
Arpit Mohan


Building simple systems for better security & reliability

TL;DR notes from articles I read today.

Simple systems have less downtime

  • Building a system simply leads to less downtime: you don’t need to wait for a specifically proficient person to do or help with anything; anybody on the team can take over troubleshooting without a steep learning curve or special training.
  • Troubleshooting, therefore, takes less time, because learning the system and then identifying and resolving the problem is almost intuitive.
  • When each part of the system has a clear function, it is easier for you to find several alternative solutions.
  • Follow these principles to build simpler systems:
    1. Features don’t justify the complexity. Choose tools that are easy to operate rather than the most feature-rich option.
    2. Complex ideas lead to complex implementations. Pare down your ideas so they can be explained fast.
    3. Try modifications before additions. Most people rush to add new layers, steps or integrations for new requirements. Instead, first check whether the core system can be modified.

Full post here, 6 mins read

Avoiding vulnerabilities in software development

Impose proper input validation:
1. Apply the zero trust principle and assume all input is unsafe until proven otherwise. Whitelist validated environment variables, queries, files, databases and API calls.
2. Realize that attackers may be able to access hidden form fields.
3. Validate input for content, as well as length. Evaluate type, syntax, and conformance to logic (semantic sense).
4. Perform both client-side and server-side checks.
5. Validate inputs again after any data combination or conversion.
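The server-side half of the list above, as an added example that is not from the original post: an order form is checked for type, length, syntax (against allowlists) and semantic sense, a hidden client-supplied price field is ignored in favour of a server-side lookup, and the converted and combined values are validated again. The catalog, field names and limits are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed catalog standing in for a server-side price lookup (cents).
CATALOG_CENTS = {"sku-1001": 1999, "sku-2002": 4999}

# Allowlist patterns: state exactly what is acceptable rather than what is not.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")
MAX_LENGTHS = {"username": 32, "sku": 16, "quantity": 3}
EXPECTED_FIELDS = ("username", "sku", "quantity")


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class Order:
    username: str
    sku: str
    quantity: int
    total_cents: int


def validate_order(form: dict) -> Order:
    """Turn an untrusted form dict into an Order, or raise ValidationError."""
    # Zero trust: read only the fields we expect. A hidden "price" field is
    # ignored even if present, because the client can set it to anything.
    values = {name: form.get(name) for name in EXPECTED_FIELDS}

    # Type, then length, before any pattern matching so regex work stays bounded.
    for name, value in values.items():
        if not isinstance(value, str):
            raise ValidationError(f"{name}: expected a string")
        if len(value) > MAX_LENGTHS[name]:
            raise ValidationError(f"{name}: too long")

    # Syntax against allowlists (fullmatch so nothing may trail the pattern).
    if not USERNAME_RE.fullmatch(values["username"]):
        raise ValidationError("username: invalid syntax")
    if values["sku"] not in CATALOG_CENTS:
        raise ValidationError("sku: unknown")
    # str.isdigit() accepts non-ASCII digits that int() may reject, so use the regex.
    if not QUANTITY_RE.fullmatch(values["quantity"]):
        raise ValidationError("quantity: must be 1 to 3 ASCII digits")

    # Semantic check after conversion: the converted value is validated again.
    quantity = int(values["quantity"])
    if not 1 <= quantity <= 100:
        raise ValidationError("quantity: out of range")

    # The derived total is computed server-side and checked again after combination.
    total = CATALOG_CENTS[values["sku"]] * quantity
    if not 0 < total <= 1_000_000:
        raise ValidationError("total: out of range")
    return Order(values["username"], values["sku"], quantity, total)


def rejection_reason(form: dict):
    """Return None for a valid form, otherwise the validation message."""
    try:
        validate_order(form)
    except ValidationError as exc:
        return str(exc)
    return None
```

The order of checks matters: type and length first keep the regex and conversion steps cheap, and the total is range-checked even though every input to it already passed, which is the point of step 5.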

Beware of information exposure:
1. Frame your error messages so that they do not give away the full path of a file or program, or expose a user in the database.
2. Contain sensitive information to areas with explicit trust boundaries. Use access controls to secure and restrict connections between ‘safe’ areas and endpoints.
3. Keep sensitive information out of URLs and communication headers. Obscure path names and API keys.
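Points 1 and 3 in code, as an added example that is not from the original post: the client receives a generic message plus an opaque reference id, the full exception goes only to the server log, filesystem paths are scrubbed from any detail that is allowed through, and secret query parameters are redacted before a URL is logged. The parameter names, the `[path]` and `[REDACTED]` markers and the `detail_ok` flag are choices made for this illustration.

```python
import logging
import re
import urllib.parse
import uuid

log = logging.getLogger("app")

# Query parameters whose values never belong in a URL that is logged or displayed.
SECRET_QUERY_KEYS = {"api_key", "token", "password", "secret"}
# An absolute path with at least two segments, e.g. /var/app/config.yml
PATH_RE = re.compile(r"(?:/[\w.-]+){2,}")

GENERIC_MESSAGE = "The request could not be completed."


def redact_url(url: str) -> str:
    """Replace the values of sensitive query parameters with [REDACTED]."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SECRET_QUERY_KEYS else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(cleaned, safe="[]")))


def scrub_paths(text: str) -> str:
    """Hide filesystem paths that an exception message may carry."""
    return PATH_RE.sub("[path]", text)


def client_error_response(exc: Exception, request_url: str, detail_ok: bool = False) -> dict:
    """Build the error body sent to the client.

    The full exception and the redacted request URL go to the server log under a
    reference id; the client sees the id and either a generic message or, when the
    caller says the detail is safe (e.g. a validation error the user caused), the
    exception text with any paths scrubbed."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s url=%s %s: %s", ref, redact_url(request_url), type(exc).__name__, exc)
    message = scrub_paths(str(exc)) if detail_ok else GENERIC_MESSAGE
    return {"error": message, "reference": ref}
```

Support staff can match the reference id to the log line that holds the real detail, so nothing is lost for troubleshooting while nothing about the filesystem or the database reaches the client.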

Ensure proper authentication to assign privileges:
1. Make sure temporary privilege escalations are easy to reverse and are reversed promptly.
2. Assign privileges through whitelisting, starting with a universal base of least privilege, rather than restricting them through blacklisting.
3. Never allow a lower privilege level to affect a higher privileged user.
4. Restrict log-in attempts and impose session limits.
5. Separate higher-level privileges into different roles to limit ‘power users’.
6. Apply multi-factor authentication.
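Points 1, 2, 4 and 5 in one small in-memory service, as an added example that is not from the original post: privileges come only from an allowlist of roles (nothing is granted by default), admin power is split into narrow roles, temporary elevations expire on their own and can be revoked early, failed logins lock the account, sessions expire, and login failure looks the same whether the user is unknown, locked or mistyped the password. The `AuthService` class, role names, limits and the injectable clock are all constructed for this illustration; multi-factor authentication (point 6) is not shown.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Roles are allowlists of permissions: an account holds only what its roles list.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "user_admin": frozenset({"read", "manage_users"}),       # admin power split into
    "billing_admin": frozenset({"read", "manage_billing"}),  # separate narrow roles
}
MAX_FAILED_LOGINS = 5        # constructed limits; tune for the real service
LOCKOUT_SECONDS = 900
SESSION_TTL_SECONDS = 3600
PBKDF2_ITERATIONS = 50_000   # kept low for the example; production should use more


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    failed_logins: int = 0
    locked_until: float = 0.0
    temp_roles: dict = field(default_factory=dict)  # role -> expiry timestamp


class AuthService:
    """Hypothetical in-memory authentication and authorization service."""

    def __init__(self, now=time.time):
        self._accounts: dict[str, Account] = {}
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (user, expiry)
        self._now = now  # injectable clock so the expiry logic can be tested

    def register(self, username: str, password: str, roles=()) -> None:
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, _hash_password(password, salt), frozenset(roles))

    def login(self, username: str, password: str):
        """Return a session token, or None. The failure result is identical for an
        unknown user, a locked account and a wrong password, so it reveals nothing."""
        acct = self._accounts.get(username)
        if acct is None:
            _hash_password(password, b"\0" * 16)  # spend comparable time on unknown users
            return None
        if acct.locked_until > self._now():
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = self._now() + LOCKOUT_SECONDS
            return None
        acct.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._now() + SESSION_TTL_SECONDS)
        return token

    def elevate(self, username: str, role: str, seconds: int) -> None:
        """Grant an extra role that expires by itself; revoke_elevation undoes it early."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self._accounts[username].temp_roles[role] = self._now() + seconds

    def revoke_elevation(self, username: str, role: str) -> None:
        self._accounts[username].temp_roles.pop(role, None)

    def permissions(self, token: str) -> frozenset:
        entry = self._sessions.get(token)
        if entry is None:
            return frozenset()
        username, expires = entry
        if expires <= self._now():
            del self._sessions[token]  # expired session: back to zero privilege
            return frozenset()
        acct = self._accounts[username]
        now = self._now()
        active = set(acct.roles) | {r for r, exp in acct.temp_roles.items() if exp > now}
        return frozenset().union(*(ROLE_PERMISSIONS[r] for r in active))

    def is_allowed(self, token: str, permission: str) -> bool:
        return permission in self.permissions(token)
```

In a real service `elevate` and `revoke_elevation` must themselves be guarded by a permission such as `manage_users`, which is how point 3 (a lower privilege level never affecting a higher one) is enforced; here they are left as plain methods so the expiry behaviour is easy to exercise.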

Full post here, 6 mins read

Get these notes directly in your inbox every weekday by signing up for my newsletter, in.snippets().
