Posts: 135 / Nickname: fsommers / Registered: January 19, 2002 7:24 AM
Traits of a Security-Conscious Developer
May 29, 2007 6:30 PM
|
In this installment of JavaOne 2007 interviews, Fortify Software's Barmak Meftah and FindBugs creator Bill Pugh talk about what makes a security-conscious developer, and what developers can do to write more secure code:
http://www.artima.com/lejava/articles/javaone_2007_barmak_meftah.html What have you found to be the single most important step to follow to ensure that you're writing secure code? |
Posts: 5 / Nickname: dewd / Registered: December 18, 2005 9:34 AM
Re: Traits of a Security-Conscious Developer
May 29, 2007 8:00 PM
|
Just try to keep the redundancies low by adopting conventions and façades to avoid extra complexity which might both hide security problems and make it harder to keep track of problematic code to easily fix it when necessary. The conventions and façades need to tackle the security concerns as much as possible, of course. :-)
Also, beware of exposing services on the Internet, even if they are meant to be accessed from your proprietary and difficult to reverse-engineer clients. As much as possible, you can trust only in your server-side code. Unfortunately, thin-clients may help reduce the exposed APIs of your server/client code, despite being poorer than "rich-clients". Finally, once you use code from third parties, you may not be able to control the quality/security of it anymore. Think PHP libraries for instance. So it's up to you to balance your needs. |