20th April - Security
Lately, I have been reading about securing a web application. I started by getting familiar with PII (personally identifiable information) and the implications if this data is exposed to the public. The biggest concern we developers and companies have is how to protect the client's data. Off the top of my head, I remember a few answers, for example:
1- Encrypt the data
2- Minimize its use
3- Restrict its use to specific users
4- Evaluate the reasons for its use
There are other ways we can protect our client’s data.
Security by obscurity vs security by design
Security by obscurity relies on keeping the internal implementation a secret. In other words, our application is secure only as long as the developers and other stakeholders working on the project keep the security mechanism a secret, for example, clicking on certain interface elements several times to log in as admin. However much this concept is used, it is risky and it is advised against.
Security by design
This concerns adopting proven security standards in the application from the start.
Data Security
Data is always in one of three states: at rest, in transit, or in use.
Data at rest refers to stored data. Data can be stored on the network, on devices, and in databases. This data can be secured in many ways, for example encryption, full-disk encryption, not storing it on the network at all if it is sensitive, and network controls (use of firewalls).
Data in transit refers to moving data. This data is highly vulnerable. A few ways of securing it include using HTTPS, encryption, and not transferring it over the network at all.
Data in use: limit the duration of exposure, and use security-focused libraries or functions.
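The following is an added example (not code from the original post) that ties the PII measures listed at the top of the post to the three data states: the field is stored only as AES-256-GCM ciphertext (at rest), it is decrypted only for roles that are allowed to read it (restrict use to specific users), only a masked form is handed back (minimize its use), and the plaintext buffer is zeroed as soon as it has been used (limit the duration of exposure while in use). The record layout, the role names and the sample value are all constructed for illustration, and the key is generated in memory here purely for the demo; in a real deployment it would come from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is a constructed example of a stored customer row: the PII field
// exists on disk only as ciphertext (data at rest).
type Record struct {
	ID         string
	CipherText []byte // nonce || AES-GCM ciphertext of the national ID number
}

// Encrypt seals a PII value with AES-256-GCM under a 32-byte key. The random
// nonce is prefixed to the ciphertext so Decrypt can recover it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; GCM authenticates, so any tampering is rejected.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Mask returns a display form that reveals only the last four characters, so
// screens and logs that do not need the full value never receive it.
// It works on the byte slice directly to avoid making a string copy of the
// whole plaintext that could not be wiped.
func Mask(b []byte) string {
	n := len(b)
	if n <= 4 {
		return strings.Repeat("*", n)
	}
	return strings.Repeat("*", n-4) + string(b[n-4:])
}

// Wipe overwrites a plaintext buffer once it is no longer needed, shortening
// the window in which the value exists in memory (data in use).
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// LastFour decrypts a record only for roles permitted to read the field,
// returns the masked form, and wipes the plaintext before returning.
// The role names are assumptions for the example.
func LastFour(key []byte, r Record, role string) (string, error) {
	if role != "support" && role != "compliance" {
		return "", errors.New("role not permitted to read this field")
	}
	pt, err := Decrypt(key, r.CipherText)
	if err != nil {
		return "", err
	}
	defer Wipe(pt)
	return Mask(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a KMS, not the code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, []byte("AB123456C")) // constructed sample value
	if err != nil {
		panic(err)
	}
	rec := Record{ID: "cust-1", CipherText: ct}
	fmt.Println(LastFour(key, rec, "support"))   // *****456C <nil>
	fmt.Println(LastFour(key, rec, "marketing")) // role not permitted to read this field
}
```

Two design points worth noting: the nonce is stored alongside the ciphertext because AES-GCM needs a fresh nonce per encryption and the reader must be able to recover it, and the role check happens before decryption so that an unauthorised caller never causes the plaintext to exist in memory at all.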
Shifting left
This, in simple terms, refers to introducing security in the initial stages of the project to prevent defects. This also introduces TDD and BDD.
Security is a crucial part of development. We can rely on the tools out there to help enforce it, but we also have to be vigilant in code review sessions, monitor and update the packages being used, and ensure TDD.