This past week during my 100 days of hacking challenge, I started to dive deeper into the fundamentals of security and exactly why we as developers should learn to implement security into our code. Cybersecurity and software engineering are commonly seen as two separate specialties without much overlap, other than maybe an intro class or two for Computer Science students and a few dedicated minutes in a lecture for bootcamp grads if they're lucky.
When I initially started to learn to code, I tried to ask around for advice on how I could integrate my passion for web security with software engineering. The general consensus that I received at that time, was that they are two separate things and that the frameworks learned in school were enough and that I didn't need to concern myself with the security aspect. Something about that just didn't sit right with me, and as I've started to learn more about breaking applications through Bugcrowd's bug bounty mentorship program, my stance that all developers should learn more about implementing security in their code is enforced.
Using a framework is a common practice during development, because they abstract a lot of logic, in turn, saving a lot of time. However, using a framework without an understanding of how it works or the potential risks can put the security of your application in jeopardy. A single line of defective code can render an organization's internal systems to vulnerabilities. Many companies use the same frameworks and dependencies. This means when a vulnerability is discovered within these tools it puts all of the companies using them at risk. More so if they aren't making sure to update their dependencies and taking action against these risks. While efficiency and agility often take priority during development, without security built into the application the attack surface is greatly increased.
When developing an application, you should consider things like:
- What should this application do?
- How should this application behave?
- What are my inputs? (form fields, query parameters, local storage, embedded css, etc)
- What are my outputs?
- What potential weaknesses could be taken advantage of by a hacker?
While software engineering and cybersecurity should still be viewed as their own specialties, there are many benefits for developers learning the basics of integrating security into their coding practices. By having developers be part of the solution, in taking responsibility for their code, users and companies will be less likely to be involved in a data breach that exposes confidential data. It may take time to see a change in curriculum to include secure software development practices. Depending on the size of the company, their level of concern with security and budget, companies may rectify this by implementing a DevSecOps team, a security champion, or by hiring developers who are more aware of security practices compared to those who aren't familiar with security concepts. The goal of integrating security with web development is to prevent common vulnerabilities in your application, which protects the users, the companies, and lessens the likelihood of having to backpedal in the event of a costly & time expansive security breach.
Interested in learning more? Several resources that you may find beneficial include:
Alice & Bob Learn Application Security by Tanya Janca or the author has a YouTube playlist reading of the book
Learn Enough Frontend Security to Be Dangerous webinar hosted by Mintbean
MicroFocus Lunch & Learn DevSecOps hosted by Black Girls Hack
I will be studying a different web vulnerability each week during my 100 days of hacking and I look forward to sharing in more detail about common vulnerabilities and how we as developers can defend against them. In the meantime, let me know what your thoughts are on web developers learning more about security & any resources you find interesting!
Latest comments (8)
This is an important aspect of development; I'd say that it should be considered mandatory in today's climate. Stand up a brand new server with a simple
index.html, then look at the logs in a week; they'll likely be filled with all sorts of 404s from hacking attempts. Expose a login page, and watch the tables of hacked account credential attempts roll in.Good on you for emphasizing this! Software developers owe their users (and their user's data) no less.
Great insight, Daniel! I couldn't agree more. Hopefully with awareness comes positive change in the right direction. Thanks for reading!
Every Developer Should Learn About Security :)
The problem is that with the growing demand and changing requirements, web developers often find it hard to keep up. Some development aspects tend to be overlooked, and security is a major culprit. While security is increasingly becoming an important part of development, most web developers are not following some basic security principles.
Thanks for your input! The importance of security will only grow more and more as technology continues to evolve but hopefully with a change in more developers using secure development practices as a day to day practice it will become less difficult to keep up. I think this is also where companies can integrate the use of security champions who are developers with a large focus on security, and can take some of the load off of those who aren't security focused.
Wonderful
This was great! I have been curious about learning security myself. During my bootcamp at Thinkful we didn't learn much about security. However we were shown some of the mistake that you never want to make that can easily compromise your applications to hackers that know better. I look forward to your future writing, maybe reading them will be my intro to diving into security. Keep it up! Thank you.
Thanks for reading and for your input! 😊