Opinion: Coding apps to be secure


Hello All,
First and foremost, as unfortunate as the case may be, most developers are not in the practice of developing applications with security in mind. This is not to say that they are bad programmers/coders, because some of these individuals are spectacularly talented; however, they have not been trained in security measures and best practices when it comes to making their applications as secure as possible (Sethi, 2014). Not to mention that securing an application to the best of your ability requires more time to code and more time to test, and anyone employed by an organization to code apps usually has to deal with a timeframe and time to market, because most upper management is concerned with the bottom line now and not with spending the extra time, effort and resources to make the application as secure as possible. This is despite the fact that a data breach resulting from something as simple as bounds checking on input fields not being performed [read: buffer overflow (Bright, 2015)] could wind up putting the organization out of business or damaging its reputation forever. As a cyber community (globally as a whole), businesses and individuals alike are slowly (ever so slowly) learning the importance of information security, of securing apps/programs and backends/frontends, and of coding with security in mind. Not only is the last generation feeling the effects of vulnerabilities, but the younger crowd is starting to become aware of how dangerous it is to be online and what happens when they use apps that are not trusted, and even apps that are trusted but fall short on security, even though they don't quite understand why they got hacked or how their information was stolen and used in identity theft.
Unfortunately, currently as well as in the past, there has always been a tradeoff between security and usability, but in my opinion as an upcoming security professional, we (the general public as well as organizations) will eventually get tired of the "data breach a day" (not to mention the financial fallout of losing your life savings and identity, plus getting your credit rating destroyed) and really start putting effort into making everything secure. We are at the stage now where we are in transition from when the web was somewhat safer to danger everywhere, and it will take another generation to fully understand and adopt new measures for securing applications, databases, information and everything else. This includes the people who use the web and the people who make things to use on the web. Change is good, but it can't come soon enough. It is our personal responsibility (as programmers) to make sure that we code and create in a manner that does not endanger anyone's well-being. What some coders do not realize is that we are in control of what happens to other people's lives. We might not personally experience any ill effects from making an insecure application, but all the people who did suffer because we did not take a few extra steps will be on our conscience.
So, in order to secure Node.js applications to the best of our ability, there are many items that need to be addressed, and it's unreal how common-sense some of these issues are (or should be to anyone with enough computer sense to be coding or scripting). The number one rule is to not use any routines/subs that call on deprecated versions of Express or anything else that you are trying to incorporate into your code (Express, n.d.). From my personal Infosec perspective, constantly (within reason) check for updates and keep everything up to date. Old, out-of-date software is ripe for the picking. At a minimum, make sure your application is operating with Transport Layer Security (TLS), because SSL is old, on its way out and crackable (Express, n.d.). In this day and age, it is an absolute must to use the most secure protocols that we have to date.
/* BTW, there is a serious note to keep in mind. Always remember that
   anything that you make has the possibility to destroy someone's
   life if you don't take measures to ensure that your users and their information
   are secure. */
Another method to secure your Node.js apps is to use some software that combats common vulnerabilities such as Helmet (Express, n.d.). This software can parse your code and identify issues and prompt you to fix the problems relating to the HTTP headers that leave room for issues (read: hacks). These are just a few of the issues, and there are many more to take into consideration when creating an application that individuals are going to use and submit Personally Identifiable Information (PII) or anything else. Privacy and Information Security should be the #1 priority even though it does not always work out like that.
-WH
References
Bright, P. (2015). How security flaws work: The buffer overflow. Retrieved from https://arstechnica.com/information-technology/2015/08/how-security-flaws-work-the-buffer-overflow/
Express. (n.d.). Production best practices: Security. Retrieved from https://expressjs.com/en/advanced/best-practice-security.html
Sethi, R. (2014). Why developers build insecure apps. Retrieved from https://www.huffingtonpost.com/rohit-sethi/why-developers-build-inse_b_5549482.html
