Safety, security and storage of information and passwords

3 Feb 2010

In creating software, be it for a startup or a client project, key decisions need to be made and implemented with security in mind.

In building secure applications that let me sleep at night, I have learnt a few things:

  1. Security is relative. You must keep up with, and ahead of, the curve. Your thinking and design must be steps ahead of what is happening now and what may be possible in the near future. In the end, if someone wants in badly enough and is willing to spend more time, resources and money than you have, it is still conceivable that your security may be compromised.
  2. Security vs. convenience. Unless you are an expert at making complex security disappear “under the covers”, there is a fundamental trade-off that has to be acknowledged: the more security you implement in an application, the less simple its performance and usability become.
  3. The path of least resistance. Instead of building one big, thick wall of security, consider building many thinner walls. Just like someone who asks you a question instead of googling it, someone wanting access to a system will take the quickest way in. If they are looking for the next target, they will move on when faced with layer after layer of security, like the skins of an onion.

    Why? Most unscrupulous attempts to access a system aren’t really about you. What is most valuable to an attacker is the most generic: your server resources, to be used illegitimately to send out spam and so on, not necessarily what your application itself does. The reality is that most attempts to break into your site will be automated scripts and botnets that sweep the entire internet. While you can build mega security features, a lot can be said for good design and putting up multiple “walls” instead of one big “wall”. Design your application to inherently check and enforce security as much as it can internally. Package it with smart public-facing interfaces, properly hardened and tested, with both client- and server-side scrubbing and validation, and we have a start.

  4. Keep passwords safe. Do your best, within reason, to secure the single most vulnerable part of your system. Implement password security measures in proportion to the sensitivity of what is behind the password: logarithmic delays between failed attempts, logging and reporting of invalid attempts, and encrypting your passwords.

    One of the biggest things you can do, if and where necessary, is to store your passwords securely. This is a great article on How to safely store a password.
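As an added example (not code from the original post), here is what the measures in item 4 look like in Python: passwords stored as salted, deliberately slow PBKDF2-HMAC-SHA256 records, a per-account delay that grows with each failed attempt, and a log line for every invalid attempt. The iteration count, the doubling delay schedule and the 300-second cap are assumptions to tune for your own system.

```python
import hashlib
import hmac
import logging
import os
import time

log = logging.getLogger("auth")
ITERATIONS = 600_000   # PBKDF2 work factor (assumed; tune so one hash takes ~100 ms on your hardware)
MAX_DELAY = 300        # cap on the backoff so an attacker cannot lock a real user out indefinitely


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (salt and digest in hex)."""
    salt = salt if salt is not None else os.urandom(16)    # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare avoids timing leaks."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def delay_for(failures: int) -> int:
    """Seconds to wait after `failures` consecutive bad attempts: 0, 1, 2, 4, 8, ... up to MAX_DELAY."""
    return 0 if failures == 0 else min(2 ** (failures - 1), MAX_DELAY)


class LoginGuard:
    """Per-account failed-attempt counter: enforces the delay and logs every invalid attempt."""
    def __init__(self, users: dict):
        self.users = users      # username -> stored hash record
        self.failures = {}      # username -> (consecutive failures, time of last failure)

    def login(self, username: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if now - last < delay_for(count):   # still inside the delay window: refuse without checking
            log.warning("login for %r refused: %d failures, %ds delay active", username, count, delay_for(count))
            return False
        stored = self.users.get(username)   # unknown users simply fail and are counted like bad passwords
        ok = stored is not None and verify_password(password, stored)
        if ok:
            self.failures.pop(username, None)   # success resets the counter
            return True
        self.failures[username] = (count + 1, now)
        log.warning("invalid login for %r (failure #%d)", username, count + 1)
        return False
```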

If you have any ideas to add to this list, please leave them in the comments. I’ll update the list!
