<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Marko Meic</title>
    <description>The latest articles on DEV Community by Marko Meic (@markomeic).</description>
    <link>https://dev.to/markomeic</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F19297%2Fb6af4443-8dab-4c21-91e5-cbd7bc14dba8.jpeg</url>
      <title>DEV Community: Marko Meic</title>
      <link>https://dev.to/markomeic</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/markomeic"/>
    <language>en</language>
    <item>
      <title>Detailed Internet Security Analysis: Common Vulnerabilities and Best Practices</title>
      <dc:creator>Marko Meic</dc:creator>
      <pubDate>Tue, 11 Jun 2024 08:42:39 +0000</pubDate>
      <link>https://dev.to/markomeic/detailed-internet-security-analysis-common-vulnerabilities-and-best-practices-4o2</link>
      <guid>https://dev.to/markomeic/detailed-internet-security-analysis-common-vulnerabilities-and-best-practices-4o2</guid>
      <description>&lt;p&gt;Security is a major concern for companies striving to deliver software quickly. Alongside existing vulnerabilities in application code and security breaches, companies and developers must also be aware of the potential security vulnerabilities that super-powerful quantum computers pose to currently used cryptography.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To raise awareness of security risks, it is crucial to be informed about new threats to IT security.&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The problems vary: encrypted data can be stolen, stored for potential decryption by quantum computers in the future, and so on. To ensure the protection of sensitive data, developers must prioritize the implementation of modern secure programming practices and strong encryption and authentication into applications.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Be aware of data leakage
&lt;/h2&gt;

&lt;p&gt;Perhaps we can live with the fact that our data is used without our consent, but &lt;strong&gt;none of us likes it when this data ‘leaks’ into the public domain on the internet without our consent or knowledge.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Although many companies maintain high-security standards and invest large amounts of money in protecting their users' data, data leakage is still a common problem. As internet users, we all have private data stored on various websites and applications. Therefore, it is important to be aware of the dangers of data leakage and always check the security of the websites and applications we use.&lt;/p&gt;

&lt;h2&gt;
  
  
  OWASP Top 10 most critical vulnerabilities
&lt;/h2&gt;

&lt;p&gt;To protect themselves from attacks, &lt;strong&gt;companies should follow recommendations and best practices in web security.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Open Worldwide Application Security Project (OWASP) is a nonprofit organization dedicated to improving software security. Among many projects, OWASP also works on documents like the &lt;strong&gt;“OWASP Top 10 Most Critical Vulnerabilities,” which represents a broad consensus on the biggest security risks for web applications.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The goal of this document is to raise awareness among developers and other IT industry professionals about the greatest security risks and educate them on how to prevent these risks.&lt;/strong&gt; In this blog, we will highlight the five most critical vulnerabilities from the mentioned top 10:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. A01:2021 - Broken access control&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;94% of applications were tested for some form of improper access control, and the 34 Common Weakness Enumerations (CWEs) mapped to this category appeared more frequently in applications than any other category.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. A02:2021 - Cryptographic failures&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This category was previously known as sensitive data exposure, which was a general symptom, not a primary cause. The renewed focus here is on flaws related to cryptography that often lead to the exposure of sensitive data or compromise the security of systems.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. A03:2021 - Injection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;94% of applications were tested for some form of injection, and the 33 CWEs categorized here rank second in the frequency of occurrence in applications. Cross-site scripting is now also included in this category.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. A04:2021 - Insecure design&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is a new category focusing on risks associated with design flaws. If, as an industry, we truly want to make a shift towards security, this requires greater use of threat modeling, secure design patterns, principles, and reference architectures.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. A05:2021 - Security misconfiguration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;90% of applications were tested for some form of incorrect security configuration. With the increase in transition to highly configurable software, it is not surprising to see this category progressing. The former category for XML External Entities (XXE) is now part of this category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Broken access control
&lt;/h2&gt;

&lt;p&gt;Access control implements measures that prevent users from acting beyond granted permissions. Deficiencies usually lead to unauthorized disclosure, alteration, or destruction of data or performing some business function outside of user limitations.&lt;/p&gt;

