DevSec Reminders

Make it hard to fuck up

“Constructs in programming languages that are difficult to use properly can manifest large numbers of vulnerabilities”
    - Wikipedia


Best Practice
Make it hard to write insecure code. 
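One way to put this practice into code is to make the insecure path a type error rather than a code-review finding. The following Python example is added here to illustrate the idea and is not code from the original page: output is only accepted as a `SafeHtml` value, which can be obtained from untrusted text solely through `escape()`, while the one escape hatch (`trusted_markup()`) is a distinct, greppable name that reviewers can audit. All names (`SafeHtml`, `escape`, `trusted_markup`, `render`) are hypothetical.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeHtml:
    """Markup that is safe to emit. Only constructed by the two functions below."""
    _markup: str

    def __str__(self) -> str:
        return self._markup


def escape(untrusted: str) -> SafeHtml:
    """The normal path: every string from outside is escaped on the way in."""
    return SafeHtml(html.escape(untrusted, quote=True))


def trusted_markup(markup: str) -> SafeHtml:
    """The only way to emit raw markup. Deliberately named so it stands out in
    code review and is easy to search for; callers must justify each use."""
    return SafeHtml(markup)


def render(template: str, **values: SafeHtml) -> str:
    """Fill `{name}` placeholders, refusing anything that is not SafeHtml.

    A plain str here is almost always a bug (unescaped user input), so it is
    rejected rather than silently interpolated.
    """
    for name, value in values.items():
        if not isinstance(value, SafeHtml):
            raise TypeError(
                f"placeholder {name!r} got {type(value).__name__}; "
                "pass escape(...) or trusted_markup(...)"
            )
    return template.format(**{k: str(v) for k, v in values.items()})


def greeting_page(display_name: str) -> str:
    """Typical caller: untrusted input goes through escape(), nothing else."""
    return render("<h1>Hello, {who}</h1>", who=escape(display_name))


if __name__ == "__main__":
    # Constructed sample input containing markup characters.
    print(greeting_page('<img src=x onerror="alert(1)">'))
```

Because `render()` will not accept a bare string, a developer who forgets to escape gets an exception the first time the code runs rather than a stored XSS that surfaces in production.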


Just fix it

It’s almost never worth debating how hard it might be to exploit a known weakness. 


Best Practice
Just fix it and make it hard to write insecure code again. 


Attackers know something you don’t

When someone finds an exploit, vulnerability, or risk, believe them. 


Best Practice
Engage in a discussion to learn, then just fix it, and make it hard to write insecure code again. 


Design vulnerabilities are vulnerabilities, too

“Part of the design” means it’s harder to fix, not that it shouldn’t be fixed. 


Best Practice
If it can’t be fixed right away, inform users so they can take appropriate measures, regardless of whether or not you have solutions. Include prominent warnings where new users will see them. 

Security is done in layers like an onion. 


“Could be secured” is insecure

Insecure-by-default is always inferior to secure-by-default. 


Best Practice
Build secure-by-default systems, and offer the ability to opt out only under very narrow conditions.
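As an added illustration (not code from the original page), the Python below shows what a secure-by-default setting with a narrow opt-out looks like in practice. The default policy verifies TLS for every host; the only way to relax it is a separate function that requires named hosts and a written reason, refuses wildcards, and logs the exception so it is visible later. The policy type and function names (`TlsPolicy`, `default_policy`, `allow_unverified_for`, `verification_required`) are hypothetical.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("tls-policy")


@dataclass(frozen=True)
class TlsPolicy:
    """Secure defaults: verification on, and no hosts exempted."""
    verify: bool = True
    min_version: str = "TLSv1.2"
    exempt_hosts: frozenset = field(default_factory=frozenset)


def default_policy() -> TlsPolicy:
    """What every caller gets unless they deliberately ask for less."""
    return TlsPolicy()


def allow_unverified_for(policy: TlsPolicy, *, hosts: list, reason: str) -> TlsPolicy:
    """The narrow opt-out.

    Instead of a global `verify=False`, the caller must list specific hosts
    and state why. Wildcards and empty reasons are rejected, and the decision
    is logged so it can be found in review and in production logs.
    """
    if not hosts:
        raise ValueError("opt-out must name at least one specific host")
    if not reason.strip():
        raise ValueError("opt-out must state a reason")
    for host in hosts:
        if host == "*" or host.startswith("*.") or not host.strip():
            raise ValueError(f"wildcard or empty host not allowed: {host!r}")
    log.warning("TLS verification disabled for %s: %s", sorted(hosts), reason)
    return TlsPolicy(
        verify=policy.verify,
        min_version=policy.min_version,
        exempt_hosts=policy.exempt_hosts | frozenset(hosts),
    )


def verification_required(policy: TlsPolicy, host: str) -> bool:
    """Per-connection check: only the explicitly exempted hosts are unverified."""
    return host not in policy.exempt_hosts


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed example: one legacy appliance with a self-signed cert.
    policy = allow_unverified_for(
        default_policy(),
        hosts=["legacy-appliance.internal.example"],
        reason="self-signed cert, ticket OPS-PLACEHOLDER, remove after replacement",
    )
    for host in ("api.example", "legacy-appliance.internal.example"):
        print(host, "verify" if verification_required(policy, host) else "UNVERIFIED")
```

The shape matters more than the TLS specifics: the default object is secure with no arguments, and the opt-out is a separately named, argument-heavy call that is easy to grep for and hard to apply broadly by accident.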