Security is a crucial part of building applications, and this month's Dev Breakfast is focused on security-related topics. This month's newsletter is built by Niko, whom you might already have seen on our blog or during his takeover of our Instagram account a few weeks ago.
Niko is a software developer at Futurice working on the maintenance and development of business-critical applications. He advocates for code quality and for shifting efficient DevSecOps practices left. Earlier in his career, he also carried out security reviews and testing for e-commerce services. Get to know Niko better by following him on LinkedIn and reading his blog.
The Principle of Least Privilege (PoLP) is a crucial practice in organizational security: users are granted only the minimum access to resources they need, and only for as long as they need it. At Futurice, we too love transparency and trust, but you don't want to give a new hire access to everything under the sun from day one. PoLP also helps when developing secure software. Consider using role-based allow listing, for example, and limit what information your users can read and modify.
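One way to apply the two ideas in that paragraph (role-based allow listing, and access that lasts only as long as it is needed) in application code, as an added example that is not from the newsletter or from Futurice: an allow list maps each role to the record fields it may read and write, anything not listed is denied, and each role grant can carry an expiry so that temporary access lapses on its own. The roles, fields, users and clock below are constructed for illustration.

```python
"""Deny-by-default, role-based field allow list with time-bounded grants.

Added example; the role names, fields, sample record and fixed clock are
constructed for illustration and are not from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping

# Allow list: role -> fields that role may read / write on a customer record.
# A field that is not listed is denied. This is what makes it least privilege:
# a block list would have to anticipate every sensitive field in advance.
ALLOW_LIST: Mapping[str, Mapping[str, frozenset[str]]] = {
    "support": {"read": frozenset({"id", "name", "email"}), "write": frozenset({"email"})},
    "billing": {"read": frozenset({"id", "name", "email", "iban"}), "write": frozenset({"iban"})},
    "viewer": {"read": frozenset({"id", "name"}), "write": frozenset()},
}


@dataclass(frozen=True)
class Grant:
    """A role held by a user; expires_at=None means a standing grant."""
    role: str
    expires_at: datetime | None = None

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass(frozen=True)
class Principal:
    user: str
    grants: tuple[Grant, ...] = ()


class PermissionDenied(Exception):
    pass


def permitted_fields(principal: Principal, action: str, now: datetime) -> frozenset[str]:
    """Union of the fields every *active* role grants for ``action``.

    Expired grants, unknown roles and unknown actions contribute nothing,
    so a principal with no matching grant ends up with an empty set.
    """
    allowed: frozenset[str] = frozenset()
    for grant in principal.grants:
        if not grant.is_active(now):
            continue
        allowed |= ALLOW_LIST.get(grant.role, {}).get(action, frozenset())
    return allowed


def read_record(principal: Principal, record: dict, now: datetime) -> dict:
    """Return only the fields the principal may see; the rest are filtered out."""
    allowed = permitted_fields(principal, "read", now)
    return {key: value for key, value in record.items() if key in allowed}


def update_record(principal: Principal, record: dict, changes: dict, now: datetime) -> dict:
    """Apply ``changes`` only if every changed field is writable by the principal.

    One disallowed field rejects the whole update instead of silently dropping
    it, so callers cannot mistake a partial write for success.
    """
    allowed = permitted_fields(principal, "write", now)
    denied = set(changes) - allowed
    if denied:
        raise PermissionDenied(f"{principal.user} may not modify {sorted(denied)}")
    return {**record, **changes}


# Constructed sample data and a fixed clock so the example is deterministic.
NOW = datetime(2020, 10, 1, 9, 0, tzinfo=timezone.utc)
CUSTOMER = {"id": 42, "name": "Ada", "email": "ada@example.com", "iban": "FI00 CONSTRUCTED"}
SUPPORT_USER = Principal("sam", (Grant("support"),))
# A billing grant that ran out an hour ago, plus a standing viewer role.
LAPSED_BILLING_USER = Principal("bea", (Grant("billing", NOW - timedelta(hours=1)), Grant("viewer")))
NO_ROLE_USER = Principal("nobody", (Grant("auditor"),))  # role not in the allow list


def demo() -> dict:
    """Run the sample principals against the sample record."""
    try:
        update_record(LAPSED_BILLING_USER, CUSTOMER, {"iban": "FI99 CHANGED"}, NOW)
        lapsed_write_denied = False
    except PermissionDenied:
        lapsed_write_denied = True
    return {
        "support_sees": read_record(SUPPORT_USER, CUSTOMER, NOW),
        "lapsed_billing_sees": read_record(LAPSED_BILLING_USER, CUSTOMER, NOW),
        "no_role_sees": read_record(NO_ROLE_USER, CUSTOMER, NOW),
        "lapsed_write_denied": lapsed_write_denied,
    }


if __name__ == "__main__":
    print(demo())
```

The point of computing permissions from the allow list rather than from the record is that adding a new sensitive column to the record changes nothing for existing roles: nobody can read or write it until someone deliberately lists it.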
For many a developer, static code analysis brings to mind all the sleepless nights spent fixing code styling to get a pull request accepted. However, it has far more critical use cases, for example static analysis security testing (SAST), which catches vulnerabilities early in the development cycle. Among other great new features, GitHub started supporting this with their new Code Scanning feature, which integrates with the pull request workflow through GitHub Actions. Having done plenty of security reviews just by reading code, I've dreamed of a tool to help with the process, and now I have it.
Most of the time, we read about security from seasoned veterans who often fall into the trap of using overly specialised language. It's not fun to learn things when you continuously have to look up what concepts like transport layer security, asymmetric encryption, and cipher suites mean, let alone when mathematicians hit you over the head with complex encryption formulas. Fortunately, Victoria Drake has got your back with this fundamental primer on TLS in plain English. By the way, if you're into animals and security, check out the How HTTPS Works comic as well.
Related to the above, there is a myriad of supposed pitfalls in information security that are repeated again and again without anyone really considering whether they are that bad. In this post, Utku Sen argues that security by obscurity is an underrated defence mechanism. Of course, you shouldn't rely on obscurity alone, but why not use it as an additional layer? It never hurts to change the port number of your public SSH instance to something else – just remember to document it for future use!
Feel like reading more? Good! Let's close the topic with a monster list of security tips that I guarantee won't leave you hungry. The author claims you can use the resources in this repository to secure medieval castles, art museums, and computer networks, to mention but a few. It also works as a nice dictionary if you're unsure about a specific concept.
DevOps culture is a reality for many engineering teams today. Yet security practices are still unfamiliar to many. Where to start? How can security be included in our day-to-day work instead of being "added" later? A threat modelling process is a proven and effective way to help you transition to DevSecOps.