&lt;p&gt;Common vulnerabilities in access control include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Unauthorized access to specific features or users&lt;/li&gt;
&lt;li&gt;Circumventing access control checks by changing URLs&lt;/li&gt;
&lt;li&gt;Allowing the viewing or editing of someone else’s account by exposing a unique reference to objects&lt;/li&gt;
&lt;li&gt;API security with missing access controls&lt;/li&gt;
&lt;li&gt;Incorrect CORS configuration that allows access to the API from unauthorized or untrusted sources (i.e., lack of whitelisting)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Building security tests into unit tests is a long-term investment that requires investing more in developers' awareness of security.&lt;/strong&gt; In addition to helping developers better understand how to test for security issues, &lt;strong&gt;this can greatly improve the overall quality of software and reduce the number of vulnerabilities in web applications.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cryptographic weaknesses
&lt;/h2&gt;

&lt;p&gt;Do we ensure security using protected HTTPS protocols when transferring information? &lt;strong&gt;Websites secured with HTTPS connections provide visitors with enhanced reliability through data encryption, which makes it more difficult to track users and their data.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In addition to making users harder to track, the &lt;strong&gt;content received is also secured because it travels over a secure communication channel&lt;/strong&gt; where interception and modification of the received content are prevented. Some internet browsers, such as Google Chrome, penalize and specifically mark websites that are unprotected by SSL/TLS certificates (used for HTTPS protocols).&lt;/p&gt;

&lt;p&gt;We secure files when transferring them between users using the &lt;strong&gt;FTPS protocol&lt;/strong&gt;. Originally, the FTP protocol allowed users to transfer files without any encryption or protective measures. FTPS is an upgraded FTP with an added security layer, Secure Sockets Layer (SSL).&lt;/p&gt;

&lt;p&gt;As with HTTPS, &lt;strong&gt;a secure communication channel is established through which all information passes between the user and the website&lt;/strong&gt;. All data are encrypted, and only an SSL-protected server can decrypt these data using a shared SSL key.&lt;/p&gt;

&lt;h2&gt;
  
  
  SQL injection
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;A security problem that has existed for over 20 years. Why is it still present in 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;SQL injection attacks occur when &lt;strong&gt;attackers send invalid data to an application, which is mistakenly executed as SQL commands&lt;/strong&gt;. This can manipulate the database data without proper authorization. &lt;strong&gt;Attackers insert SQL commands where they are not expected&lt;/strong&gt;, for example, in the password input field during application login.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What are some methods to protect against SQL injection attacks?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Data sanitization of user input&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The application should ensure the elimination of all characters from user input that could be executed as SQL code, such as parentheses and colons.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Input validation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The application should ensure input validation and limit the number and type of characters that can be entered.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Use of a secure API interface&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The recommended option is to use a secure API interface that completely avoids using an interpreter, provides a parameterized interface, or uses tools for object-relational mapping (ORM).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The reasons behind security issues in 2024&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So, going back to the previous question, why do these security issues still exist in 2024?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Lack of specific security awareness among developers&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There's often a shortfall in security-specific awareness and training among those who develop applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Lack of automated effective testing methods&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There is a lack of automated testing methods that enable precise detection of injections (e.g., tests without false positive results).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Use of database access libraries&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;These libraries are supposed to provide a secure way to access databases but can often still be exploited, giving developers a false sense of security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Volume of SQL databases&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Finally, almost every web application uses some form of database, and the sheer volume of SQL databases on the internet provides a broad surface for attack.&lt;/p&gt;

&lt;h2&gt;
  
  
  How things have changed - From experts to users
&lt;/h2&gt;

&lt;p&gt;It is certainly necessary to &lt;strong&gt;follow recommendations and best practices in web security&lt;/strong&gt;, such as those suggested by OWASP.&lt;/p&gt;

&lt;p&gt;However, even though recommendations and security tools are available, &lt;strong&gt;attackers often exploit vulnerabilities that also appear in the libraries we use in application development&lt;/strong&gt;. Previously, we had to manually program everything because there weren't as many auxiliary libraries as available today.&lt;/p&gt;

&lt;p&gt;On the other hand, those that did exist often did not meet the needs of our applications. Therefore, &lt;strong&gt;developers had to have a broad knowledge of program functionalities without the help of additional libraries.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Since we could not rely too much on ready-made solutions, most developers paid more attention to security. However, over time we began to use libraries for almost everything, &lt;strong&gt;but we did not retain the desire to understand all the details within those libraries.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Attackers targeting our applications or libraries can use techniques that exploit even the smallest problems in our code. &lt;strong&gt;Even if you write the code correctly, in 99% of cases, that remaining 1% can make your application just as vulnerable as if you had not implemented any protection at all.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Let's see an example of such an attack through popular open-source packages.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Damaged NPM libraries&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;NPM (Node Package Manager) is the most used package manager for JavaScript in Node.js. Through NPM, we can install and manage packages for our JavaScript applications.&lt;/p&gt;

&lt;p&gt;Users of popular open-source packages "colors" and "faker" were stunned when they saw their applications crashing and displaying nonsense, affecting even thousands of applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The creator of these packages intentionally included an infinite loop that crashed hundreds of applications that rely on these packages.&lt;/strong&gt; These loops print nonsensical non-ASCII characters on the consoles of all affected applications and continue to execute indefinitely, thus causing crashes.&lt;/p&gt;

&lt;p&gt;The real motive behind this action was retaliating against mega-corporations and commercial users of open-source projects who heavily rely on free community-contributed software without giving back.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best practices for selecting and using open-source libraries&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Given these challenges, &lt;strong&gt;it is important to adopt cautious and strategic practices when selecting and using open-source libraries&lt;/strong&gt;. Here are some recommendations to ensure the reliability and security of your applications:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Be careful about which packages you use.&lt;/strong&gt; Not all packages are maintained with the same level of security and reliability.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Choose packages maintained by established consortia dedicated to improving and maintaining software.&lt;/strong&gt; This ensures ongoing support and updates.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Prefer using source code over binary whenever possible.&lt;/strong&gt; This recommendation is especially important because binary files imply a much higher level of risk since it is ultimately impossible to verify that they were built with the associated source code. The best approach would be to directly use the source code, check its integrity, and analyze its vulnerability before using it in application development.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Top-tier code is secure code
&lt;/h2&gt;

&lt;p&gt;We can ensure a certain level of security by &lt;strong&gt;using various tools to check for vulnerabilities in our code&lt;/strong&gt;, such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;OWASP ZAP&lt;/strong&gt; - The most popular tool for testing the security of web applications.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;MobSF&lt;/strong&gt; - Provides automated security testing for mobile applications.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;SonarQube&lt;/strong&gt; - Used for analyzing and testing the quality and security of code in various programming languages.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;These tools can detect various vulnerabilities in web applications and mobile applications&lt;/strong&gt;, including compromised authentication, exposure of sensitive data, incorrect security configurations, SQL injection attacks, cross-site scripting, unsafe data deserialization, and components and libraries with known vulnerabilities.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr9ipmeoy5epl2w85mnxk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr9ipmeoy5epl2w85mnxk.png" alt="Web security" width="800" height="584"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What can companies do today to protect their data?
&lt;/h2&gt;

&lt;p&gt;Today, security is more necessary than it was 10 years ago. Threats range from HTTP anomalies, SQL injection attacks, and cross-site scripting (XSS) to attempts at account takeovers and malicious bots.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To ensure the security of our applications, it is crucial that every company operating on the web does not compromise security for the speed of delivering new applications or functionalities.&lt;/strong&gt; Most importantly, the company must maximize the security of its end-users' data.&lt;/p&gt;

&lt;p&gt;If you have any questions about how we handle security at our company, feel free to reach out in the comments below!&lt;/p&gt;

</description>
      <category>sec</category>
      <category>vulnerabilities</category>
      <category>owasp</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Challenges of Being a Tech Lead</title>
      <dc:creator>Marko Meic</dc:creator>
      <pubDate>Fri, 08 Dec 2023 15:42:15 +0000</pubDate>
      <link>https://dev.to/markomeic/challenges-of-being-a-tech-lead-48dk</link>
      <guid>https://dev.to/markomeic/challenges-of-being-a-tech-lead-48dk</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Being a technical lead is much more than just programming.&lt;/p&gt;

&lt;p&gt;Being a tech lead requires a large amount of professional experience in software development and a deep understanding of technology. However, aside from these qualifications, it also entails being approachable and capable enough to collaborate and help others while effectively leading a team.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What makes a tech lead… a true lead?
&lt;/h2&gt;

&lt;p&gt;A tech lead is usually a more senior member with the skills to lead, direct and manage technical projects. While coordinating projects or overseeing feature development from start to finish, they remain individual contributors. Tech leads often have additional responsibilities, such as coordination between various departments or monitoring testing and quality assurance tasks for their projects. There is a whole set of skills a tech lead should possess and continually work on. Let’s see why they all matter!&lt;/p&gt;

&lt;h3&gt;
  
  
  Never stop upgrading your &lt;em&gt;technical knowledge&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Although technical knowledge isn’t the sole required skill, it is a prerequisite. A tech lead should possess a &lt;strong&gt;deep understanding of technology&lt;/strong&gt; while being open to adopting new technologies and learning. No matter your current position, be ready to learn something new.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why mastering effective communication is the key skill
&lt;/h3&gt;

&lt;p&gt;It is not said without reason that communication is the key to success. You should be able to communicate with your team and help them to grow effectively. From technical meetings to workshops, you must remember that &lt;strong&gt;effective communication requires active listening&lt;/strong&gt;. Active listening involves both verbal and nonverbal communication, and like most soft skills, it requires practice. As a result, you will &lt;a href="https://www.vistage.com/research-center/business-leadership/20180912-active-listening-leadership-skill/"&gt;connect more with people&lt;/a&gt; and avoid many errors in work due to ineffective communication.&lt;/p&gt;

&lt;p&gt;As a tech lead, you will also collaborate with non-tech departments, so be prepared to adeptly represent your team and provide context to all your visions and ideas. Your ability to effectively convey information will determine the success of your team.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Mentorship&lt;/em&gt; holds significance for both sides
&lt;/h3&gt;

&lt;p&gt;I would highlight this as one of the most important responsibilities of a tech lead, particularly when your team includes less experienced developers. Mentoring is all about building work relationships in the long run. This skill requires &lt;strong&gt;patience and the ability &lt;a href="https://devot.team/blog/the-importance-of-constructive-feedback"&gt;to provide constructive feedback&lt;/a&gt;&lt;/strong&gt;. Additionally, you’re there to provide continuous support and encouragement to your team, motivating them to tackle challenges independently and learn continuously.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Critical thinking&lt;/em&gt; develops great leaders
&lt;/h3&gt;

&lt;p&gt;You shouldn’t take every idea at face value. In work, the potential for incorrect suggestions and advice is ever-present. Blindly following everything presented to you can only waste your time. Developing your critical thinking skills as a leader is pivotal in helping you and your team solve problems.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Decision-making&lt;/em&gt; is not your enemy
&lt;/h3&gt;

&lt;p&gt;Although we said that to be a tech lead, you need to have experience, not all senior engineers are born to be leaders. The &lt;strong&gt;ability to make decisions and commit yourself&lt;/strong&gt;, both to your team and projects, is what sets you apart. Fear of leadership is a real thing because it puts the weight of responsibility on your back, and as a leader, you need to learn how to deal with that.&lt;/p&gt;

&lt;p&gt;Decisions need to be made confidently and with a level head. In every moment, you need to be aware of where the team’s priorities lie. Should you all focus on one thing or another this sprint? Can the team afford tech debt when implementing some features?&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Time management&lt;/em&gt; is a secret to success
&lt;/h3&gt;

&lt;p&gt;Nowadays, a lot is being said about time management skills in every industry. It requires a whole set of skills; now imagine if it’s not just you in question but your entire team.&lt;/p&gt;

&lt;p&gt;Remember that some days you will still do coding most of the time, but given your position as leader, expect your calendar to be packed with meetings and interruptions. Don’t you worry because, on most days, you will have a mix of both. More fun for you!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A quick tip: learn how to block off time on your calendar to have more focus on your work.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The art of knowing when to &lt;em&gt;delegate&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;The inability to delegate is one of the most common management mistakes. &lt;a href="https://devot.team/blog/the-subtle-art-of-delegation-you-cant-be-a-great-manager-until-you-learn-it"&gt;To delegate doesn’t mean you are incapable of doing something&lt;/a&gt;; it means you have mastered the art of time management and play to your team’s strengths and goals. You are giving a chance to your team members to learn and develop while creating time for your priorities.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Optimize your team through documentation and project process improvement&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;As a tech lead, be prepared to be asked the same questions. Repeatedly. And frequently. Every team member is responsible for reviewing code, so teach them about the best code review practices. By including your team members in resolving complex problems, you are teaching them critical thinking; as a result, you will have another person capable enough to help in the future.&lt;/p&gt;

&lt;p&gt;Adequate documentation supports both the development team and stakeholders, and it’s an essential part of every software project. Doing this correctly will help communicate more effectively and prevent future mistakes.&lt;/p&gt;

&lt;p&gt;All of this helps optimize the developer experience. Providing a robust development environment with clear documentation will help the team become more productive. Writing missing tests for code that frequently breaks would also help. The tech lead should work with each team member to identify project issues and gaps in their knowledge and make a plan to help them fill them. Although he or she is a lead, they still need to do detailed code reviews with other developers, follow best practices and improve processes and documentation.&lt;/p&gt;

&lt;h3&gt;
  
  
  Benefit from your &lt;em&gt;negotiation skills&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Because of your job position, you will often interact with product owners and stakeholders. Your &lt;strong&gt;goal is to align expectations and prioritize your team’s work&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;To maximize productivity and fair task distribution in a team, negotiation skills help when assigning tasks among team members. Effective negotiation will help you to improve your processes, implement new technologies or methodologies and drive continuous improvement.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Project planning&lt;/em&gt; and &lt;em&gt;stakeholder management&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;The tech lead works with the product owner to create a development plan for a project and to &lt;strong&gt;set realistic timelines&lt;/strong&gt;. In case of unrealistic deadlines, the tech lead is there to put a hard stop and make the priorities known. Together with a product owner, they create a list of the most critical items to deliver in a certain amount of time. After that, they create a plan to deliver future iterations in &lt;a href="https://devot.team/blog/agile-philosophy"&gt;an agile way&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Understanding how to manage clients, various stakeholders, and business partners is crucial. The ability to maintain good collaboration and align expectations is what will make a project great. You can imagine a tech lead as a &lt;strong&gt;bridge between a project's technical and business sides&lt;/strong&gt;. The tech lead is responsible for effectively communicating technical terms and ideas so stakeholders can clearly understand them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1vecbsd21uc4461cb6o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1vecbsd21uc4461cb6o.png" alt="Is Time Management a Skill" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Behind the scenes of being a tech lead
&lt;/h2&gt;

&lt;p&gt;No two individuals will approach a task in the same way. Each leader’s unique perspective, skills, and experiences contribute to how they tackle challenges. Let’s take a glimpse into what my schedule looks like.&lt;/p&gt;

&lt;h2&gt;
  
  
  A month and a week in the shoes of a tech lead
&lt;/h2&gt;

&lt;p&gt;Be prepared for each week to be different. In one week, you’ll help your fellow team members with their tasks, coaching and contributing to their growth. In another week, your focus will be on more project-related meetings. On a monthly basis, there is a lot of planning work for two-week sprints, quarters, prioritization of development tasks, and resolving dependencies effectively to increase team productivity and delivery.&lt;/p&gt;

&lt;p&gt;It may come as a shock, but as a tech lead, there can be a whole week without you writing a single line of code. The priority is that your &lt;strong&gt;entire team is productive and successful&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A few hours per week are dedicated to coding, while the majority of the time goes to project meetings, aiding in unblocking team members, and reviewing code and ideas from other developers. It is difficult to focus on writing good code when you are being interrupted every hour by a meeting.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does my typical day look like?
&lt;/h3&gt;

&lt;p&gt;Remember, while having a routine is important, it’s not set in stone.&lt;/p&gt;

&lt;p&gt;During the initial three hours of the morning, I focus on checking and responding to all new emails and Slack messages. To visualize my work, I think about the priorities for the day and assess whether anything remains from the previous day's work.&lt;/p&gt;

&lt;p&gt;The midday period is generally reserved for meetings and collaborative pair programming sessions with developers - a great way to pick up some new information and knowledge. As a reminder from the message at the beginning: never stop upgrading your knowledge, no matter your position.&lt;/p&gt;

&lt;p&gt;It’s your responsibility always to expect the unexpected, so working on things you didn’t set a tight schedule for is part of the workday.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A quick tip: don’t forget to check with your team where you can unblock them so they can continue their work.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Given the projects involving team members across different time zones, I reserve the end of the day for a daily standup, product/tech sync, planning, and refinement meetings. After all these meetings, if there is time, I continue working on my tasks and bugs. It all comes full circle because, at the end of my day, I prepare a starting point for the next day.&lt;/p&gt;

&lt;h2&gt;
  
  
  Don’t be afraid to embrace the responsibilities that come with the role
&lt;/h2&gt;

&lt;p&gt;Maybe it sounds scary at first, but don’t shy away from taking on full responsibility in this role. In this position, you will:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Provide technical support to the product owner and other stakeholders&lt;/li&gt;
&lt;li&gt;Organize and prioritize the project's technical work so the right parts get done at the right time&lt;/li&gt;
&lt;li&gt;Lead technical design meetings and technical breakdowns&lt;/li&gt;
&lt;li&gt;Make sure that teams meet high standards of quality and implement best practices&lt;/li&gt;
&lt;li&gt;Ensure that team members understand project processes and documentation&lt;/li&gt;
&lt;li&gt;Help to remove blockers, which may include seeking answers from other departments or teams&lt;/li&gt;
&lt;li&gt;Make sure that the team has the right tools and resources to complete their task&lt;/li&gt;
&lt;li&gt;Teach through pair programming and code reviews&lt;/li&gt;
&lt;li&gt;Influence the team with new ideas, methodologies, etc.&lt;/li&gt;
&lt;li&gt;Make sure the team is working toward the project vision and timeline&lt;/li&gt;
&lt;li&gt;Communicate and negotiate with stakeholders on project timelines, deadlines, and overall work&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpaumfeb0kmhp4zi12jec.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpaumfeb0kmhp4zi12jec.png" alt="Embracing Tech Lead Responsibilities" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Overcoming the challenges of being a tech lead
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Decision-making responsibility
&lt;/h3&gt;

&lt;p&gt;As previously mentioned, what sets tech leads apart from senior developers is their &lt;strong&gt;ability to make decisions&lt;/strong&gt; while being aware of the responsibility that comes with it. If you are the lead, the responsibility to decide which technology or tools to use for a feature or a project is in your hands.&lt;/p&gt;

&lt;p&gt;This is a challenging task because it requires taking into account several factors. Choosing the right tool for the job involves both the tech lead and the developer, and the wrong choice can lead the project in completely the wrong direction. Later, this could be a &lt;a href="https://devot.team/blog/famous-programming-errors-that-everyone-should-learn-from"&gt;very expensive mistake for everyone involved&lt;/a&gt;. Recognizing your team’s strengths is an integral aspect of your skill set. It doesn’t make sense to push a technology if the team isn’t comfortable working with it or has no knowledge of it. When choosing a technology, you should consider the project's maintainability and the difficulty of finding new talent who would continue to work with that technology.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Never hesitate to raise your concerns regarding unrealistic deadlines, timelines, and workload overall&lt;/strong&gt;. As a representative of your team, you should consistently communicate the delivery timeline transparently to stakeholders.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Preventing burnout
&lt;/h3&gt;

&lt;p&gt;Workplace burnout is regrettably all too common in today’s world. A tech lead’s role should be to keep their team from becoming burnt out while not running themselves into the ground.&lt;/p&gt;

&lt;p&gt;Burnout results from an unhealthy workplace, which reduces productivity and the health and happiness of everyone involved. It is important to learn how to &lt;strong&gt;recognize signs of burnout in a team&lt;/strong&gt; and have open communication with the team to determine the reasons for their problems. Addressing issues as soon as possible in a project or team will reduce frustration and stress; otherwise, they will cause even more problems in the future. You should always remember that &lt;a href="https://devot.team/blog/the-importance-of-taking-a-break"&gt;taking breaks at work is important&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Cultivating a strong team culture
&lt;/h3&gt;

&lt;p&gt;Building a strong &lt;strong&gt;team culture&lt;/strong&gt; increases the whole team’s productivity and efficiency. Having the necessary skills and knowledge is important, but partaking in building team culture will bring cohesiveness to the next level. It’s on you to set the tone of team culture and provide opportunities for open and transparent communication. As a tech lead, you need to create space for personal and professional goals and have everyone in alignment with team and company values.&lt;/p&gt;

&lt;p&gt;While working towards a common goal as a team, each individual contributes to the team culture. Because of this, as a tech lead, you can count on mentoring less experienced developers and new team members. This requires patience, understanding, and the ability to impart knowledge to someone.&lt;/p&gt;

&lt;h2&gt;
  
  
  Growing into a tech lead role
&lt;/h2&gt;

&lt;p&gt;Remember that as a lead, you need to master the art of &lt;strong&gt;balancing multiple responsibilities and juggling between tech and non-tech tasks&lt;/strong&gt;. You also need to be willing to accept that you can’t be in complete control of everything that happens on the project.&lt;/p&gt;

&lt;p&gt;Sometimes, you need to learn to let your team members fail. This will help the team be more independent, which, in the end, frees up your own schedule for your technical tasks.&lt;/p&gt;

&lt;p&gt;You are responsible for ensuring that teams satisfy high-quality standards and that best practices are implemented while delivering all projects and features on time. Learning how to prioritize the work effectively will help the team work toward goals with a minimized number of blockers. In return, it will boost their productivity and success.&lt;/p&gt;

&lt;p&gt;As a tech lead, you will continuously learn, and that’s a part of your role. A good tech lead works on improving knowledge and skill set while knowing when to delegate. Remember, you can’t do it all by yourself!&lt;/p&gt;

</description>
      <category>careerdevelopment</category>
      <category>leadership</category>
      <category>career</category>
      <category>development</category>
    </item>
    <item>
      <title>How to install unsupported development software on M1 Mac</title>
      <dc:creator>Marko Meic</dc:creator>
      <pubDate>Fri, 22 Jul 2022 07:20:47 +0000</pubDate>
      <link>https://dev.to/markomeic/how-to-install-unsupported-development-software-on-m1-mac-24ok</link>
      <guid>https://dev.to/markomeic/how-to-install-unsupported-development-software-on-m1-mac-24ok</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Developers worldwide use Intel-based Mac computers every day, but many of them face issues setting up their development environment on Apple silicon M1 Macs.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;The big transition from Intel to M1&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In November 2020, Apple released the first Mac with an ARM-based M1 chip, along with the new MacBook Pro, MacBook Air and Mac mini models. From the release, the M1 chip received astounding reviews and praise for its efficiency and performance – and it marks Apple's transition from Intel chips that have been used for the last 15 years.&lt;/p&gt;

&lt;p&gt;Suppose you consider buying a new Apple silicon supercharged Mac or MacBook Pro for development, but you are worried about transitioning your existing project from your Intel-based Mac. In that case, this blog will explain some development setup tips &amp;amp; tricks that will help you continue programming and make your transition easier.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is the Apple silicon M1 suitable for developers?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Ever since Apple introduced the first M1 Macs two years ago, they delivered groundbreaking performance and amazing battery life.&lt;/p&gt;

&lt;p&gt;In the beginning, M1 chips were only to be found on consumer-focused Macs and definitely came with some limitations – such as being able to support only one external monitor. The next step came a couple of months ago - in October 2021, when Apple introduced the new M1 Pro and M1 Max – new breakthrough chips for the Mac.&lt;/p&gt;

&lt;p&gt;The first things we noticed are more powerful M1 architecture, more CPU cores, more GPU cores, more RAM, more ports on the MacBook Pro models – and the possibility of connecting more than one external display.&lt;/p&gt;

&lt;p&gt;There are a lot of pros when it comes to the new Apple M1 chips; however, there are some disadvantages that need to be addressed: for example, software and tools you are used to may not be fully supported.&lt;/p&gt;

&lt;p&gt;Although there is already a lot of software optimised for Apple Silicon, some software requires an extra step in the form of a translation environment, such as Apple Rosetta, which translates apps designed for Intel architecture to M1 architecture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Software problem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Here in our company Devōt, we use both Intel-based and M1-based Mac machines, and many of us use the Homebrew package manager, which simplifies the installation of different software, like Ruby, Git, MySQL, etc.&lt;/p&gt;

&lt;p&gt;However, when trying to install some older versions of that software on the M1 architecture, we would soon run into many issues related to installing native extensions and different dependencies.&lt;/p&gt;

&lt;p&gt;To resolve those issues and install the failing dependencies, we tried many different solutions and extensions, which included different installations through the terminal on Apple and Intel architecture. The result was a huge development software mess that didn't look promising. For example, trying to install the older Ruby 2.3.6 version (which is not supported on M1 architecture) was constantly causing issues with the ffi 1.9.18 gem and OpenSSL 1.0 (also not supported on M1 architecture).&lt;/p&gt;

