This article first appeared in issue 235 of .net magazine – the world's best-selling magazine for web designers and developers.
It’s easy to overlook security when developing, but in light of recent high-profile hacking incidents, it’s a big mistake. The social network Formspring, for example, was recently compromised after someone broke into one of its development servers and used that access to extract user account information from a production database. Here are my top 10 tips for defending your development:
1 Implement security measures at the start of your project: it’s much easier to create a solid security foundation from the outset than to bolt-on security features midway through. Don’t simply assume that no one is interested in hacking a new project.
2 Don’t keep live user data in the development environment, use an artificial data generation utility such as GenerateData. These tools use regular expressions and predefined ranges of values to generate realistic, but fake, test data that can be used in place of real user info.
3 Ensure your development environment is up to date: your OS, server software and, not least, your anti-virus and security patches should be kept up-todate to mitigate against the latest vulnerabilities.
4 Lock down ports, restrict development server access to specific IPs and use public/private key authentication where possible. While coffeeshop developing may be popular among your development team, you should ideally avoid the use of public and unsecured wireless networks.
5 Don’t take shortcuts with your backup security. Ensure that checked-in-code and data backups are encrypted and stored in a secure location.
6 Decommissioning should be a part of your development process. If elements of your development infrastructure are no longer required or in use, switch them off and securely delete them. Tools such as Eraser (opens in new tab) and CCleaner (opens in new tab) can be used to fully remove any data imprints from drives.
7 If you’re developing a social element to your app, ideally test it within a closed environment. Use strong, secure, unique passwords for all different test accounts: an employee reusing a password across accounts recently saw Dropbox being compromised.
8 Whether your development infrastructure is a laptop or a complex load-balanced network of app and database servers in the cloud, it needs to be physically secure. It can sometimes be easier to access a physical machine than a remote cloud-based machine, so physically lock down your equipment, lock screens when unattended and encrypt drives. Encryption software such as TrueCrypt and PGP from Symantec are ideal. If your data is stolen, this will ensure it’s useless in the hands of others.
9 If you’re using a hosting environment, ideally choose one that is ISO 27001 accredited – this ensures that it meets international baseline information security management standards of confidentiality, integrity and availability.
10 Finally, use strong, unique passwords across all your development accounts. Passwords should be at least 15 characters long and contain uppercase, lowercase, digits and symbols. Avoid using personal information, common names and sequences, and don’t reuse the same passwords across multiple accounts. Using different passwords across all of your development accounts means that should one account be compromised, your exposure is isolated. Free password management services such as my1login are available to help.
No matter how stressful or time-pressured projects may become, cutting corners on security can end up costing more time and do untold reputational damage should weaknesses be exploited.