Advocating for information security as a software engineer

January 24, 2018 | by Arturo Rodríguez

In App development, Security, developers

Nowadays, news about information security breaches is becoming more common. We hear about data leaks, hacked systems, denial-of-service attacks, and more.

All of these security issues have been increasing over the years as more of our daily activities depend on technology. We, as developers, have the responsibility of building quality software, and quality software must be secure. But how can we achieve that? Here are some recommendations.

OWASP to the rescue!

The first step is to learn about the different dangers that threaten the software applications we develop. For that, we can count on OWASP (the Open Web Application Security Project). OWASP is a non-profit organization whose main objective is to improve software security, and its material is aimed at government agencies, organizations and individuals alike. It provides practical information and documentation that can be used when making decisions about software development, especially those related to information security.

On the OWASP website we can find best practices for creating secure software applications, along with many documents and guidelines on topics such as secure architecture, authentication and authorization, session management, access control, cryptography, and also secure mobile and Internet of Things applications.

Even though OWASP is not a formal standard and we are not required to follow it, it is worth keeping in mind during development, because it helps us prepare for and withstand the cyber attacks that happen daily once our software reaches production.

Information security and the role of a developer

Code reviews

There is no doubt that periodic code reviews among team members help to improve software quality in every aspect, because many eyes catch more than one. Reviews make it easier to spot code snippets that are vulnerable to attacks, such as SQL injection or stack-based buffer overflows, and to stop such hazardous defects before they reach the code base.
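As an added example (not code from the original post), here is the kind of defect a reviewer should catch: the same user lookup written with string-built SQL and with a bound parameter, run against a constructed in-memory SQLite table, plus a small heuristic a reviewer might script to flag string-built SQL during review. The user names, the `203.0.113.x`-style sample data and the `flag_string_built_sql` helper are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the username is pasted into the SQL text.

    A reviewer should flag this line; a crafted username rewrites the
    query's WHERE clause instead of being compared as data.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Hardened: the username travels as a bound parameter, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# Classic tautology payload: turns "username = ''" into "... OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups with the payload and return (vulnerable, safe) results."""
    conn = make_db()
    return find_user_vulnerable(conn, PAYLOAD), find_user_safe(conn, PAYLOAD)


# Review heuristic (assumption for this example, not an OWASP tool): flag
# source lines that contain a SQL keyword inside a string that is built
# with an f-string, concatenation, %-formatting or .format().
SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete)\b", re.I)
STRING_BUILD = re.compile(r"""\bf["']|\+|%|\.format\(""")


def flag_string_built_sql(source):
    """Return 1-based line numbers of suspicious SQL construction in `source`."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        if SQL_KEYWORD.search(line) and STRING_BUILD.search(line):
            hits.append(number)
    return hits


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable lookup returned:", vulnerable)  # every user
    print("safe lookup returned:", safe)              # nothing
```

The vulnerable version returns every user for the payload, the parameterized one returns nothing, and the heuristic only points a reviewer at lines worth a closer look; it is not a substitute for reading the code.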

The importance of QA and Penetration Testing

In a software development process it is necessary to test every component that is released. Making sure that your software is secure is as crucial as verifying the application's functionality. This is where penetration testing (or pentesting for short) comes in. A pentest, whether performed manually or with the help of automated tools, executes controlled attacks against a system and attempts to find vulnerabilities in the software, enabling us to fix them before a real attack occurs.

Depending on the organization, the pentesters may or may not be given information about the system before the test (white-box versus black-box testing). Running both kinds helps us prepare for internal as well as external attackers. Fortunately, OWASP maintains a list of recommended testing tools.

Usage logs

Finally, it is highly recommended that the software we develop implements logging in order to monitor the application's behavior. It is not necessary to record every action the software takes, but we should log the critical steps of the application, such as authentication, authorization decisions and changes to sensitive data. This makes it easier to track down odd application behavior and gives us a better idea of what went wrong, which reduces the time it takes to detect and respond to an attack and so minimizes the damage it can cause.
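To show what logging a critical step buys you, here is an added example (not code from the original post) that writes one structured log line per login attempt and then runs a simple detector over a constructed sample log to flag a burst of failed logins from one address. The field names, the `203.0.113.x` / `198.51.100.x` sample addresses and the threshold of five failures in sixty seconds are assumptions chosen for the example.

```python
import json
from collections import defaultdict, deque


def log_login_attempt(user, source_ip, success, ts):
    """Return one JSON log line for a login attempt.

    Log who tried, from where, whether it worked and when; never log the
    credential itself. Structured output keeps the line machine-readable.
    """
    record = {"ts": ts, "event": "login", "user": user,
              "src": source_ip, "ok": success}
    return json.dumps(record, sort_keys=True)


# Constructed sample log (not real traffic): five quick failures and then a
# success from one address, and a lone failure from another.
SAMPLE_LOG = [
    log_login_attempt("alice", "203.0.113.7", False, 1000),
    log_login_attempt("alice", "203.0.113.7", False, 1010),
    log_login_attempt("bob", "198.51.100.9", False, 1015),
    log_login_attempt("alice", "203.0.113.7", False, 1020),
    log_login_attempt("alice", "203.0.113.7", False, 1030),
    log_login_attempt("alice", "203.0.113.7", False, 1040),
    log_login_attempt("alice", "203.0.113.7", True, 1050),
]


def detect_bruteforce(lines, threshold=5, window=60):
    """Return (src, ts) for each source that reaches `threshold` failed
    logins within `window` seconds, sliding over the log in order."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("event") != "login" or event.get("ok"):
            continue
        failures = recent[event["src"]]
        failures.append(event["ts"])
        # Drop failures that fell out of the window.
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((event["src"], event["ts"]))
            failures.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for src, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"possible brute force from {src} at ts={ts}")
```

Because the success at ts=1050 comes right after the burst, an analyst reading the alert can also see that the attempt eventually worked, which is exactly the context that shortens investigation time.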

Sources

Open Web Application Security Project
BCS
OWASP Code Review
Loggly
Sans.org