My Experience Things You Must Know About Design Choices Sacrificing Software Security


Well-Known Member
When designing software, whether it's for the web or any of the widespread desktop or mobile platforms, a lot of developers fail to consider how their design selections can affect the security of their application.

Some bad design choices are made because of a time limit, or the need to make an app "user-friendly." Some bad design choices come about because the developers just understand the app's security requirements, or because they depend on third-party partners for some of their app's features.

The following points explain how each choice creates security issues, and I'll also explain the ways a software architect can avoid these security drawbacks. A mobile app development company takes care of the following things while designing a mobile app.

  1. You're not using a secure design checklist

When many developers are designing and developing an app, they are working toward developing an app to perform the task at hand. They usually are working against a deadline, and as the project moves forward, security can sometimes become an afterthought, something to address once the app properly performs its designated task.

Never approach software design with security as a secondary requirement; always design the app with security as the primary requirement. Security is about understanding which problems you can do something about, and understanding the issues you can't do anything about. A secure design checklist can help accomplish this.

Microsoft's Patterns and Practices site offers an excellent example of what a secure design checklist should include. While the Redmond firm has "retired" this list, it still makes for an excellent framework for creating your personal design checklist.

  2. You're failing to think like a bad guy

Always keep in mind that no matter what type of app you're developing, someone out there will likely try to hack your code. Whether it's just for fun or for profit, somebody is out to get you. It's also important to stay away from the attitude of "This app is secure, because I developed it, and I can't hack it!" You're just not approaching the code from the (in)correct point of view.

Software security would be stronger if every designer, developer, and manager were more trusting about somebody being "out to get them."

Try to tackle software security with the same mindset that a black hat hacker would. Look at the code you're developing with an eye towards ways the design would make insecurities in your code. That feature you just added to recover the user experience might also increase the hacker experience.

Secure software design is all about guarding against attacks, exploits, and threats. If at all possible, it's a brilliant idea to hire a hacker to check your app for holes. Ask them to really pound your code looking for security holes, and then share how they exploited them.

  3. You're not considering an app's attack surface

Feature creep can be one of the most significant contributors to the insecurity of any mobile app. While it would be great to include each feature you or your customer can think of, always approach features from a security viewpoint before executing any additional features.

For example, while a search feature or a help feature is always suggested for any app, especially web apps, consider requiring a user to be logged in before enabling those features. By limiting a help or search function to authorized users only, you're limiting the overall probability of an attack.

An application's attack can also be increased by using third-party APIs or services. A mobile app is only as secure as your weakest partner's cloud services security or login-related security makes it. If the partners have security holes, your app has security holes.

  4. You're forgetting that small vulnerabilities add up to one big vulnerability

By paying attention to the small security holes in your app, you keep them from combining to create a hole big enough for a bad guy to drive a truck through.

Small vulnerabilities may not appear important in the big scheme of things, but each insecure "straw" adds weight to your security camel's back. Attackers can get a lot of range out of any security vulnerability, and many have a real talent for chaining enough small vulnerabilities together that they are able to create a remarkable amount of trouble.

Tend to the small security problems as you design and develop your app, and you'll find that you'll be facing a lot fewer security-related issues down the line.

  5. You're failing to consider future code exploits

Constructing security into your software from the beginning is the best way to guard against possible exploits of which the industry isn't currently aware. The bad guys could even use two features that by themselves don't provide a hack foothold, but when combined might open a hole.

No application is ever truly "finished." I have yet to develop or maintain any software that hasn't required an update, whether it's to fix bugs, to offer features, or to fix the camel's back. Always build security into every phase of your development, whether it's during initial development, or while performing bug fixes down the line.


White Belt
We had four sets of decisions: manager, security engineer, software engineer, and system architect. ... The only thing you sacrifice is a little bit of flexibility.