InfoSec from the eyes of an SDE

Ever since I was formally introduced to Computer Science as a college major, I always felt an inclination towards Cyber Security and Software Engineering. Since I believe that being a jack of all trades can be more advantageous than being specialized in one narrow domain, I’ve been making an effort to explore as much as I can, at least within the realm of Computer Science. Nevertheless, these two have continued to remain on my resume as my areas of interest. Before we move any further, I would like to confess that I’m neither a Cyber Security professional, nor an experienced Software Engineer. I’m just a budding engineer with some first-hand experience in both of these domains.

Image Credits: https://portswigger.net/burp/application-security-testing

While my current role involves developing enterprise applications, I have been fortunate to interact with folks working on various aspects of Information Security (Pen-Testing, SOC, IT Architecture, and Auditing). The wide range of perspectives they share has profoundly shaped my view on this domain. Most practices and approaches can be distinguished as offensive or defensive. However, the more we look at the risks that an organization would have to deal with, the scope of cybersecurity can extend beyond technology and processes.

In an interview that I had attended a while ago, I was asked a really generic question on how I would protect a digital asset. I wasn’t given any detail on the type of asset, the context, or the requirement. Within a few seconds, my mind was filled with InfoSec Jargons — CIA, IAM, VAPT, SOC, WAF, and so on. Eventually, I managed to narrow down the question to securing an N-tier application. I explained a few practices used to secure data in various layers of the stack along with some examples. Anyhow, this question got me thinking about the various ways in which such a question could be answered. There is really no complete all-inclusive solution to protect a digital ‘asset’.

With that disclaimer out of the way, these are some guidelines I keep in mind while developing a software product:

1. Always validate any data entering or leaving a module. From data exposure to code injection, most attacks listed on OWASP Top Ten can be mitigated with proper validation mechanisms.
2. Be conscious about where your code would actually run. Critical data (such as keys and credentials) should NEVER be brought to the client’s device.
3. Ensure that authentication and authorization are enforced between every layer. The latter is often overlooked when dealing with heterogeneous systems.
4. Log important transactions. Preferably, integrate it with a SIEM/SOAR platform.
5. Beware of a secret sprawl. It’s best to centralize and regulate your key/secret management. A big NO to hardcoding keys in random parts of your code, even if you think they never leave your server.
6. Be cautious about any 3rd party libraries and integrations your product requires. Supply chain attacks are increasingly concerning. Remember, Open Source ≠ Secure.
7. While it might not be apparent, code quality does play a role in an app’s security. Automated scanners & linters can help you keep a check on context-specific best practices.
8. Plan for network/infrastructure security. Set up firewalls and IPS solutions to secure your network services. While a software engineer might not be expected to configure them, ensure that these aspects are taken care of.

As a DevSecOps practitioner, I reckon that cybersecurity shouldn’t be an afterthought. It needs to be integrated with your development life-cycle. Stakeholders need to be aware of basic principles and ensure that information security is an ‘enabler’ rather than a hindrance. I’m sure that most developers had cursed the default CORS settings on their microservice framework which prevented them from making AJAX calls. While these practices might seem to require unproductive effort, they do contribute to the overall security posture. It might be tempting to ignore certain fringe attack vectors. However, systems should be secure by design, not by assumptions. Adversarial thinking can help you realign defenses.

Regardless of the industry we operate in, it might be a good idea to introspect your org’s risk management strategies and understand your role in the framework. Emerging technologies continue to change the way we operate and interact with customers. Cybersecurity needs to keep pace and it starts with YOU.