&lt;p&gt;After many tries with custom dependency installations, Ruby 2.3.6 seemed to be installed. However, there were also Ruby Bundler issues with installing project gems – all in all, a big mess.&lt;/p&gt;

&lt;p&gt;One of the biggest problems in this transition is that some large-scale projects use an older technology stack, which may not be supported by M1 architecture. For example, let's take MySQL Database Service: MySQL@5.6 is not supported on M1 architecture, and trying to install it with Homebrew on M1 architecture results in many different errors.&lt;/p&gt;

&lt;p&gt;If, by any chance, you somehow manage to install MySQL@5.6 with some custom installation commands, other software such as Bundler for Ruby probably won’t work, because MySQL@5.6 is not supported on M1, and again you can expect different errors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So, what is the solution?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The solution is actually more straightforward than it may seem – you should use only one architecture for installing the entire technology stack in your development environment.&lt;/p&gt;

&lt;p&gt;For example, with Rosetta, we can have two Homebrew systems installed. With Apple silicon architecture, Homebrew's default directory is /opt/homebrew. When installed with Intel architecture, there is a different default directory, and it is /usr/local.&lt;/p&gt;

&lt;p&gt;When using the terminal, we can run commands in Rosetta (on the Intel architecture), but mistakes can still happen, and we can end up with a mess again.&lt;/p&gt;

&lt;p&gt;Example brew aliases:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;alias rbrew="arch -x86_64 brew"
alias ibrew='arch --x86_64 /usr/local/Homebrew/bin/brew'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In our example, we use iTerm on Mac as the main terminal app, and the zsh shell with the Oh My Zsh framework.&lt;/p&gt;

&lt;p&gt;Adding some aliases to the zsh configuration file (.zshrc) to switch between Intel and M1 architecture can help us a lot in the environment setup, while installing all the libraries through Homebrew along with other tools and software.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;alias armzsh="arch -arm64 zsh"
alias intelzsh="arch -x86_64 zsh"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To display which architecture we are currently running in, we can add this setting to our zsh configuration file (.zshrc).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if [ "$(uname -p)" = "i386" ]; then
  echo "Running in intel arch (Rosetta)"
  eval "$(/usr/local/homebrew/bin/brew shellenv)"
  alias brew='/usr/local/homebrew/bin/brew'
else
  echo "Running in ARM arch"
  eval "$(/opt/homebrew/bin/brew shellenv)"
  alias brew='/opt/homebrew/bin/brew'
fi
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Even though it may sound trivial, making sure you are in the correct architecture is crucial to avoid many issues caused by the different Homebrew installations.&lt;/p&gt;

&lt;p&gt;For version manager, our suggestion would be asdf. asdf is a CLI tool that can manage multiple language runtime versions on a per-project basis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How does it work?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Most tools and programs will work perfectly fine on M1 architecture, but for some tools the installation won't work. In our example, running asdf install ruby 2.3.6 will fail due to architecture issues on M1, but if we switch to Rosetta using our alias command and run asdf install ruby 2.3.6, it will succeed. So now Ruby 2.3.6 is compiled and installed from Rosetta, and we can actually use it even on M1 architecture (armzsh).&lt;/p&gt;

&lt;p&gt;As an M1 Mac has only an M1 architecture chip, you will have to adapt to M1 architecture if you plan to use it. How does it work on Apple M1 ARM architecture? Every time we use Rosetta to install an unsupported program or tool, Rosetta compiles it in Intel architecture – and then makes an M1 ARM installation. Rosetta is only required for the compile and install phases, and then our programs should work anywhere.&lt;/p&gt;

&lt;p&gt;Since we use both Intel-based and M1 based Mac machines, feel free to check our other blogposts here &lt;a href="https://devot.team/blog/how-to-install-unsupported-development-software-on-m1-mac"&gt;https://devot.team/blog/how-to-install-unsupported-development-software-on-m1-mac&lt;/a&gt;, and contact us with any questions related to the development setup – we will gladly try to help.&lt;/p&gt;

</description>
      <category>rails</category>
      <category>ruby</category>
      <category>mac</category>
      <category>m1</category>
    </item>
  </channel>
</rss>
