Many developers expect their main software security problem to be attackers from North Korea using technical software weaknesses to gain access to files in the system such as lists of passwords. But Facebook's biggest security problem ever was a decision to quietly give innocent looking semi-public data to an academic researcher at a firm of analysts. Many other companies have equally found that their security problems are far from what they might have expected.
Typically as much as half of your security issues will be related to what your software does, not how it does it. And even mechanical attacks are mostly started by some kind of 'phishing', where a person within the company is tricked into clicking on a malicious link in an email and opens a way in to an attacker; they're not just an attacker outside breaking in by simple technical cleverness.
Every project is different. And so you need to think through the security problems in your own project, and make your own assessments how to deal with them.
The means to do that is called Threat Assessment, or Threat Modelling. I’ve carried out sessions with a variety of development teams; every time I find that there are threats that are very different from what the team had been expecting. And often that the biggest threats are easy to address, but not using the techniques they’d been using for security before.
So please do a Threat Assessment. We’ve written up instructions here.
Some day you’ll be very glad you did!
- Charles