Skip to main content

10 tips for secure development

This article first appeared in issue 235 of .net magazine – the world's best-selling magazine for web designers and developers.

It’s easy to overlook security when developing, but in light of recent high-profile hacking incidents, it’s a big mistake. The social network Formspring, for example, was recently compromised after someone broke into one of its development servers and used that access to extract user account information from a production database. Here are my top 10 tips for defending your development:

1 Implement security measures at the start of your project: it’s much easier to create a solid security foundation from the outset than to bolt-on security features midway through. Don’t simply assume that no one is interested in hacking a new project.

2 Don’t keep live user data in the development environment, use an artificial data generation utility such as GenerateData. These tools use regular expressions and predefined ranges of values to generate realistic, but fake, test data that can be used in place of real user info.

3 Ensure your development environment is up to date: your OS, server software and, not least, your anti-virus and security patches should be kept up-todate to mitigate against the latest vulnerabilities.

4 Lock down ports, restrict development server access to specific IPs and use public/private key authentication where possible. While coffeeshop developing may be popular among your development team, you should ideally avoid the use of public and unsecured wireless networks.

5 Don’t take shortcuts with your backup security. Ensure that checked-in-code and data backups are encrypted and stored in a secure location.

6 Decommissioning should be a part of your development process. If elements of your development infrastructure are no longer required or in use, switch them off and securely delete them. Tools such as Eraser (opens in new tab) and CCleaner (opens in new tab) can be used to fully remove any data imprints from drives.

7 If you’re developing a social element to your app, ideally test it within a closed environment. Use strong, secure, unique passwords for all different test accounts: an employee reusing a password across accounts recently saw Dropbox being compromised.

8 Whether your development infrastructure is a laptop or a complex load-balanced network of app and database servers in the cloud, it needs to be physically secure. It can sometimes be easier to access a physical machine than a remote cloud-based machine, so physically lock down your equipment, lock screens when unattended and encrypt drives. Encryption software such as TrueCrypt and PGP from Symantec are ideal. If your data is stolen, this will ensure it’s useless in the hands of others.

9 If you’re using a hosting environment, ideally choose one that is ISO 27001 accredited – this ensures that it meets international baseline information security management standards of confidentiality, integrity and availability.

10 Finally, use strong, unique passwords across all your development accounts. Passwords should be at least 15 characters long and contain uppercase, lowercase, digits and symbols. Avoid using personal information, common names and sequences, and don’t reuse the same passwords across multiple accounts. Using different passwords across all of your development accounts means that should one account be compromised, your exposure is isolated. Free password management services such as my1login are available to help.

No matter how stressful or time-pressured projects may become, cutting corners on security can end up costing more time and do untold reputational damage should weaknesses be exploited.

How to build an app! Discover 20 great tutorials at Creative Bloq.

Thank you for reading 5 articles this month* Join now for unlimited access

Enjoy your first month for just £1 / $1 / €1

*Read 5 free articles per month without a subscription

Join now for unlimited access

Try first month for just £1 / $1 / €1

The Creative Bloq team is made up of a group of design fans, and has changed and evolved since Creative Bloq began back in 2012. The current website team consists of six full-time members of staff: Editor Kerrie Hughes, Deputy Editor Rosie Hilder, Deals Editor Beren Neale, Senior News Editor Daniel Piper, Digital Arts and Design Editor Ian Dean, and Staff Writer Amelia Bamsey, as well as a roster of freelancers from around the world. The 3D World and ImagineFX magazine teams also pitch in, ensuring that content from 3D World and ImagineFX is represented on Creative Bloq.