re: What are some fundamentals of security every developer should understand?
 
  1. Trust no one. Especially yourself.
  2. The only perfectly secure system is one that's been disconnected, powered off, encased in concrete, and dropped into the ocean from a helicopter flown blindfolded.
  3. Any functionality you can use is functionality someone else with ulterior motives can use. Data you can access through your system is data someone else can access through your system. Backdoors are an inherent security risk.
  4. Assume user input is malicious until proven otherwise.
  5. If you're good enough to roll your own crypto, you already have a job working specifically on crypto.
  6. If you only need to test whether input matches something you've stored (like passwords), hash, don't encrypt.
  7. Bind prepared statements, don't interpolate parameters into queries.
  8. If you have a publicly-visible API backing your site, remember that your site isn't the only thing that can hit it.
  9. Think about and test edge cases.
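
Items 4, 6 and 7 of the list above combined in one login check, as an added example that is not part of the original comment. The table layout, function names and sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Item 6: a salted, one-way, deliberately slow hash. There is no key
    # that could turn the stored value back into the password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db


def lookup_interpolated(db: sqlite3.Connection, name: str) -> list:
    # The pattern item 7 warns against: the input becomes part of the SQL text.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_bound(db: sqlite3.Connection, name: str) -> list:
    # Item 7: the input is bound as a value and is never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def verify_login(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:  # item 9: an unknown user is an edge case, not an exception
        return False
    salt, stored = row
    # Re-hash the attempt and compare in constant time; nothing is decrypted.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # item 4: treat input as malicious until proven otherwise
    print("interpolated:", lookup_interpolated(db, hostile))
    print("bound:       ", lookup_bound(db, hostile))
    print("login ok:    ", verify_login(db, "alice", "correct horse"))
```
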
 

I'm not sure if the blindfolded helicopter will achieve its purpose. It might just crash pretty quick, make the system fall and release it from concrete. Just sayin'

 

You can take off without the blindfold but you have to put it on once you're over the water.
