I am a Developer Advocate for a company (Snyk) that specializes in helping devs find and fix security vulnerabilities in their open source dependencies. It is my job to share resources and insight with dev communities and, more importantly, to listen to devs and get feedback on what they need. Prior to this I was a webdev who had read the OWASP Top Ten a few times. It has been a bit of a change to say the least.
I honestly sometimes feel like a professional confused-person. I am new to security, and a lot of my coworkers understand security in a really profound way. But it is valuable for the company to have the perspective of someone who is new to security, because a large portion of their customer base is as well. And that is okay. I am learning things each week.
I have a secret though, and I think I should share it.
You know more about security than you think you do.
Take it from someone who knows more than she did six months ago. Take it from someone who still has a lot to learn. Humans have a security mindset even if they haven't written a line of code. There are things that you do in your day to day life that give you perspective on security.
So I present to you five things I knew about security, before I knew anything about security:
We all practice this in our social lives. I tell things to my husband, or my best friend, or my mom that I would not tell my coworker, or an acquaintance, or a stranger.
When I was in grad school, my flatmates and I all had permission to be in the common areas of the apartment, but my individual room had a separate lock. So did theirs.
When I am at a conference, my badge gets me into public areas, but not necessarily backstage, or to separately ticketed tutorials. An organizer's badge would get them into those spaces.
Granular permissions are part of our daily lives and have generally been set by social norms, purposefully designated relational boundaries, or some kind of physical security (like the locked apartment rooms). They may have been purposefully stated, but you also might have just assumed the defaults. You may not have been aware that you grant granular permissions in your personal life, but you absolutely do.
Think about these granular permissions in your life. Be purposeful about them for happier, healthier relationships. And be purposeful about permissions in the apps you build as well. Ask yourself whether the defaults make sense and remember that it is always easier to grant a new permission than it is to revoke one.
There is an old joke about two hikers who come across a bear while on the trail. They start to run away. One hiker says to the other, "Why are we running? We can't outrun a bear!" The second hiker replies, "I don't have to outrun the bear, I only need to outrun you."
There is a lot of truth to this. Bad actors will often go for low-hanging fruit, crimes of opportunity, or the path of least resistance. Stay ahead of your peers to stay ahead of the bear.
Have you ever investigated a car alarm? I have, on exactly one occasion. My neighbor had gone out of town and his car alarm went off, and kept running for 36 hours. That got my attention, but not quickly enough if his car was actually being stolen.
People are not roused to action by car alarms because they have a ridiculously high rate of false positives. For every car alarm triggered by a true crime, there are hundreds seemingly triggered by the wind, a falling leaf, or a dog looking at it.
If you are warned about 50 security vulnerabilities, none of which turn out to be actual vulnerabilities, what is the likelihood that you will pay attention to the next alert?
Before I was a latchkey kid, I was an after-school program kid. My mom worked prosecuting child abuse cases, and was very serious about security with my brother and me. If there was ever an occasion when Mom was unable to pick us up, there was an established protocol.
First, she would call the program and let them know who was going to pick us up (first factor). Second, when the friend or relative arrived to pick us up, they had to tell us the "secret word", a previously established secret phrase that I knew my mom would only tell someone she trusted to take care of us (second factor).
When I heard that word, I would know my mom had really sent the friend or relative.
This IRL two-factor authentication (2FA) added a layer of security and reduced the chances that I would leave with a stranger, or even with a non-stranger who hadn't been properly authorized.
If you use a service that offers two-factor auth, take them up on it. It is still possible to compromise 2FA, but it is significantly harder. Remember, you are trying to outrun your peers, not the bear.
Getting help is good. Get a locksmith. Get a home alarm. Use the tools available to you. Run with pepper spray.
In the software world this is true as well. There are a lot of groups out there who can help you be as secure as possible. Groups like Snyk can help you with your open source dependencies (we have a free tier!), other groups build code scanners or perform pentesting, and more. Use the resources available to you. You don't have to do it alone. In fact, making use of the tools available to you is preferable, because you benefit from the learning process and development that they have already gone through.
I wrote this piece to help people who are new to security, or even new to any aspect of software development. It may feel like you are starting from zero, but you are not. Technology is not some mythical subject that can only be approached by the chosen or whose mastery process is distinct from any other skill. Your current knowledge and experiences are a good starting point, and you absolutely can learn and improve. Onward!