Security is such a vast topic. There are a lot of traps and false beliefs.
Since the coronavirus crisis, hacking has been increasing, so you have to be prepared. The good news is that you can significantly mitigate major flaws with simple good practices.
Hackers are looking for vulnerabilities. It’s what they do. You’d be surprised how often the weakest link is the human factor.
Fewer permissions, fewer problems
We are developers, and we are human: we do stupid things, especially at the beginning of our career. Every year, I hear that sad story in which a rookie pushes commits that expose credentials in one of their public GitHub repositories.
Not surprising. If forks are enabled and you don’t handle rights and permissions properly, it will happen sooner or later.
An excellent practice is to give developers and coworkers only the privileges they need. I don’t know about you, but as a developer, I prefer not having access to things I don’t need. This way, I have one less (potential) problem 😘.
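The "rookie pushes credentials" story above is one that tooling can catch before the push happens. The script below is an added example, not code from the original post: a small secret scan over a git diff that can run as a pre-commit hook. The three rules, the `# allow-secret` opt-out marker and the sample diff are assumptions constructed for illustration (the AWS key id in the sample is the one AWS uses in its own documentation); a real deployment would use a maintained rule set.

```python
"""Secret scan for staged changes, usable as a git pre-commit hook.

Added example, not code from the original post. The rules below are a small
assumed starting set, and SAMPLE_DIFF is a constructed diff, not a real leak.
"""
import re
import subprocess
import sys

# Each rule: (name, compiled regex). Only *added* lines are examined, so a
# commit is judged on what it introduces, not on the whole file history.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # assignment of a quoted literal (6+ chars) to something named like a secret
    ("hardcoded-secret", re.compile(r"(?i)(?:password|passwd|secret|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

# Assumed inline opt-out for deliberately fake fixtures in tests.
ALLOW_MARKER = "# allow-secret"

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, new_line_number, rule_name) for every added line that matches a rule."""
    findings = []
    path = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith(("diff ", "index ", "--- ")):
            continue                      # per-file headers carry no content
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):     # git prefixes the new side with "b/"
                path = path[2:]
        elif raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)    # "+c,d" gives the first new-side line number
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            added = raw[1:]
            if ALLOW_MARKER not in added:
                for name, pattern in RULES:
                    if pattern.search(added):
                        findings.append((path, line_no, name))
            line_no += 1
        elif raw.startswith("-"):
            continue                      # removed line: has no new-side number
        elif not raw.startswith("\\"):    # context line ("\ No newline at end of file" is not)
            line_no += 1
    return findings


def staged_diff():
    """What a pre-commit hook should look at: the changes about to be committed."""
    result = subprocess.run(["git", "diff", "--cached"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample: a config edit that moves a password out of the environment
# and pastes the documentation-only AWS key id into the file.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-prod-2020"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
 TIMEOUT = 30
"""

if __name__ == "__main__":
    # "python scan.py --demo" scans the sample; without --demo it scans the staged diff.
    text = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for file_path, number, rule in hits:
        print(f"{file_path}:{number}: possible secret ({rule})")
    sys.exit(1 if hits else 0)
```

Wired in as `.git/hooks/pre-commit`, a non-zero exit blocks the commit, which is the point: the check runs on the developer's machine, before anything reaches a public repository or a fork. It does not replace the permission hygiene the section describes; a scanner only sees patterns it knows about.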
Use password managers and VPN
Never store passwords in your browsers. Instead, use a password manager. As a developer, you have access to confidential information, and these credentials might be critical for business. You have to protect access.
Using a password manager is more secure and faster, and you get extra cool features such as auto-filled passwords and password generators.
As a developer, you may work remotely, but not necessarily at home. You may push some code just before your flight, and sometimes you might have to use public networks. If your employer does not provide a VPN connection, they’re probably doing it wrong. Consider asking them; maybe they have not heard about it yet.
Don’t mess with your machine
It is your responsibility to protect your machine. Don’t install cracked software. Don’t do illegal stuff, including peer-to-peer downloads of games and movies. And, indeed, don’t watch porn.
Don’t do hacking-related stuff, or at least use another machine: buy a Raspberry Pi, it’s pretty cheap, and install Kali Linux or whatever dedicated operating system.
Unfortunately, the danger is sometimes less visible. Don’t install whatever fancy GitHub repository unless it comes from a trusted source. It’s not rare to get insecure Docker configurations, for example.
Besides, be careful with permissions when installing applications. Review your applications regularly.
Be careful with social networks
If I am a hacker and know you work as a developer for a company in my line of fire, it is easier for me (and probably more efficient) to hack you than the company.
If you tweet all day long, I can gather a lot of information about you and your habits with the Twitter API, and I can even become your “online friend.”
Knowing that you probably connect to a lot of things, including websites, applications, messengers, and internal networks, I can use your privileges to perform harmful actions.
Keep your tools up-to-date
You need to run the latest versions of all the software you use in your work: operating systems, applications, libraries, frameworks, etc.
It takes time, and it can be a massive pain because of incompatibilities, but it is necessary.
Security in code
Of course, you have to know about security flaws such as XSS, CSRF, SQL injection, insecure references, unvalidated inputs, etc. There are A LOT of free ebooks and fantastic resources for that.
However, learning those concepts takes effort. It gets worse when blog posts are not accurate enough or are misleading, which happens a lot with this topic. Everybody says, “make yourself aware of those vulnerabilities,” but it is not that easy.
You could read the entire web without understanding the key concepts. IMHO, the best pieces of advice I can give you are the following:
- use security guidelines in your team (I love todo lists <3)
- do code reviews
Automated tools are powerful, but they produce a lot of false positives. Nothing compares to experience and pair programming.
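To make two of the flaws named above concrete, here is an added example (not code from the original post) that puts a vulnerable function next to its fixed form for SQL injection and XSS, and adds an allow-list check for the “unvalidated inputs” case. The `users` table, the probe strings and the username rule are constructed for illustration; the fixes rely only on the standard library (`sqlite3` parameter binding and `html.escape`).

```python
"""Vulnerable function next to its fixed form for two flaws the post names:
SQL injection and XSS, plus an input allow-list for the "unvalidated inputs" case.

Added example, not code from the original post. The users table, the sample
inputs and the username rule are constructed for illustration.
"""
import html
import re
import sqlite3

# Assumed rule: usernames are short lowercase identifiers. Validate what you
# can at the edge, but never rely on validation alone for the two cases below.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(name):
    return USERNAME_RE.match(name) is not None


def make_db():
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """String formatting: the input is spliced into the SQL and can change its meaning."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the value travels separately and is only compared, never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflects the input into HTML unchanged, so markup in it is interpreted by the browser."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    """Escapes <, >, &, and quotes so the input is displayed as text."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # the textbook input: the quote closes the literal early
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("safe:      ", find_user_safe(db, probe))         # no user has that literal name
    print("valid?     ", is_valid_username(probe))          # rejected before any query runs
    marked = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(marked))                # markup reaches the browser as-is
    print(render_greeting_safe(marked))                      # markup shown as text
```

The design point worth taking into a code review checklist: the safe versions do not try to recognise bad input, they change how the input is handled (bound as a parameter, escaped at output), so they hold for inputs nobody anticipated. The allow-list is a useful extra layer at the edge, not a substitute.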
Wrap up
I hope these security thoughts are useful. Don’t trust user inputs, and don’t trust yourself, because you might be the breach.
Be humble. Even with these good practices, you might get hacked. It’s not bulletproof, nothing is, but it drastically reduces the risk.
I do my best to update all my content, but keep in mind that "Bad Security habits to lose" was published many months ago.