Security Mindset for Developers


The most important part of security training is developing the mindset of protecting against threats. To do so, we follow a key tenet of security:

Think like an attacker

This is difficult for developers, since we focus on making things work. However, it should be one of the lenses through which we look at our code:

  • the utility lens: does it do what it should?
  • the changeability lens: how easily can we change it in 6 months?
  • the usability lens: how easily can a new colleague use the existing code?
  • the security lens: how can an attacker exploit it?

Think of these as different hats you put on while analyzing, architecting, designing or writing the code and its tests.
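The following is an added example, not code from the original course: one small report-loading function looked at through all four lenses. Under the utility lens it works, the signature is easy to use and easy to change; under the security lens the naive version lets a caller read any file the process can open. The hardened version keeps the same signature and adds the check. The directory layout, file names and the `../secret.txt` input are constructed for the demonstration.

```python
"""Four lenses applied to one function (added example, hypothetical code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def load_report_naive(base_dir: str, name: str) -> str:
    """Utility lens: reads the requested report and works for every name a
    friendly user would type. Usability lens: one obvious parameter.
    Deliberately unsafe: the name is joined onto base_dir with no check, so
    an attacker's name of '../secret.txt' escapes the report directory."""
    with open(os.path.join(base_dir, name), "r", encoding="utf-8") as f:
        return f.read()


def load_report(base_dir: str, name: str) -> str:
    """Security lens applied to the same function.
    Threat statement: a potential attacker could supply a name containing
    '..' or an absolute path and read any file the process can open.
    Mitigation: resolve the final path (this also follows symlinks) and
    refuse anything that does not sit below base_dir.
    Changeability lens: same signature, so every caller keeps working."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise ValueError(f"refusing path outside report directory: {name!r}")
    return target.read_text(encoding="utf-8")


def make_fixture() -> tuple[str, str]:
    """Constructed sample data: a reports directory with one report and a
    'secret' file one level above it that a report reader must never return.
    Returns (reports_dir, secret_path)."""
    root = tempfile.mkdtemp(prefix="lenses-")
    reports = Path(root) / "reports"
    reports.mkdir()
    (reports / "q1.txt").write_text("Q1 revenue: 42\n", encoding="utf-8")
    secret = Path(root) / "secret.txt"
    secret.write_text("db_password=hunter2\n", encoding="utf-8")
    return str(reports), str(secret)


def is_rejected(base_dir: str, name: str) -> bool:
    """True if the hardened loader refuses the given name."""
    try:
        load_report(base_dir, name)
    except ValueError:
        return True
    return False


def security_lens_check(base_dir: str) -> dict:
    """Run the attacker's input through both versions and report what each
    one does. The attacker controls only the 'name' parameter."""
    attacker_input = "../secret.txt"
    result = {}
    try:
        leaked = load_report_naive(base_dir, attacker_input)
        result["naive_leaks"] = "db_password" in leaked
    except OSError:
        result["naive_leaks"] = False
    result["hardened_blocks"] = is_rejected(base_dir, attacker_input)
    # The fix must not break the utility lens: a legitimate name still works.
    result["hardened_still_works"] = "42" in load_report(base_dir, "q1.txt")
    return result


if __name__ == "__main__":
    reports_dir, _secret = make_fixture()
    print(security_lens_check(reports_dir))
```

The check uses `Path.resolve()` on both sides so that symlinks inside the report directory pointing elsewhere are caught too, and it rejects absolute names because `base / "/etc/passwd"` resolves to `/etc/passwd`, which is not below `base`.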

So how does an attacker think? We talked about the different phases of a cyber attack, but let’s simplify and be specific:

  • attackers target the weakest link in your system, be it software or people
  • attackers have plenty of time to probe your systems for weaknesses
  • attackers go after your digital assets
  • once an exploit succeeds, attackers look to expand their reach and establish a permanent presence

So how do we think like an attacker? We brainstorm the possible threats and classify them by probability and impact. Each threat is phrased from the attacker’s point of view: “A potential attacker could [exploit]”. We then decide how to reorganize our software to prevent the top-ranked threats.
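As an added example that is not part of the original course, here is the brainstorm written down as a small threat register: every entry is forced into the “A potential attacker could …” form, names the asset the attacker is after, and is ranked by probability times impact so the team knows which threats to design against first. The three-level scale and the sample threats are assumptions made for the demonstration.

```python
"""Threat brainstorm ranked by probability x impact (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed three-level scale; a real register may use a finer one.
LEVELS = {"low": 1, "medium": 2, "high": 3}
REQUIRED_PREFIX = "A potential attacker could "


@dataclass(frozen=True)
class Threat:
    statement: str    # phrased from the attacker's point of view
    asset: str        # the digital asset the attacker is after
    probability: str  # low / medium / high
    impact: str       # low / medium / high

    def score(self) -> int:
        """Risk score: probability level times impact level."""
        return LEVELS[self.probability] * LEVELS[self.impact]


def validate(threat: Threat) -> None:
    """Reject entries that are not written in attacker form or use an
    unknown level, so the register stays consistent."""
    if not threat.statement.startswith(REQUIRED_PREFIX):
        raise ValueError(f"not phrased as an attacker: {threat.statement!r}")
    for level in (threat.probability, threat.impact):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}; use {sorted(LEVELS)}")


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest score first; on a tie prefer the higher impact, since a rare
    but devastating event matters more than a frequent nuisance."""
    for t in threats:
        validate(t)
    return sorted(
        threats,
        key=lambda t: (-t.score(), -LEVELS[t.impact], t.statement),
    )


def top(threats: list[Threat], n: int = 3) -> list[Threat]:
    """The threats the next design iteration should address."""
    return rank(threats)[:n]


# Constructed sample brainstorm for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("A potential attacker could phish a developer for their source-control credentials",
           "source repository", "high", "high"),
    Threat("A potential attacker could brute-force the admin login, which has no lockout",
           "admin panel", "high", "medium"),
    Threat("A potential attacker could download database backups left in a public bucket",
           "customer database backups", "medium", "high"),
    Threat("A potential attacker could steal a server from the hosting facility",
           "production servers", "low", "high"),
    Threat("A potential attacker could scrape the public marketing pages",
           "marketing site", "low", "low"),
]


if __name__ == "__main__":
    for t in rank(SAMPLE_THREATS):
        print(f"{t.score():>2}  [{t.asset}] {t.statement}")
```

The first sample entry scores highest because it targets people rather than software, which is the weak link most teams forget to put in the register.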

To guide the brainstorm, we need to be familiar with the most common vulnerabilities today.
