Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

What every developer should do before they start writing code

I talk a lot about finding and fixing vulnerabilities on my blog. But what can you do to prevent vulnerabilities way before they happen? Today, let’s talk about the first step you can take towards a more secure application.

A lot of times we think of fixing vulnerabilities as this sort of whack-a-mole operation, where if we find vulnerability, or if someone reports a vulnerability, we’ll fix it.

But a lot of vulnerabilities can actually be systematically prevented by designing and planning your application in a secure way.

The first step in securing an application is therefore identifying the different requirements of your application and make sure that you plan for these features in a secure way. Let’s say that you are building a messaging app, what are your application requirements?

This is a messaging app, so you’ll probably need a way to:

  • let users submit private messages,
  • store and transport these messages,
  • authenticate users and store users’ personal information, like email addresses and friends lists,
  • and determine which users are able to access which messages.

Understanding what you need to build your application will inform you what data you are protecting and what kind of security considerations you’ll have while you are writing code.

For instance, in this case, you need to pick a secure way to authenticate users. Are you going to use a simple email and password setup? Are you going to use OAuth? And are you going to implement MFA for extra security? What would be the safest way to implement authentication in your context?

You might also need to store user passwords, and that means selecting a secure hashing algorithm so that you don’t store the passwords in plain text, and deciding on a secure location to store this data. Are you going to implement that yourself? Or outsource it to products that specialize in data storage? What are the pros and cons of these options? What is the safest way to store passwords based on your needs?

The cost of fixing vulnerabilities is way lower if you do it early, because if you can choose the right implementation and dependencies to use at this point, you can prevent a lot of vulnerabilities naturally. Deep rooted security flaws like insecure data storage or bad authentication are very hard to fix once you start developing the application, because if you want to change a highly integrated component, you might need to change a lot of other parts of your code too. So, it’s easier to get security right with planning before you start coding.

Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share