Privacy and Security Misconceptions Every Developer Should Know
As software developers, we pride ourselves on our knowledge of privacy and security. We wire in the encryption, plug the vulnerabilities and implement best practices to keep users safe.
Yet while we are bashing those bugs, we are also users of our corporate networks. Often our IT support staff resent us and our privileged access, and would happily remove sudo rights, which would effectively stop development work from taking place.
Consumer Misconceptions
Users’ privacy and security myths have been identified in a survey by anti-virus peddlers Kaspersky.
Would you believe that:
40% of users think that incognito mode makes web activity invisible
22% believe iOS is immune to hacking
20% believe blockchain is “safe”
Now, before you laugh at their idiocy, let me come at you with the programmer misconceptions I’ve seen.
Programmer Misconceptions
I’m Too Busy to Worry About Security
The basics are seldom done in software development.
Programmers leave their machines logged into sensitive data in the office and go off to the bathroom. How about locking the machine, Darren?
Sloppy coding is another cause of issues: colleagues so focused on hitting deadlines that they leave the door open to attacks. I wish we spent more time validating user input at work, because unvalidated input that reaches a query or a command leaves us open to injection attacks.
There should always be time for security, as it takes more time to fix issues retrospectively than before they happen.
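The injection risk mentioned above, shown as an added example (this code is not from the original article). It builds a constructed in-memory SQLite table, looks a user up with string concatenation, then with a parameterized query, and adds an allowlist check on the username in front of both. The table, user names and the `x' OR '1'='1` payload are all assumptions made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# A classic tautology payload: closes the string literal, then ORs in a
# condition that is always true.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately unsafe: the input is pasted into the SQL text, so a
    crafted username changes the structure of the query, not just a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the value travels separately from the SQL text,
    so whatever the input contains it can only ever be compared as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist for usernames (an assumed policy for this example): lowercase
# letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(username):
    """Reject input that does not match the allowlist before it goes anywhere
    near a query. Validation is defence in depth; parameterization is the fix."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def find_user_validated(conn, username):
    """Validate first, then use the parameterized lookup."""
    return find_user_safe(conn, validate_username(username))


def demo():
    """Run every lookup against both a normal name and the injection payload."""
    conn = make_db()
    results = {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_injected": find_user_vulnerable(conn, INJECTION),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, INJECTION),
    }
    try:
        find_user_validated(conn, INJECTION)
        results["validated_rejected"] = False
    except ValueError:
        results["validated_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated version returns every row for the payload because the query becomes `WHERE username = 'x' OR '1'='1'`; the parameterized version returns nothing for the same string, and the allowlist rejects it before a query is even built. Parameterization is what actually closes the hole; the allowlist simply shrinks the attack surface further and gives you a clean place to log rejected input.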
Code Reviews Catch Everything
Code review is in my experience far from infallible. Yet many developers think that security issues and bugs will be caught by their big-hearted colleagues.
The problem is that the blind spots of a developer are likely to be replicated by those of their reviewer, meaning that issues slide right into production.
We tend to wait a day or two for a code review, and these reviews are too often surface reviews that turn into a debate about the naming of variables. Major bugs get missed, right up to (and including) crashes and broken functionality. Yet at the same time developers seem to believe that code review will catch every problem, so they don’t need to worry unduly about checking their own work. Go figure.
My Work is Bulletproof
Confidence is a great thing. Overconfidence is frequently an issue for software developers, and something teams battle with each and every day.
Coders who skip testing or dismiss feedback from colleagues because they believe they are too good to make mistakes are a real problem.
One of my previous bosses insisted on implementing a particular architecture because he’d seen it work well in a different company, without considering whether it was suitable for our project. Spoiler alert: It wasn’t.
Conclusion
Did you know that security considerations are important in software development? Of course, you did.
Are you quick to laugh at the misconceptions of users? You’re a developer, so of course you are.
So it may surprise you how many software developers hold misconceptions about the security of the software they are working on, and how rarely those misconceptions are challenged.
Security and privacy are not just checkboxes — they’re disciplines that require constant vigilance, education, and humility. The next time you sit down to code, remember that the real enemy might just be your own assumptions.