Validating a password protection system
That is, until something goes wrong, until the system you build is compromised, then suddenly security is, and always was, the most important thing.
Security is a cross-functional concern a bit like Performance. Like Performance, our business owners often know they need Security, but aren’t always sure how to quantify it. Unlike Performance, they often don’t know “secure enough” when they see it.
So how can a developer work in a world of vague security requirements and unknown threats?
Modern web development has many challenges, and of those security is both very important and often under-emphasized. While such techniques as threat analysis are increasingly recognized as essential to any serious development, there are also some basic practices which every developer can and should be doing as a matter of course.
Daniel Somerfield is a Technical Lead at ThoughtWorks, where he works with customers building systems that serve their business needs and are fast, flexible, and secure. At the moment his primary focus is on helping improve how security concerns are addressed during the solution delivery lifecycle.
Our form handling code has application logic with different behavior depending on those values. We are trusting that downstream logic processes untrusted content correctly. So what can a developer do to minimize the danger that untrusted input will have undesirable effects in application code? Input validation is the process of ensuring input data is consistent with application expectations.
(hint: we might...) Of course, like security, trust is not binary, and we need to assess our risk tolerance, the criticality of our data, and how much we need to invest to feel comfortable with how we have managed our risk.
In order to do that in a disciplined way, we probably need to go through threat and risk modeling processes, but that’s a complicated topic to be addressed in another article.
Of course, you need to write code that fulfills customer functional requirements. Further, you are expected to write this code to be comprehensible and extensible: sufficiently flexible to allow for the evolutionary nature of IT demands, but stable and reliable.
You need to be able to lay out a useable interface, optimize a database, and often set up and maintain a delivery pipeline.