Bad Security habits to lose

spO0q 🐒🎃 - Jun 20 '20 - - Dev Community

Security is such a vast topic. There are a lot of traps and false beliefs.

Since the coronavirus crisis, hacking has been increasing, so you got to be prepared.
The good news is that you can significantly mitigate major flaws with simple good practices.

Hackers are looking for vulnerabilities. It's what they do. You'd be surprised how often the weakest link is the human factor.

Fewer permissions, fewer problems

We are developers, and we are human, we do stupid things, especially at the beginning of our career.
Every year, I hear that sad story in which a rookie pushes bad commits exposing credentials in one of his public GitHub repositories.

Not surprising. If forks are enabled, if you don't handle rights and permissions properly, it will happen sooner or later.

An excellent practice is to only give the necessary privileges to developers and coworkers. I don't know you, but as a developer, I prefer not having access to things I don't need. This way, I got one less (potential) problem 😘.

Use password managers and VPN

Never store passwords in your browsers. Instead, use a password manager. As a developer, you have access to confidential information, and these credentials might be critical for business. You have to protect access.

Using a password manager is more secure; it's faster, and you get extra cool features such as auto-filling passwords or password generators.

As a developer, you may work remotely, but not necessarily at home. You may push some code just before your flight, and sometimes you might have to use public networks. If your employers do not provide any VPN connection, they're probably doing it wrong. Please consider asking them, and maybe they have not heard about it yet.

Don't mess with your machine

It is your responsibility to protect your machine. Don't install any cracked software. Don't do illegal stuff, including peer to peer downloads for games and movies. Of course, don't watch porn.

Don't do hacking kinds of stuff, or at least use another machine, buy some Raspberry Pi, it's pretty cheap, install Kai Linux or whatever dedicated operating system.

Unfortunately, the danger is sometimes less visible. Don't install whatever fancy GitHub repository unless it's a trusted source. It's not rare to get unsecured docker configurations, for example.

Besides, be careful with permissions when installing applications. Review your applications regularly.

Be careful with social networks

If I am a hacker and know you work as a developer for a company in my line of fire, it is easier for me (and probably more efficient) to hack you.

If you tweet all day long, I can get a lot of information about you and your habits with the Twitter API, and I can even become your "online friend."

Knowing that you probably connect to a lot of stuff, including websites, applications, messengers, and internal networks, I can use your privileges to perform harmful actions.

Keep your tools up-to-date

You need to get the latest versions of all the software you use in your work. It includes operating systems, software, libraries, frameworks, etc.

It takes time, and it can be a massive pain because of the incompatibilities, but necessary.

Security in code

Of course, you have to know security flaws such as XSS, CSRF, SQL injections, insecure references, unvalidated inputs, etc. There are A LOT of free ebooks and fantastic resources for that.

However, it isn't effortless to learn those concepts. It gets worse when blog posts are not enough accurate or misleading, especially for that topic. Everybody says, "make yourself aware of those vulnerabilities," but it is not that easy.

You could read the entire web without understanding the key-concepts. IMHO, the best pieces of advice I can give you are the following:

  • use security guidelines in your team (I love todo lists <3)
  • do code reviews

Automatic tools are powerful, but you get a lot of false-positive results. Nothing compares to experience and pair programming.

Wrap up

I hope these security thoughts are useful, don't trust user inputs, and don't trust yourself cause you might be the breach.

Be humble. Even with those good practices, you might get hacked. It's not bulletproof, nothing is, but it drastically reduces risks.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .