I’m new to the area of security. I’ve never really been taught the subject, but as I gain experience, I understand that this is something we have to keep in mind more and more, yet we don’t know exactly how to do it. I think a lot of developers are in this position.
After some research, I came up with some very basic guidelines on how I can code so that the subject of security is addressed in some way or another. I’d really like to know whether this way of doing things ensures some degree of quality, or if we need to change some of its aspects:
- We should be backed up by the most reliable Automated Code Review (SAST) tools like Sonar, Synopsys, etc. (open source libraries should be scanned).
- Our focus should be to keep the code fully tested
- Our code should be as simple and readable as we can make it.
- We should always use as many peer-reviewed and reliable libraries as we can, and not reinvent the wheel.
- We should always use the latest reliable frameworks for our needs.
- We should also follow the basic guidelines for security in our language.
The easiest way to follow these guidelines, from my point of view, is this: as I’m writing the simplest and cleanest code, it is then very easy to check what each function is doing and look in the guidelines at the sections related to the function’s tasks.
The manual security review should be done by security experts, because if it is implemented poorly by regular, non-expert devs, it can also do a lot of harm.
Do you think this way of doing things is OK? How do you tackle security in your code on a daily basis?