Checking Your Security Isn’t a Once-In-A-While Thing
You have certain obligations when it comes to security; even if you don’t collect giant piles of information about your users, most of the people who use anything you build will assume that their information is private. A security breach, even a minor one, can damage the trust your users have in you and make it harder for your business to grow in the long run. The only way you can prevent that is to take your security seriously, and to keep taking it seriously after launch.
Think ‘Security Driven Development’
While security-driven development isn’t actually a thing, thinking about security’s place in your development process much the way you think about testing is useful. You want to be checking for security issues throughout the development process, not just when something goes wrong.
Depending on which languages you’re using, there are static analysis tools that check your code for bugs that lead to common security issues, like FindBugs for Java (its successor today is SpotBugs). Such tools won’t catch everything, and they will produce some false positives, but they’ll catch whole classes of mistakes cheaply and early. Find the right tools for your stack and make them a standard part of your workflow, for example as a pre-commit hook or a build step that fails on new findings.
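To make concrete what such a tool does, here is a small added example (not code from the original article) of the kind of check FindBugs performs for Java, written for Python source instead: it walks the abstract syntax tree and flags a handful of constructs that routinely lead to code execution, command injection, unsafe deserialization, or leaked credentials. The rules, the messages and the sample module it scans are all constructed for illustration; a real tool has hundreds of rules and understands data flow, which this does not.

```python
"""Toy static check in the spirit of the advice above: flag a few
constructs that commonly lead to security bugs in Python source.
Added example, not code from the original article; the rules and
the sample input are constructed for illustration."""
import ast
from typing import List, Tuple

Finding = Tuple[int, str]  # (line number, message)

# Call sites that frequently turn into injection or code-execution bugs.
DANGEROUS_CALLS = {
    "eval": "eval() on untrusted input executes arbitrary code",
    "exec": "exec() on untrusted input executes arbitrary code",
    "pickle.loads": "pickle.loads() on untrusted data executes arbitrary code",
    "os.system": "os.system() builds a shell command string; prefer subprocess with an argument list",
}

# Variable names that suggest a credential is being bound to a literal.
CREDENTIAL_WORDS = ("password", "secret", "api_key")


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _has_shell_true(call: ast.Call) -> bool:
    """True if the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def check_source(source: str) -> List[Finding]:
    """Parse `source` and return (line, message) for each flagged construct, sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, DANGEROUS_CALLS[name]))
            elif name.startswith("subprocess.") and _has_shell_true(node):
                findings.append((node.lineno, "subprocess call with shell=True enables command injection"))
            elif name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
                findings.append((node.lineno, "yaml.load() without an explicit Loader can instantiate arbitrary objects"))
        elif isinstance(node, ast.Assign):
            # Hard-coded credential: a credential-looking name bound to a non-empty string literal.
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(w in target.id.lower() for w in CREDENTIAL_WORDS)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append((node.lineno, f"hard-coded credential in '{target.id}'"))
    return sorted(findings)


# Constructed sample module, written to trip each rule once; line 8 is the safe form of line 7.
SAMPLE_SOURCE = '''import os, subprocess, pickle, yaml
DB_PASSWORD = "hunter2"
def run(cmd, blob, doc, expr):
    os.system("ls " + cmd)
    subprocess.run("grep " + cmd, shell=True)
    obj = pickle.loads(blob)
    cfg = yaml.load(doc)
    safe = yaml.load(doc, Loader=yaml.SafeLoader)
    return eval(expr)
'''

if __name__ == "__main__":
    for lineno, msg in check_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {msg}")
```

Run against the constructed sample it reports six findings (lines 2, 4, 5, 6, 7 and 9) and stays silent on the `yaml.load` call that names a `Loader`, which is the behaviour you want from a check wired into a commit hook: noisy on the real mistakes, quiet on the corrected form.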
If you’re working with a partner, code reviews can help find security issues during the development process. If you work alone, you need to find a way to replicate that sort of review. It can be expensive, but on top of internal review, arranging for regular security audits from an outside firm helps keep your systems secure. Just how often depends on what you’re working on: a financial application needs security audits far more regularly than a social networking application.
Knowing Your Tools
Commonly used tools are an easy avenue of attack, because there’s more reason for someone to focus on finding a vulnerability in them — after all, a security vulnerability in Apache exposes far more systems than a vulnerability in some custom app someone wrote on their own, so attackers invest accordingly.
At a bare minimum, you need to make sure that you hear about any security flaws that are announced in the software you depend on, even if you’re working on a platform that usually notifies you of such issues. Keep an inventory of what you run, subscribe to each project’s security announcement list, and consider setting up some alerts on Google or elsewhere to email you when keywords related to security flaws in those tools are mentioned.
Online Security isn’t Your Only Worry
Not all security breaches are an issue of someone finding a vulnerability that they can access online. Think about how many news reports on major security breaches refer to someone leaving their laptop somewhere they shouldn’t have. Physical access to your systems can also be a problem. Depending on what you print out, you may need to consider how to safeguard your hard copy as well.
You don’t have to go overboard with paranoia. But it is important to take the situation seriously. Buy a shredder. Put your backups in a secure location, not in a buddy’s house in another state, and encrypt them so that a lost or stolen drive is an inconvenience rather than a breach. Take the steps you need to be sure that your company’s data is safe.
Image by Flickr user m thierry
Posted: February 20, 2013, 5:30 AM