Security, do I need to consider it as a consultant?

Tuesday, November 14, 2017

Devoxx is over and it was overall a good edition.
There were a lot of talks about AI and Kotlin, but this year I focused on security.
The reason is that, as a full stack developer, I do some security work like URL permissions in Spring,

In all the projects I've done, you either start from an archetype where the security is already done, with Single Sign-On, or you work on an existing project where all the security work is already done.

But is that true?

As I was watching some talks, some things lingered and actually changed my mind about some coding styles.
The talk I loved the most was "Blue Team Security: Actual Security Work for Actual Developers" by Siren Hofvander.
Not because she is a woman, or because she invites us to Sweden for free beer, pizza and tea, but for giving a simple, comprehensive talk with some humour in it.
The most boring but most important thing she talked about:

Simple input validation

  • I do check a lot of nulls, but do we check our input for more than that?
  • Who checks for exotic characters when you are sure they will never be inserted?
  • Who checks for escaped characters like newline, tab, … or HTML codes?

Well, I can say, I don’t do that yet.
But when we do check it, a large share of the most common attacks, injection and cross-site scripting in particular, start with unvalidated input and would be stopped at the door.

That is a lot, and what does it cost us?
It takes a lot of time to change the whole backend to a nicely input-validated model.
But we can write a utility class for the most common scenarios.
It takes some extra time, but then we have a base and, more importantly, it is easy to use.
So the next step is to add this to our backend.
You don't need to do it all at once.
Consider it more like this: whenever you need to change a class for a refactoring or to update some code,
add your checks to it.
That way you rebuild your model over time, building a solid wall brick by brick, and, more importantly, you can combine the boring work with the real fun work, so it is not so hard.
This way your whole application gets more secure, over the longer term of course, but with minimal changes and wasted time.
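As an added example of what such a utility class could look like (this is not code from the post or from the talk, and every class, method and field name in it is an assumption made for illustration), here is a small Java validator in the spirit of the approach above: null checks first, then Unicode normalisation, then a control-character check that catches the newlines and tabs from the list, then allow-lists that say what is permitted instead of hunting for "exotic" characters, plus an output-side HTML escape for free text that cannot be allow-listed:

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

/**
 * Added example, not code from the post or the talk: a small input validation
 * utility of the kind the post proposes. All names here are assumptions.
 */
public final class InputValidator {

    private InputValidator() {}

    /** Thrown for any rejected value; carries the field name so callers can report it. */
    public static final class ValidationException extends IllegalArgumentException {
        public ValidationException(String field, String reason) {
            super(field + ": " + reason);
        }
    }

    // Allow-list: state what IS permitted instead of blacklisting "exotic" characters.
    private static final Pattern USERNAME = Pattern.compile("^[a-z0-9_]{3,32}$");
    // Unicode category Cc: newline, tab, NUL, ESC, DEL and the rest of C0/C1.
    private static final Pattern CONTROL = Pattern.compile("\\p{Cc}");

    /** Null check, normalisation, control-character and length check; returns the cleaned value. */
    public static String requireText(String field, String value, int maxLen) {
        if (value == null) {
            throw new ValidationException(field, "missing");
        }
        // NFKC folds compatibility forms (full-width letters, ligatures) so the
        // allow-list sees the same characters a database or browser would.
        String s = Normalizer.normalize(value, Normalizer.Form.NFKC);
        if (CONTROL.matcher(s).find()) {
            throw new ValidationException(field, "contains control characters");
        }
        s = s.trim();
        if (s.isEmpty()) {
            throw new ValidationException(field, "empty");
        }
        if (s.length() > maxLen) {
            throw new ValidationException(field, "longer than " + maxLen + " characters");
        }
        return s;
    }

    public static String requireUsername(String value) {
        String s = requireText("username", value, 32);
        if (!USERNAME.matcher(s).matches()) {
            throw new ValidationException("username", "only a-z, 0-9 and _ are allowed");
        }
        return s;
    }

    /** Parse a numeric parameter and enforce a range, so "-1" or "99999999" never reach the service layer. */
    public static int requireIntInRange(String field, String value, int min, int max) {
        String s = requireText(field, value, 11);
        int n;
        try {
            n = Integer.parseInt(s);
        } catch (NumberFormatException e) {
            throw new ValidationException(field, "not an integer");
        }
        if (n < min || n > max) {
            throw new ValidationException(field, "must be between " + min + " and " + max);
        }
        return n;
    }

    /** Output-side escaping for an HTML context: free text (comments, names) is escaped where it is rendered. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(requireUsername("alice_01"));
        // Full-width "alice" is folded to ASCII by NFKC before the regex runs.
        System.out.println(requireUsername("\uFF41\uFF4C\uFF49\uFF43\uFF45"));
        System.out.println(requireIntInRange("page", " 3 ", 1, 1000));
        System.out.println(escapeHtml("<script>alert(1)</script>"));
        String[] bad = { "ali\tce", "x", "alice;drop", null };
        for (String b : bad) {
            try {
                requireUsername(b);
            } catch (ValidationException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

In a Spring backend the natural place to call this is at the controller boundary, before anything reaches the service or repository layer; for the simplest cases, Bean Validation annotations (`@NotNull`, `@Size`, `@Pattern`) on a request object checked with `@Valid` give you the same effect declaratively. Two caveats a utility class like this does not remove: database access should still use parameterised queries, and the template engine should still encode output, because validation narrows the input but cannot know every context the value will later be used in.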

Now it's up to us.
I know I'll google some example classes for this so I can make a decent utility class.
I hope you do too, and I invite every reader to comment below and share locations of potential utility classes.
Just because sharing is caring.


Filip Cossaer