InfoSec from the eyes of an SDE

Image Credits: https://portswigger.net/burp/application-security-testing
1. Always validate any data entering or leaving a module. From data exposure to code injection, most attacks listed in the OWASP Top Ten can be mitigated with proper validation mechanisms.
2. Be conscious of where your code will actually run. Critical data (such as keys and credentials) should NEVER be brought to the client's device.
3. Ensure that authentication and authorization are enforced between every layer. The latter is often overlooked when dealing with heterogeneous systems.
4. Log important transactions. Preferably, integrate your logging with a SIEM/SOAR platform.
5. Beware of secret sprawl. It's best to centralize and regulate your key/secret management. A big NO to hardcoding keys in random parts of your code, even if you think they never leave your server.
6. Be cautious about any third-party libraries and integrations your product requires. Supply chain attacks are increasingly concerning. Remember, Open Source ≠ Secure.
7. While it might not be apparent, code quality does play a role in an app's security. Automated scanners & linters can help you keep a check on context-specific best practices.
8. Plan for network/infrastructure security. Set up firewalls and IPS solutions to secure your network services. While a software engineer might not be expected to configure them, ensure that these aspects are taken care of.
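As an added example (not code from the original post), here is how points 1, 4 and 5 look in practice in Python: a validation function at a module boundary that accepts only an allowlisted shape, a secret loaded from the environment instead of being hardcoded, and a structured audit event that records the outcome without copying the rejected payload into the log. The request fields, the `HYPOTHETICAL_API_KEY` variable name and the sample payloads are constructed assumptions.

```python
import json
import logging
import os
import re
from dataclasses import dataclass

# Constructed example: the request shape and the rules below are assumptions,
# not taken from any particular application.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
ALLOWED_ROLES = frozenset({"viewer", "editor"})          # allowlist, never a denylist
EXPECTED_FIELDS = frozenset({"username", "role", "display_name"})
CONTROL_CHARS = {"\r", "\n", "\x00"}                     # would otherwise enable log injection


class ValidationError(ValueError):
    """Raised when untrusted input fails validation at the module boundary."""


@dataclass(frozen=True)
class CreateUserRequest:
    """Typed, already-validated input that the service layer may trust."""
    username: str
    role: str
    display_name: str


def parse_create_user(raw: object) -> CreateUserRequest:
    """Point 1: validate a decoded JSON body before it crosses into business logic.

    Rejects non-objects, unknown or missing fields, wrong types, out-of-range
    lengths, values outside the allowlist and embedded control characters.
    """
    if not isinstance(raw, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(raw) - EXPECTED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(map(str, unexpected))}")
    missing = EXPECTED_FIELDS - set(raw)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")

    username = raw["username"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 characters from [A-Za-z0-9_.-]")

    role = raw["role"]
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValidationError("role not permitted")

    display_name = raw["display_name"]
    if (not isinstance(display_name, str)
            or not 1 <= len(display_name) <= 64
            or any(ch in CONTROL_CHARS for ch in display_name)):
        raise ValidationError("display_name must be 1-64 characters without control characters")

    return CreateUserRequest(username=username, role=role, display_name=display_name)


def load_secret(env_var: str = "HYPOTHETICAL_API_KEY", env=None) -> str:
    """Point 5: read the key from the environment (populated by the deployment
    platform or a secret manager) instead of hardcoding it; fail closed if absent."""
    value = (os.environ if env is None else env).get(env_var)
    if not value:
        raise RuntimeError(f"secret {env_var} is not configured")
    return value


def audit_event(action: str, outcome: str, actor: str, reason: str = "") -> dict:
    """Point 4: a structured record suitable for shipping to a SIEM. It names the
    action and result but deliberately carries no raw payload and no secret."""
    return {"action": action, "outcome": outcome, "actor": actor, "reason": reason}


def handle_create_user(raw: object, actor: str) -> dict:
    """Boundary handler: validate, then emit one JSON audit line either way.
    json.dumps escapes any newline that slipped into the reason string."""
    log = logging.getLogger("audit")
    try:
        req = parse_create_user(raw)
    except ValidationError as exc:
        event = audit_event("create_user", "rejected", actor, str(exc))
        log.warning(json.dumps(event))
        return event
    event = audit_event("create_user", "accepted", actor, f"username={req.username}")
    log.info(json.dumps(event))
    return event


if __name__ == "__main__":
    # Constructed sample payloads: one well-formed, one smuggling an extra field.
    handle_create_user({"username": "alice", "role": "viewer", "display_name": "Alice"}, "svc-web")
    handle_create_user({"username": "alice", "role": "viewer", "display_name": "A", "is_admin": True}, "svc-web")
```

The rejection reason is the only attacker-influenced text that reaches the log, and it is emitted inside a JSON string so line breaks cannot forge a second log record; the raw body itself is never logged.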


An inquisitive Software Engineer & Cybersecurity Enthusiast

Akash Ravi