5 Ways Your Design Choices Could Be Sacrificing Software Security
When designing software, whether it's for the web or any of the popular desktop or mobile platforms, many developers fail to consider how their design choices can affect the security of their application.
Some bad design choices are made because of deadlines, or the need to make an app "user-friendly." Others come about because the developers simply don't understand the app's security requirements, or because they're relying on third-party partners for some of their app's features and inherit whatever weaknesses those partners have.
In this article, I'll share five ways that many developers' design choices sacrifice software security. I'll explain how each choice creates security issues, and I'll also explain the ways a software architect can avoid these security pitfalls.
1. You're failing to think like a bad guy
Always keep in mind that no matter what type of app you're creating, someone out there will likely try to hack your code. Whether it's just for fun or for profit, somebody is out to get you. Put yourself in their shoes. It's also important to stay away from the mindset of "This app is secure, because I built it, and I can't hack it!" The fact that you can't break your own code says more about your point of view than about the code: you know how it is supposed to be used, and an attacker doesn't care.
In the world of global computing, software security is something to be paranoid about. Software security would be stronger if every designer, developer, and manager were more paranoid about somebody being "out to get them."
Try to approach software security with the same mindset that a black hat hacker would. Look at the code you're developing with an eye towards ways the design would create insecurities in your code. That feature you just added to improve the user experience might also enhance the hacker experience.
Secure software design is all about protecting against attacks, exploits, and threats. I'll admit, it's tough for most developers to force themselves to think like a bad guy. If at all possible, it's an excellent idea to hire a penetration tester to check your app for holes. Ask them to really pound your code looking for security holes, and then to share how they exploited them. Next, plug the hole and let the tester take another crack at it, because a fix that only blocks the one path they showed you is rarely a complete fix.
2. You're not using a secure design checklist
When many developers are designing and developing an app, they are working toward creating an app to perform the task at hand. They usually are working against a deadline, and as the project moves forward, security can sometimes become an afterthought, something to address once the app properly performs its designated task.
Never approach software design with security as a secondary requirement; always design the app with security as a primary requirement from the first day. Security is about understanding which problems you can do something about, and understanding the issues you can't do anything about. A secure design checklist helps you make that distinction deliberately instead of discovering it in production.
Microsoft's Patterns and Practices site offers an excellent example of what a secure design checklist should include. While the Redmond firm has "retired" this list, it still makes for an excellent framework for creating your personal design checklist.
3. You're forgetting that small vulnerabilities add up to one big vulnerability
You've likely heard the proverb about "the straw that broke the camel's back," which describes the cumulative effect of seemingly minor actions that eventually add up to a major problem. By paying attention to the small security holes in your app, you prevent them from combining to create a hole big enough for a bad guy to drive a truck through.
Small vulnerabilities may not seem important in the big scheme of things, but each insecure "straw" adds weight to your security camel's back. Attackers can get a lot of mileage out of any security vulnerability, and many have a real talent for chaining enough small vulnerabilities together that they are able to create an impressive amount of trouble.
Tend to the small security issues as you design and develop your app, and you'll find that you'll be facing far fewer security-related issues down the line.
4. You're not considering an app's attack surface
Feature creep can be one of the most significant contributors to the insecurity of any app. While it would be great to include every feature you or your customer can think of, evaluate every proposed feature from a security viewpoint before implementing it: each one is more code an attacker can reach.
For example, while a search feature or a help feature is always recommended for any app, especially web apps, consider requiring a user to be logged in before enabling those features. By limiting a help or search function to authenticated users only, you take those code paths off the anonymous attack surface, so an attacker first needs a valid account before they can probe them at all.
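The gating described above, as an added example that is not from the original article: a framework-free dispatcher that is authenticated by default, so search and help are reachable only with a valid session, together with a helper that lists the routes an anonymous attacker can still exercise. The route names, the Request type and the in-memory session store are illustrative assumptions.

```python
"""Added example (not from the original article): a minimal dispatcher where
routes are private unless explicitly marked public, plus a helper that
enumerates the unauthenticated attack surface.  Route paths, the Request type
and the session store below are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None  # constructed sample input
    query: str = ""


# Constructed in-memory session store: token -> username.
SESSIONS: Dict[str, str] = {"tok-alice-123": "alice"}


@dataclass
class Route:
    handler: Callable[[Request, Optional[str]], str]
    public: bool = False  # deny by default: a route is private unless marked


ROUTES: Dict[str, Route] = {}


def route(path: str, public: bool = False):
    """Register a handler. Only routes explicitly marked public=True are
    reachable without a session; everything else requires authentication."""
    def decorator(fn):
        ROUTES[path] = Route(handler=fn, public=public)
        return fn
    return decorator


@route("/login", public=True)
def login(req: Request, user: Optional[str]) -> str:
    return "login page"


@route("/search")
def search(req: Request, user: Optional[str]) -> str:
    # Only reached for authenticated users; user is the resolved username.
    return f"results for {user!r}: {req.query!r}"


@route("/help")
def help_page(req: Request, user: Optional[str]) -> str:
    return f"help for {user!r}"


def dispatch(req: Request) -> Tuple[int, str]:
    """Return (status, body): 404 for unknown paths, 401 when the route is
    private and the session is missing or invalid, 200 otherwise."""
    r = ROUTES.get(req.path)
    if r is None:
        return 404, "not found"
    user = SESSIONS.get(req.session_token) if req.session_token else None
    if not r.public and user is None:
        return 401, "authentication required"
    return 200, r.handler(req, user)


def unauthenticated_surface() -> Set[str]:
    """Paths an anonymous attacker can exercise. Review this set whenever a
    feature is added; it should only grow on purpose."""
    return {path for path, r in ROUTES.items() if r.public}


if __name__ == "__main__":
    print(dispatch(Request("/search", query="admin")))
    print(dispatch(Request("/search", session_token="tok-alice-123", query="admin")))
    print(sorted(unauthenticated_surface()))
```

The point of `unauthenticated_surface()` is that the anonymous attack surface becomes a value you can print in a test or a CI check, so a developer who flips a route to `public=True` for convenience has to do it knowingly.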
An application's attack surface can also be increased by using third-party APIs or services. An app is only as secure as its weakest partner: if a partner's cloud storage or login handling has security holes, your app has security holes, and your users will hold you responsible for them. An excellent example of this is the recent security lapse discovered on a Voxox server that put a massive amount of user information at risk.
5. You're failing to consider future code exploits
Building security into your software from the beginning is the best way to guard against possible exploits the industry isn't currently aware of. The bad guys could even take two features that on their own don't provide a foothold and combine them to open a hole.
No application is ever truly "finished." I have yet to develop or maintain any software that hasn't required an update, whether it's to fix bugs, to provide features, or to fix the camel's back. Always build security into every stage of your development, whether it's during initial development, or while performing bug fixes down the line.
Regardless of what type of software you're designing, or which platform you're developing an app for, security should always be a primary consideration. By always considering security issues as you design and create your software, you'll stay one step ahead of the bad guys in the cat-and-mouse game called software security.
This is a guest post by Bill from Pixel Privacy. Whether it be one of our in-depth guides or our expertly crafted "how-to" articles, we're here to show you how to stay safe online. We believe everyone has the power to keep their data secure, no matter what your level of tech expertise is and our site will show you how!