|
I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks. The best way to combat risks in software is to educate developers.
|
|
|
|
|
Terrence Dorsey wrote: The best way to combat risks in software is to educate developers.
Judging by recent security problems in the world I think the best course of actions are these:
1. Do not connect factories and nuclear power plants to the internet.
2. Do not store user passwords in plain text (Looking at you Sony)
=====
\ | /
\|/
|
|-----|
| |
|_ |
_) | /
_) __/_
_) ____
| /|
| / |
| |
|-----|
|
=====
===
=
|
|
|
|
|
3. Never link sensitive information to URL's with unrestricted access.
The equivalent of hiding your key under the doormat.
.
|
|
|
|
|
Terrence Dorsey wrote: The best way to combat risks in software is to educate developers management.
Takes time, costs money, and a dev is not a security-expert. Given time and money, quality is a given.
I've never met a project where security was ignored simply because the devs lacked understanding. Heard quite some people say "I'm not sure if this is safe", with the predictable answer that it's safe enough.
until the universe proves otherwise.
|
|
|
|