process.