
How Devs Can Improve Security (Part 3)


Additional suggestions include authorization, access, and understanding users' needs.


To understand the current and future state of the cybersecurity landscape, we spoke to and received written responses from 50 security professionals. We asked them, "What suggestions do you have for developers to improve the security of their applications and data?"

In part one, we learned that secure development practices, audits/scans/tests, and education/best practices were the top three things developers could do to improve security. In part two, our respondents suggested using the right tools, using REST APIs, partnering with security, and following proper governance. Here are all the other suggestions:

Other

  • Ensure only authorized users have access to your sensitive applications and data by requiring users to use a second factor of authentication. If your product can’t support this, partner with a solution that can seamlessly add this requirement without requiring any changes. Such solutions are becoming available now and can help ensure the proper use of your sensitive applications and data.
  • Security automation is the key to the future of DevOps and can accelerate security within the Agile process.
  • With the understanding that security is essential for application trust and adoption, manufacturers are faced with a choice: attempt to harden security in-house, device by device, for the entire lifecycle of every product, or offload the bulk of security onto the network that transmits data to and from their devices. We believe it is advantageous to shift as much of the security burden onto the network as possible. Doing so will decrease time to market for new devices and apps, increase user adoption, and lower the ongoing risk of securing 50 billion new devices that will be connected to the Internet. App developers, IoT manufacturers, and new products can choose to reinvent the wheel, or they can leverage a secure, global data stream network and take advantage of the massive economies that scaling such a service can offer.
  • Code quality is important. Running tools is essential to having good code. However, that alone is not enough. Developers need to think like an adversary. Understand what the application is going to do and think about how an adversary may use it. Don’t have default passwords. Think about how components in your environment connect with another component in another environment. Keep it as simple as possible. Fix vulnerabilities and understand open source and dependencies. Think about the bigger picture.
  • App development, particularly in the area of security, needs to be built with better UIs that have layers of abstraction and turn really complex security features and requirements into something that’s easier to interact with and understand. The best applications will be those that find the right way to engage with users and provide the right layer of abstraction to simplify complexity. Think about and understand the markets you are serving. Enterprise solutions don’t translate to a site-by-site solution. When you try to squeeze down an enterprise solution into a small market, it gets expensive. You need different solutions based on the needs and nuances of the industry.
  • Just as you take the point of view of the user into account when designing data flows, interfaces, and architecture, so you should with security. Ask yourself, “If I were the user, what security would I want at this point? What about this point? And what about this point?” You can go further and survey the pulse of the general public, as well as targeted customers/prospects. What sort of security experience do they wish to have? These are the kinds of questions that are just as vital as the workload itself.
  • Develop applications and operate with a model that assumes that your environments aren’t secure. Use short-lived secrets, encrypt data in flight and at rest, and control who has access to which infrastructure, systems of record, etc.

This is the third of three articles which share what IT professionals thought developers could be doing to improve the security of their code and applications. Be sure to take a look at Part 1 and Part 2 for more suggestions.

Here’s who shared their insights:

