To any developer writing secure code should be natural to them, but in reality it isn’t. As developers security should start taking a bigger role in your design process. No matter how great a site is, without proper security protection, the site is useless. There are four simple rules you can follow to secure your site better, and are easy to make a habit when designing.
1. Use Built-in Functions
If the language you are using has a built in function, use it. Built-in functions have been tried and tested against security measures. If there are any security holes found in the functions they are updated on a routine basis. If you code a function yourself, it may have even more security holes which you don’t intend or see when coding. By using built-in functions, you also have the programming community itself who gives feedback to the language developers, so in theory you are multiplying your testing by using a built-in function.
2. Know Where Variables Are Coming From and Going To
Knowing where variables are coming from really helps with security. Data coming from a database should be handled completely different than something coming from a remote input, like a user. In the same mind set, knowing where your variables are going is just important. As with variable inputs, variable outputs are handled differently also. If you have a user input their name into a forum, when displaying that variable to the them is completely different then if you are doing a query to a database with the same variable.
3. Sanitize All Inputs
Web development today is completely different than it was in the 90’s. With the evolution of web 2.0, sites have became more interactive, and more interconnected. These aspect of web design allow us to do amazing things, such as using APIs, but at the same time that opens up a whole new world of security related bugs for a developer. In order to reduce these bugs, all input should be sanitized no matter what the source is. Even trusted sources may have issues, which can effect your site. Say if a site’s design requires interaction with another site’s RSS feed, the third-party’s RSS feed may have a character which compromises your site’s security.
4. Control The Codes Variables
Variables by nature can’t be completely controlled, but you can have aspects to control them. There are certain parts of variables we can check. If there is a form on your site that request the user to put in an email address, then check that the input meets certain requirements. In this case, we would want to make for sure that the user includes the at (@) sign, and at least on period after the at sign. If either of those requirements aren’t meet, then we want to direct the user to re-enter their email address.
As the web starts to evolve and the languages used to develop sites get more powerful, security will become a bigger concern. The tips above won’t make your site completely secure, but it is better than no security at all.