Security Pitfalls for Software Engineers

Thinking about security at the end of your development cycle is already too late. Here’s how to fix it.

#1about 4 minutes

The high cost and consequences of security breaches

Major companies like Uber and Microsoft have suffered massive data breaches, costing millions and highlighting the severe financial and reputational risks of poor security.

#2about 6 minutes

Foundational practices for writing secure software code

Writing secure code starts with fundamental practices like proper input validation, applying threat modeling methodologies like STRIDE, and adhering to the principle of least privilege.

#3about 5 minutes

Mitigating supply chain attacks with DevSecOps practices

Vulnerabilities in third-party libraries, like the SolarWinds and Log4j incidents, necessitate a DevSecOps approach to integrate security checks throughout the software development lifecycle.

#4about 2 minutes

Essential security measures for protecting public APIs

Publicly exposed APIs must be protected using strong authentication, TLS/SSL encryption for data in transit, and defenses against common attack vectors.

#5about 5 minutes

Protecting data with database encryption and temporal tables

Encrypting sensitive data at the database level protects it even if breached, while temporal tables provide a complete audit trail for forensic analysis.

#6about 2 minutes

Implementing a robust penetration testing strategy

Regular penetration testing, distinct from QA, should be a standard practice using methodologies like black-box or white-box testing and frameworks like the OWASP Top 10.

#7about 1 minute

Maintaining security by separating work and personal devices

Avoid using company-issued laptops for personal or freelance projects to prevent legal liabilities and security compromises between environments.

#8about 3 minutes

Q&A on vulnerable libraries and team security responsibility

The session concludes with answers to audience questions about tracking open-source vulnerabilities, choosing a pen test environment, and clarifying security roles within an agile team.