Secure Yourself for National Cyber Security Awareness Month
October is National Cyber Security Awareness Month. Check out this post to make sure you are practicing strong security habits.
October is all about highlighting the needs of security in the modern connected world. I've already read a lot of posts that cover the same ideas and advice. In this post, I'm going to attempt to highlight advice that isn't so obvious and that is, hopefully, more useful for developers.
Clearing the Elephants
OK, maybe I do need to quickly mention the obvious stuff — just to be sure. But, I'll merely scratch the surface. Things like:
- Keep your software up to date. Alternatively, if you want to be extra cautious, read release notes first and then update your software.
- Use a trusted VPN service when you use public Wi-Fi, or all the time — that's up to you.
- Regularly scan your machines for malware; macOS users are not exempt.
- Use a password manager, or if you have a magical brain and can remember them, use multiple secure passwords.
- Use two-factor authentication on at least your essential and most vulnerable services. Don't forget your developer-focused services such as cloud hosting.
- Back up your data regularly, to multiple places.
Doing all this already? Then, let's move on.
Lock Your Computer
I spend half the week in a coworking space, and I have lost count of the number of times I see people with covers over their cameras for privacy who nevertheless leave their computers unlocked, sometimes for hours. There is little point in protecting your privacy if you leave your computer open to anyone in the vicinity. Every operating system offers a way to lock the screen with a quick mouse or keyboard shortcut, and with fingerprint readers becoming standard in laptops, unlocking again is not a lengthy process either.
If you work for a company in an office, you probably have a security policy for locking screens and a minor penalty for not doing so. For example, one startup I used to work for allowed coworkers to post a David Hasselhoff emoji to Slack if someone left their computer unlocked. This practice builds good habits, including one I now find hard to stop: automatically locking my computer the second I walk away from my desk.
Secrets and Tokens
It's all too easy to let account information and access tokens leak onto the web via repositories or insecure file systems, potentially giving other parties undesired levels of access to your systems and data. There are now many tools that provide a better way to propagate such information through your application stack. With services such as GitHub now automatically scanning for potentially leaked secrets, there's little excuse anymore. Type "secrets management" into the search box above, and you'll find dozens of posts on DZone to get you started on any platform you use.
HTTPS and Encryption
Google is now downgrading listings of any site that doesn't use HTTPS, so it's almost obligatory for your web-facing services to run over HTTPS. Setting up an HTTPS connection is much easier than it used to be, but there are still many myths around the protocol — read this great post to dispel a few. Finally, don't forget about any sensitive data that may be flying back and forth between other services behind public-facing services. That communication should also be over encrypted channels.
Don't Create the Weakest Link
I used to spend a lot of my time implementing and customizing content management systems, and in the heady days of the mid-2000s, WordPress was known for its vulnerability issues. Maybe they still exist; it's been a while, but often the vulnerability wasn't WordPress itself but the components around it. If you have the most up-to-date versions of WordPress and PHP but use cheap, shared hosting with weak passwords or an overly accessible file system, then your efforts are likely wasted.
Similarly, a large proportion of hacks happen via social engineering and exploiting people, not technology. This subject is broad, but in summary, if something seems too good to be true, or even slightly suspicious, take care.
It's easy for nefarious individuals to exploit a tiny gap in your security armor and gain access to more than you realize, so always review your setup and actively look for those small, overlooked gaps before someone else does.
Want to Learn More?
DZone has a healthy security channel where you can find a variety of posts on the topic of security. Here are some that I recommend: