Top 10 Tips of Architecting Secure-First Software || Code Quality & Performance Virtual Conference
Nov 9, 2023
Top 10 Tips of Architecting Secure-First Software: Software and data security and privacy must be the top priority when architecting a new software system. There are over 1 million new cyber-attacks each day, and almost every company is a victim of data hacks and cyber attacks. It is software architects and developers who should think about the security of data, APIs, and UI from day 1. In this session, Mahesh will share his top 10 (or more) tips on what you can do to build secure software systems that are bulletproof against any hacks.
Conference Website: https://globaltechconferences.com/event/code-quality-performance-virtual-conference-2021/
C# Corner - Community of Software and Data Developers: https://www.c-sharpcorner.com
C# Live - Dev Streaming Destination: https://csharp.live
#Security #Architecture #Software #virtualconference
0:00
First of all, I want to thank David for organizing this conference
0:09
It's kind of unique, just focused on quality, right? Good quality and performance, which is a big thing, actually, if you're writing software
0:21
and if you don't keep in mind the quality and performance, it's a problem
0:27
It's a problem in the long run. So in this session, however, it's a little different
0:31
I want to talk about security, right? Security. And I turn my call in the secure first software
0:38
You know, you probably heard other, you know, you know, cloud first and so on and so forth
0:43
But this is secure first means what it is. I will in the session, I'll talk about what secure first is
0:48
And when you are either a software developer, you're a front end developer, back end developer, you're an architect lead or even a full stack developer or a database DBA
0:58
or data you know database developer doesn't matter whoever you are the goal here is like
1:04
how to build the secure first software um so simon is going to drive me uh somebody who doesn't know
1:12
my name is Mahesh Chand, I'm founder of C# Corner, I run a company, Mindcracker Inc, here and
1:18
I have been running this company, Mindcracker Inc is a software consulting, for past 20 years or so
1:23
So all these experiences I'm going to share is based on what we learned from when we build
1:28
new software for our clients and somehow for ourselves. So when you think of a software security, right, when you are, let's say you're a software
1:40
developer and you're building a software, our client comes to you or your manager comes
1:44
to you, hey, we have this new application we need to build
1:48
Most often you don't think about security. You look at the UI, you look at the requirements, you look at, okay, what kind of backend database
1:56
we need. However, you don't really spend too much time on security on day one when you are designing
2:02
and architecting software. And that's really, I want to talk about today is that software security is not just a job
2:09
of IT people. Okay. That's one thing sometimes people really kind of think of is that, oh, it's a security
2:17
It's probably the security team will handle that. their job but that's not how we have to think no matter if you are a front-end your back-end or
2:25
even writing apis you're working on databases or you're managing your servers and networks
2:31
everywhere you have to think of security and you would say why do i need to think about worry about
2:37
security these days because there are more than 1 million hacks every day not hacks at least attacks
2:44
cyber attacks there are more than 1 million cyber attacks every day coming from different parts of
2:50
the world so i don't know if you hear these news but they're always okay you know today's twitter
2:56
account got hacked twitter database got hacked you know facebook got hacked you know target got
3:01
hacked all these financial services are getting hacked why are they getting hacked because there
3:07
are not enough security you know measures in these softwares when they were built and not just from
3:13
the backend side not just from the hardware side but also from the software side
3:22
this session is for everybody it's not just for uh you know software developer it's basically
3:27
from you your front-end developer your back-end developer you're an architect your lead
3:32
or even your data you know everybody at least there are some tips in here and again this
3:38
because we're gonna you know shorten this for 30 minutes so i'm just gonna go run through these
3:43
tips if you want to know more details on these tips there are certain articles on c-sharp corner
3:49
or there are some references as well in this document uh if you need this slide i will share
3:55
this slide simon you know reach out to simon he can share the slide with you uh so let's think
4:01
about the security first design principle and one more thing i forgot is please please please let
4:07
us know let us know what you're thinking about this conference are you enjoying it what is your
4:13
feedback because we may end up doing this every year. David would probably love to do this once
4:18
in a year. Any feedback you have for us, for David, for Simon, what else you would like to see in this
4:25
conference? Did you learn anything from it? Post your comments, share your comments, win some prizes
4:33
But definitely, you know, give us feedback because without the feedback, it's hard for us as, you know
4:39
speakers or even organizers know that are we doing these conferences is even worth doing it right so
4:46
more feedback we have better this so all right so let's get back to my this session security first
4:53
design principle so what does that mean really that means when you are architecting a new software
4:59
application it doesn't matter it's a web application is in a mobile application it is
5:04
even a client application or it's an enterprise-wide system or even it's it
5:09
doesn't matter what kind of software you're building when you are designing
5:13
architecture phase you're sitting down and designing with architects or you know
5:17
your leads and you know working with it that time you also have to think about
5:21
the security you cannot just say oh we'll think about security later that's
5:26
not how you should be thinking in today's world in design first principle
5:33
everyone in the team has to include in these security discussions. It's just not software developers. It's just not DevOps
5:41
It's just not IT people. Everybody, everyone in the team, front-end developers, back-end developers, architects, DevOps
5:49
engineers and testers, IT, whoever is managing the servers, they all have to sit down and work on this together
5:59
This is not just one person's job. So that's what really security first design principle means
6:07
Also, it's very important if you read latest blogs from, say, Microsoft or these companies, you will always see there's more updates coming
6:18
Every time you see a new framework updated, every time, say, Microsoft updates dotnet framework, there may be some changes related to security, related to authentication, related to authorization
6:27
you have to keep up to date with that it's not it's just not like oh I know already how to
6:33
do this in previous version because security changing very frequently because patches are
6:38
coming up a lot of things change there so make sure you keep up to date with those
6:43
so let's look at some of these tips so and again in my in my title it says top 10 tips but it's
6:55
more than actually top 10 because what I did is I end up separating these for the
7:01
front-end, back-end and server and so on so forth. So these are some of the tips
7:05
I will run through and obviously, you know, I can go through all in details because each of these tips is really one session on itself. Um, so if you want to learn more, there are separate articles on C# Corner, in, you know,
7:21
everywhere on the web if you search for example how to you know implement https in a website
7:28
uh you can just find a lot of articles on that so i'm not really going to explain in the detail
7:33
but I will just go through these tips. If you have any questions related to these topics here I'm mentioning
7:41
just let me know, just post questions. We're going to have at least five minutes in the end to take some questions
7:48
Hopefully, I'm not going too fast. David, you good? Simon, you think I'm good
7:57
All right, looks like I'm good because no answer is a good answer, right? So first thing is make sure every website, if you're building a web system, public website
8:08
or even, yeah, make sure it's HTTPS. That's the first requirement these days
8:12
All browsers, if your website is not HTTPS, some of web browsers actually not is going
8:18
to show you. They already, Google already announced that Chrome is not going to display your website
8:26
if it's not HTTPS. In HTTPS, what it does is really when a client, a person visits your website, let's say they type in the browser your website URL
8:37
If it's HTTPS, what happens is that the data being sent from the server to the client is now secure encrypted
8:45
So that kind of is one of the very, very basic feature you can implement to make your website secure
8:53
If you have an API, for example, don't keep it HTTP. Make it HTTPS
8:57
it's not really hard it literally takes i would say less than you know two hours to enable and
9:04
make your website or your api um https that's a lot of articles out there and it's free too you
9:11
don't need to even pay there's you know there's certificates they're free uh so that's what one
9:17
thing you uh you can do that now second thing start with that is i always you know i talk to
9:25
developers we start a new project and i go and you know for code reviews and audits i'll go and i'll
9:30
ask developers like hey is your connection string secure we're like no we will come back later right
9:37
now it's just in config file or oh right now we have a connection string variable in our code
9:43
and that shows everything what the server name is user id password database name everything is there
9:48
I understand you can go and fix that later, but that's not what secure first design principle is
9:56
Secure first design principle is that from the day one, you have to make those secure
10:01
You have to make sure all your connection strings and your login credentials, they're not in plain text anywhere in your config files, in your app settings, in your code
10:12
That's rule number one. because I know how developers think and you know that we will do it later we will do it later and
10:21
later may not come now right this happens all the time number three you got to enforce complex
10:27
password and with rules right this is very important if you look at the history if you
10:32
look at all the data coming from hacking like bank passwords have bank accounts hacked in
10:39
And the reason they're saying is that most people have these simple passwords
10:44
You know what is the most common password is? Anybody? If anybody can answer what is the most common password used in the world, they will win
10:54
Let's say what? I would say we'll give away 100 strikes to them
10:59
100 strikes is worth probably $115, $120, $30. dollars so if you can tell me what is the simplest password in the world which most people use
11:12
uh you will win this uh 100 stress i will answer this later if i don't see that
11:20
yes like keep those coming um you will be surprised i one one of my articles actually i
11:26
made on this article on c-sharp corner i wrote i made a list of i think top 20 passwords and you'll
11:33
be surprised even like some u.s senators their passwords like very common which is default
11:39
password also let me ask you this how many times you guys let's say your email is created by your
11:46
admin how many times do you go and change that password unless it's not enforced right think
11:51
about that that's where most hacks comes is so when you are building a new web page and login
11:57
functionality in it make sure from the day one you enforce these complex password rules
12:05
if you have a server make sure you have policy that every 30 days or 90 days password has to be
12:13
changed right if you have let's say number four let's go to number four if you have a form where
12:19
you're asking the data email somebody wants to contact you and all that make
12:22
sure you disable bots because that's another way bots are checking your
12:27
emails they they will send you this some kind of message on your website and
12:32
that will have a link in there and people somebody is gonna click on that link to just see and boom so these are some things as software developers these
12:41
are our responses when we are building these when we are building this you know
12:45
So software, this is our job to keep this in mind. And make sure you have number five is industry standard authentication authorization
12:55
So don't just use what you've been doing for so long. Make sure you also update yourself, see any change done in .NET framework for authentication authorization
13:04
And there's changes all the time. If you look at every year new version comes out, there are some changes
13:11
Look at number six, don't expose code, right? So I have also seen that JavaScript files from time to time
13:17
Code is there. Everything is there. If you look at the JavaScript file, you can literally see everything
13:22
So try not to put everything on client's side. Number seven, implement
13:28
Exception handling has to be thorough. That should be from day one, right
13:33
And then don't rely on server security. As a software developer, you cannot say that, oh, my IT or servers are secure
13:41
We are good. Sometimes, you know, I hear what I hear from people. I hear is that, oh, this is just an intranet-based application
13:47
So we don't really worry about security because only people in the company are going to access it
13:53
Yes, agree. But it doesn't mean that you cannot implement security on the front end, right
14:00
Imagine in your house. When you think of security, think of this your house, right
14:04
In your house, you have a safe, which is locked. and then you have money inside that, your money, your gold, your watch and everything
14:12
in your safe. And you say, oh, my safe is locked. So let me leave my door open
14:19
You think that's a good idea? So front end is your door. Front end is the door of your house. You cannot leave the front end open so thieves can come in, walk in, and go to the safe and steal. In this case it's data. So you have to think this is our responsibility as software developers, front-end developers
14:37
to make sure that these points are discussed in our design and architecture meetings
14:44
I hope you guys are learning something. Let me know your comments. Oh, by the way, I'm still waiting for, let me see, password
14:50
No, I don't see the password which is most commonly used by most people
14:57
Yeah, but I'll tell you right now, it's called password123. Password123 is the most common password in the world
15:07
So that's the answer. So we just talked about the front-end security
15:13
So if you are a software developer, front-end developer, You cannot just say that, oh, oh, I just need to build the UI
15:22
I'm not worried about security. This is not my job. There's an IT guy, there's security team
15:27
They're going to come back and look at that because security IT guys don't think on software terms
15:32
They think if their server is secure, their network is secure, they think everything is secure
15:36
But do you really know that 62% of hacking is done through front ends, not from the back
15:43
end, not from the servers, from the front end? That means the door of your house
15:48
You cannot leave your door open. You know, that's important part. Yeah, thank you, Joe, for comments
15:54
Yes. Password one, two, three. There you go. It's not even at the rate, actually
16:01
It's a password one, two, three without at the rate. That's one of the most common
16:06
All right. So that was, so you just saw the front end security
16:10
So if you are responsible for building the front end, you have to keep those things in mind
16:15
You know, I can add 10 more things to that, but that's the minimum thing. If you take care of those minimum things
16:21
automatically your software is more secure than it was before. And these are not hard to do
16:26
That's the good part. All these things we just saw earlier, they're not hard to do
16:31
Code is already there. Functionality is already there. All you have to do is make sure
16:35
you have in your checkbox, in the, yes, we did this. Yes, check, check, check, check, check
16:41
Once you do that, your software is already way secure than it was before. All right, so now we talked about front end. Let's go to data security
16:52
So data security also, again, it's not just DBAs, it's also a job of developers, right? A lot of us
16:57
a lot of us, we work on database as well, right? If you are a backend developer or you are a full
17:03
stack developer, you know, we end up doing all the work. We end up creating database tables
17:07
we create stored procs, we also work with the data drag, right? DBAs are great, they will
17:13
initially will have but in most cases in some large corporations dbas do control the database
17:19
but if you are a dba or a developer working with the databases there are some things you also need
17:24
to keep in mind uh number one encrypt sensitive data from day one i have seen again and again and
17:33
again the most systems are hacked because databases store the emails the password the logins the
17:40
credit card they're all plain text uh if you're using any of the latest databases sql server or
17:47
it doesn't matter whichever as long as you have the one of the later latest versions they have
17:52
these features where it can automatically encrypt those columns and it decrypt automatically there's
17:58
not much overhead okay it's not it's not gonna affect performance much you won't even notice
18:03
it those features are already there okay so yeah and it's all there it's all there all we have to
18:12
do is make sure it's implemented or in it's like enabled right they even suggest that you know
18:19
i just saw other day sql server announced sql server team announced sql ledger
18:25
sql ledger is a pretty much a block chain on in sql server it's not a chain but at least it's the
18:31
same it's a it's basically a it it's an immutable database let's just say that immutable means
18:38
once it's written nobody can go and change it so if somebody hacker goes and try to change the data
18:44
they can do that so the point i'm making here is that the the functionality is there the feature
18:49
is there you just have to go and look at it and make sure it's enabled make sure it's implemented
18:56
if you are using sql queries or you know it makes sure it's there it's done implemented there
19:03
uh number two sql injections let's look at that 62% of cyber attacks i looked i did research on
19:09
that the 62% of cyber attacks are done through sql injections so you know that's kind of thing you
19:15
have to make sure and number three embedded i still see some people writing queries in their
19:21
html javascript files and putting all there that's the bad way to do it you do not want to expose
19:27
your database column names or anything in in the front-end side or client side server side okay sure
19:33
maybe i still don't recommend sql at all personally if you ask me i'm not a big fan of putting sql and
19:39
kill it should not be there at all um and we just talked about number four the sql immutable ledger
19:46
Number five, yes, this is very important. This is very important. Do not, when you are creating new database, database objects like tables
19:57
or procs, by default, it should be read-only. Okay. It should be read-only access, and it should be minimum access to the users
20:06
when you are creating those roles. Only admin should have more control over the things, right
20:11
But let's just say you have an application that's going to read and write
20:15
and update and all that. Then you just create a separate application user
20:20
and you have to see what functionality. Sometimes one user may just need access to three tables
20:27
So you have to figure that out, but you have to make sure you look at the right roles
20:30
right permissions. And by default, they should be the minimum access required
20:36
That should be the default. It shouldn't be default like make admin, admin, admin. Sometimes what developers do is, or non-DBAs
20:42
they end up doing it like, you know what? I'm not going to come to this. let's give them admin access to everything so that's a bad way to do that that's definitely
20:50
you do not want to do that um so yeah let those comments come in that's exactly yeah joe said dos
20:58
those attacks are nasty yeah you're right and then that's where history tells us we should learn from
21:03
history um uh there is a question how to overcome from malware attacks you know i have written
21:09
actually a perfect article on that on c-sharp corner maybe simon can find it and share that
21:15
uh it says how to keep your data you know secure i did a lot of research and i wrote a detailed
21:22
article on that um but i'll take this question in the end so let's move to our next screen so we
21:29
just talk about the front end we just talk about the data now if you are working on a back-end code
21:35
or APIs, there definitely you need to also think about security. You cannot just say, ah, my database guys are taking up database, my front end guys taking my front end, so I'm good. You need to think about security as well
21:50
Right. So here are nine tips here. Secure API APIs. You have to figure out the latest technology
21:58
If you're using token based authentication, whichever it is, make sure it's secure
22:02
Obviously, it has to be HTTPS. Rule number one. I talked in my previous slide, right
22:08
You have to definitely separate read-only and write APIs if you can. I know developers love, you know, creating just one single API, you know, call
22:17
and that's where you can do all that. That's great, but you have to look at it. Is it going to impact
22:22
Is there a security problems with this? If that's the case, you have to fix those holes, right
22:28
Definitely do not store sensitive data in plain text. do not also input parameters and user validations are important that's very important sometimes input
22:38
parameters and user validations are important and what I'm seeing on our C-sharp corner on forums
22:44
