Writing Secure Code

Meeting the highest security standards is a priority

Preamble

The information data we handle is secured if the following aspects are respected:

  • Confidentiality: the data we store should only be accessible by the people allowed to do so, nobody else

  • Integrity: the data we store should never be altered in any unwanted way

  • Availability: the data should be available when users need it, whatever the day or time, whatever the conditions.

These 3 aspects are often defined as the CIA triad.

Doing so requires a strong discipline.

The Human Factor

Code is not made by robots. And, humans make mistakes. This applies in all the domains. At Prospect.io, we recognize and accept that fact, but, we aim for quality. So, we expect all developers to:

  • Be conscientious: you should recognize whenever you are dealing with important information, that this information is important. So, every piece of code that you write or system that you build should always be checked from an eye of security expert. Whatever the deadline, business objective, scope of the project, etc., security should always be an important concern. This includes thinking about security at every moment of the development process: during the initial architecture thinking, while coding and reviewing code, and even afterwards.

  • Be transparent: did you spot something strange? Do you think we can do best? Feedback is always welcome. Never be afraid to say something when it is about information security. Did you make a mistake? Tell it, we will see what we can do. We will never blame anyone for assuming their mistakes. Hiding information, however, will be blamed.

  • Do your best: Nobody is perfect, but, we should aim for it. So, don't hesitate to read, ask, discuss. Learn about security. That is a big and complex topic, but it is also very interesting. There are a lot of good places to learn it. Knowing too much is never a waste of time.

Coding Practices

Now that you see how to approach security as an attitude, you may wonder how do this apply the moment you start writing some real code.

Know common security issues

Just google it: “owasp top 10 2019”; you will find what are the most common problems that you can have in your application. And, try to avoid it when writing code.

Top concerns often include elements such as: SQL injection, broken access control, XSS, and a lot of other elements. Learn about them. Discover what could lead them to appear and avoid it.

Feel when it is touchy

Some elements need more care than others, so think twice when:

  • you are about writing your own security code / cryptography / authentication system (hint: that's often a bad idea)

  • you are touching critical customer data (such as logins, authentication token, etc.), be sure not to expose them everywhere

  • you want to add a new external component (such as a library, etc.)

And, if you doubt, do not hesitate to ask one of your more experienced colleague, it is always welcome.

Keep your secrets

Web applications are often made of very important secrets, such as API tokens, passwords, etc. They could be one very big concern when leaked to an unauthorized third party.

So, always store your tokens, and secrets in a designated place such as:

  • a secured storage system (such as an ICE system)

  • a password vault (such as 1password)

Especially, avoid communicating them over plain text places such as:

  • pasting systems

  • internal communication : emails, chats

  • papers, whiteboards

Be up to date

When using code from others, you're also inheriting their security and design weaknesses. Think about that.

Be sure you don't use code that contains known security issues, and if possible, put automated systems in place to review the dependencies that you use in your code.

Try to patch vulnerable external packages as soon as it is detected. Never keep components not updated for a while, you'll be sure someday they will have security flaws.

Review code carefully

Always review code from a security point of view. And, when you're writing touchy code, don't hesitate to mention it in the review. Having two pairs of eyes looking on your code is always better than one.

Think about what is around

Finally, don't limit security as avoiding things such as SQL injection in your main application. Also think about all the things that are around:

  • Think about that small app that you made just from one ephemeral need, is it secure?

  • Think about your coding environment. Is your computer secure?

Security flaws could come from unexpected places that you won't think at first.

Read that article: https://www.wired.com/story/despacito-hack-vevo-youtube/.

Think about what would happen if one can guess your Github account password because:

  • you don't have two factor authentication turned on

  • you're reusing your personal password

  • that personal password already leaked on the web (check it here).

You don't have to expose a very complex technical issue to be hacked. Make your best to avoid that.