Do you think about security and wonder how you would even start to protect your projects?
Good security practice isn't really taught in any meaningful way when you first start out on the path to become a developer. "Because it's more secure" with no reasoning given is not educational and likely harmful, remember to always ask why because chances are this person's advice came from word of mouth.
I know I am guilty of several past transgressions but I don't want you to make the same mistakes or never feel compelled to ask why.
Where do I learn about Security?
In a digestible way you can learn about threats on the OWasp top 10. OWasp is a fantastic organization which keeps track of many trending ways of attacking a website, among other things they have the very current list of top 10 issues. You can also take training in the OWasp top ten from many training platforms.
Then it's my problem?
Yes, security is very much your problem to worry about because you need to learn to spot shoddy code which opens doors for attackers, the kind of doors which might as well have a sign saying hack me. But beyond this, you can enlist the help of applications to assist you in dealing with credentials, users, login, permissions and more, gone are the days of writing a login system and storing your email, username and passwords yourself.
Identity providers in a nutshell and in various forms, allow you to run an Access Management application, this kind of application runs alongside your main application, it could typically have its own database additionally you could manage how users register, login, and what access they have to view areas of an application or API.
Your application now has a login form provided by the Access Manager instead of you rolling your own, typically these are skinnable or you could just roll your own and call the api to authenticate and much more.
I work at ForgeRock, very proud of that, but I don't talk about it because I don't like to bring my work into my blog, I have no affiliated or official motives other than to say we are great and you should check us out if your looking for an enterprise solution.
But I'm not an enterprise?!
I have been grapling with the same conundrum for some time, I make a lot a lot a lot of stuff in my spare time, all of which tends to make me ask myself,
how can I even release this?!
I have a huge ethical responsibility to protect you, I don't have an Access Manager or the budget for such a tool.. Disclaimer: from here is my personal advice to you, not affiliated with any third party, you can't trust my advice blindly or anyone elses, take it with a pinch of salt, do the research to validate my claims
well good news, there are some basic open source options, and maybe they are good for large open source projects... But the best and simplistic way to solve this, use an OAuth2 provider or asking yourself, do I need user logins at all? If the former, then picking a provider you can trust.
When should I worry?
Always but especially if you take any personal information of any kind, emails, names anything like that is personal information which you must gaurd.
Cool 😎 any questions, I'm just a UI engineer but I could try to help just leave a comment and stay safe.
Top comments (1)
I've worked at so many places where as I settled in all I could thing was "lawl we bankrupt if this server gets pwn3d". Working at smaller shops taught me more about networking and security than most people I know, almost enough to make up for the lack of strong senior developers and mentors to guide me in my abilities.
My rule of thumb for UI security is to whitelist acceptable inputs instead of trying to figure out all the possible input values that need to be rejected. Proper HTTP headers can go a long way, and brownie points if you can set up a virtual firewall appliance or clearly explain VLANs. Server hardening was probably the hardest thing to master since I am not much of a sysadmin, but nowadays I try to automate as much of the hardening during image creation vs learning a crash course in Linux administration that will be a hazy recollection when we need another server.
Security is also one of the best ways I have found to make a strong first impression at a new job. Being able to humbly identify a security concern, reason with your coworkers about the code in question, and proposing a fix can really set you apart, but it requires a lot of background knowledge too.