we don't have I mean I'm telling everybody what to do but even on C-sharp corner we don't have
22:49
some of these user validation input parameters sometimes people can just type ABCD and that
22:55
would be the title of the of the forum sometimes they can start so on point I'm making is that
23:00
that even though these are little things, but they should be part of our day one design, right
23:07
Let's look at number five, implement logging and capture exceptions. That's very common, right
23:13
Passwords, if you are storing password and passing through, you know, hashing is the best way to do it
23:20
because good thing is hashing nobody can read it and nobody can find it for your password is, right
23:26
Only the only user can change it. And these days passwords you see these days also the double multi authentication, right
23:34
You can implement all those as well. Number seven, never expose sensitive data in URLs, right
23:40
This is not always I've seen. Sometimes you will see, okay, in my URL, I can see the ID in there
23:47
Sometimes you can see the, you know, bunch of data. That's just to not pass that if it's any sensitive data
23:54
I'm not a big fan of URL, too much data being passed in URL anyway
23:59
It also makes sure you aren't too long. Yeah, implement latest industry standards
24:04
There's so many tools out there, third parties for being used for this authentication
24:09
If your company is implementing that, see, look at those, right? Most large corporations, they use one of those services
24:19
So if you are using that, that's great. If you're not, even you don't want to use that, that's fine
24:24
make sure make sure you look at microsoft or whatever technology you're using for latest
24:30
security guidelines right there's there's always guidelines released by microsoft google whichever
24:36
technology you're using right so make sure you read those these are important and this is not
24:41
just for security team this is not for somebody called it security okay that's different i'm
24:48
talking about software developers. So software developers also need to become at least these
24:55
security experts considering these points. If there are requests timestamps also helps
25:03
because then you can easily audit and track things like that. So that will also help. Now
25:08
you want more details on that. There's a detailed articles on each of these topics on C# Corner
25:13
Again, as I said, if I start talking each of these, each of this is pretty much one session on these topics
25:21
I just want to make sure I cover these. So when you take a screenshot of this or you download, then you can go and read these details
25:28
how to implement, depending on what kind of API you're building. Are you building API in ASP.NET Core
25:33
And yes, it's different. So you have to look at how you are going to use these tips in your software when you're building
25:43
Now, this is the last one, server security. Server security is more for the IT people, right
25:50
This is not for software developers, but that's where IT people will work with, say, architects
25:56
and lead developers to set these. That's how you manage servers, right
26:00
Make sure. We got hacked actually last year just because our hosting company did not have the latest patches
26:10
C-sharp corner got hacked and we were hosting with the Rackspace and we got hacked with this
26:18
this WannaCry ransomware which asked for Bitcoins because this came in 2017
26:26
That means they have not updated some of our servers for that long. Server means operating
26:31
system. I'm not talking about the software, I'm talking about operating system. So security updates
26:37
and patches that's what it teams they do already i'm not saying you are going to do that this is
26:42
not as a software developer's job this is mostly it teams um but when you are in the meetings when
26:49
you are designing the software secure first approach design principle you're going to put
26:54
these points and make sure it team is also on the same page firewall and port security that's by
27:00
default everybody every company does that separate environment for that qa prod that's pretty
27:05
trender there's nothing you know new here separate hard drives this is very important number four
27:13
right separate hard drives for web versus storage versus permissions on those hard drives so sometimes
27:21
you have this website where this website may also have people upload files if they're uploading files
27:29
this should be going totally on different drive where just in case something goes wrong it does
27:33
not affect your website does it not affect your database and again i'm running out of time here
27:40
but we can still quick run through these disable any script scripting and write permissions should
27:44
not be on any hard drive by default only limited number of access yes by default should be the
27:50
limited number of access uh separate databases in web servers definitely monitor apps logs so this
27:57
again this is more like the IT people implement again do regular third-party audits and make sure
28:04
update yourself with latest you know changes in that operating system or security patches
28:10
Microsoft release security patches every week i can tell you that's the fastest thing they release so
28:17
that's something to look for and these are some of the references if you like to have this again this slide I will make sure
28:28
Simon has access to that he can share the slide with you but if you keep those some 20 some points
28:34
25 27 points in mind when you are designing a new software I bet your software is going to be much
28:41
more secure than without these


