by Karel Gonzalez, Senior Software Engineer
A few weeks ago, I had the opportunity to attend the Lonestar Application Security Conference here in Austin. Security is something I have always been mindful of during my development, but I still felt a sense of futility about it. I ask myself on a fairly regular basis “I’m doing something, but am I doing enough?”
I met a lot of great people during the conference, and heard some very interesting talks about privacy and security concerns, some more technical than others. Overall, the experience made me feel like I should start focusing on security more as a developer, and urging my peers to be more mindful of it as well.
I’d like, for a moment, to take a broader look at security. Not in any specific application, but as a concept.
Merriam-Webster defines security as “The quality or state of being secure”, and goes on to define some situations such as “freedom from danger” or “freedom from fear.” We have to read down a bit further to get the definition of security as a practice. Definition 4b(1) specifically reads “Measures taken to guard against espionage or sabotage, crime, attack or escape.”
We take measures to guard ourselves in the information age by using firewalls and antivirus software. Our developers have learned to take basic security measures while writing code for the applications you provide as a service, such as escaping user input before it is processed to avoid injection of malicious code. We use security software and/or security analysts evaluate our products to make sure they meet a set of security standards that are as current as they can be.
Despite all this, it seems like lately every time we turn to the news there is yet another major organization that has encountered a security issue. Even organizations that deal exclusively with our most private of information are being breached. These are organizations that have security teams and budgets far larger than some of the organizations I have worked for.
When a data breach happens I worry. Especially if the breach occurs with an organization that I personally do business with. The Experian breach impacted me. The Target breach impacted me. I’m sure they impacted some of you as well. I wonder what could have been done to avoid the situation. Were they keeping the software that they rely on up-to-date? Were they storing information securely?
So what can we do to make sure we aren’t the next data breach headline?
From a non-technical standpoint, it starts with cultivating a culture that doesn’t treat security as an inconvenience. Everyone in your organization should be concerned with the security of both your intellectual property, and your clients’ data. This can be difficult to do sometimes with the heavy feature-focus some levels of an organization can have. There are requirements that must be met, and sometimes security gets pushed aside. Once that starts happening however, it becomes increasingly difficult to get caught back up. If security is a focus during feature development, it becomes easier to maintain.
From a more technical perspective, we need to observe what the current security threats are and take measures to protect against them. We need to be less reliant on our perimeter security measures, and do more than the bare minimum of string escaping and the like. The reliance on software libraries and frameworks makes this difficult at times, especially if the source code is not available for audit. It’s difficult to know whether the frameworks you are using are truly secure. Security audits and penetration testing, despite the amount of time they can take, are good ways to ensure that your product meets your organization’s security guidelines.
Overall, you can never assess every threat before it happens. But with a culture of security, and a team of engineers and developers that are prepared to take security seriously, you can greatly reduce the amount of risk to your organization.