Web App Security Part 3: The SmartLogic Process
This is the last in a 3-post series on web application security. Be sure to check out the first and the second posts.
SmartLogic's focus is custom software development, and our development process focuses on many things that benefit our clients, including agility, quality, and value. In order to truly deliver on quality, it is crucial that we consider security. Every aspect of our process is built on top of a solid foundation, which can often be traced back to best security practices.
Leverage The Basic
SmartLogic builds on the foundational best practices we've covered in the previous two posts in this series. The NIST 800-63B standards and OAuth 2.0 are the most relevant to our day-to-day, but TOTP and others are great to read and be aware of. These open standards convey best practices and must-haves to securely implement common protocols. Even if you aren't writing the implementation yourself (more on leveraging open source in a minute), it is helpful to understand how it all fits together and works.
Leverage Open Source
By its very nature, open source software is reviewed by many and is always under scrutiny. Because of this, it implements protocols and patterns without smoke and mirrors. Yes, there is still potential for issues, but with open source, there's an entire community of users who are looking out for those issues. Leverage that community and keep your open source packages up-to-date. While it isn't a silver bullet, open source does help build a solid foundation.
We are strong believers in both using open source software and contributing to making open source software better. Strong open source communities provide developers with a solid foundation from to build. This foundation includes an ever-growing landscape of functionality and features.
Plan For Updates
Regardless of whether you use open source or write everything from scratch, you must consider that every line of code needs maintenance. If you use open source software, some of that maintenance will be done from within the community. For the software you write, you will need to maintain it. Whether moving quickly through new feature development or fixing high-priority bugs, code ages, and it must be maintained to keep it functioning well.
At SmartLogic we work with our clients to plan for the regular maintenance of their codebases. It is important to keep open source packages and server dependencies up-to-date. Security mailing list subscriptions for our core dependencies help us become aware of security bulletins. It is crucial to configure servers to update automatically, and we typically plan for larger operating system version upgrades every few years.
Custom software isn't a "write once and forget about it" endeavor. It requires attention, care, and maintenance to perform reliably and securely.
Code Reviews
We believe in pair programming and code review, and every line of code written should go through at least one of these two processes. A second set of eyes on code helps catch mistakes and identify any edge cases that could later lead to an issue. At SmartLogic, the knowledge of the team is of huge benefit to every project, regardless of who is writing the actual code. It is through collaboration, pair programming, and code review that we work to build software of high quality and integrity.
Automated Testing
Here at SmartLogic, we write a lot of tests: behavior tests, integration tests, functional tests, and unit tests. We run them all the time, and we run them in continuous integration. We run the entire test suite on every change before merging it into the main code repository branch. This coverage is a big part of our commitment to quality, and it connects back to our goal of keeping our code up-to-date.
The test suite is crucial to ensuring that the application functionality remains the same when updating dependencies or performing any kind of maintenance. Without it, we wouldn't have confidence that large upgrades of dependencies would function without issue. Automating this testing is crucial to our workflow and helps maintain a security-conscious effort.
Environment Isolation
Beyond automated testing, it is important for us to run an application often to make sure everyone involved has a good feel for what is being built. For the SmartLogic development team, this means running the system locally on our computers in a development mode. The development environment itself should be easy to set up, maintain, and run, and it should be as true to the production environment as possible.
Next, we focus on a staging system. This environment should be very close to the same configuration as production. It should have roughly the same resources and architecture, and ideally, it will also have realistic-looking data. Our goal is to have a solid foundation on which we can test changes before pushing the latest version of the application into production.
Finally, our production environment is the golden goose, where everything truly matters. Because of how we've built our previous environments, we can have confidence that our production environment will work well.
At SmartLogic we always make sure we have these 3 environments, and they are always isolated from each other, with their own unique resources. We document their configuration and automate as much of their setup and maintenance as possible, which is all part of how we build high-quality code that results in reliable products for our clients.
Environment Automation
Security starts on the server long before our application code is installed. We use Chef and Ansible to ensure a consistent, best-practices install and configuration for all our application dependencies. This helps reduce the risk of a configuration mistake causing an issue, and it gives us reliable consistency for the systems we maintain. This is another area where we leverage open source, as Chef and Ansible both have large communities of code contributors that can apply reasonable defaults for a system. Building on top of a strong community really helps, and it provides both opportunities to learn and to contribute back to the community with our own solutions to common problems.
Learning and Professional Development
Technology moves fast, so it is important to us that we stay up-to-date in a variety of ways. Here are a few approaches we take:
- Conference attendance for related technologies
- Sponsoring and attending Meetups
- Giving short presentations amongst ourselves at lunch
- Hosting internal conferences
- Listening to Podcasts
- Buying ebooks for the team to read
- Subscribing to various online courses
- Hosting specialized company-wide training
- Encouraging the team to spend time working on open source projects
Personal growth as a developer is core to our best practices as a company, but that growth is ultimately fueled by our desire to learn and improve our craft.
Keeping Security in Mind
When building applications, it is always crucial to keep security in mind. The SmartLogic process has been fine tuned over the years to provide high-quality custom solutions for our clients, and we do so in an agile and value-driven way. Building on a strong technical foundation contributes to overall success, but that success is meaningless without the fundamentals that our clients expect. Security absolutely must be part of that equation when custom software is being built (or even if you are buying a pre-built solution). From the day it is built and into the future, it is crucial to plan for strong web app security, as it is an integral part to the overall success of any application.