The modern programming novice has a lot on their plate. Not only do they have to come to grips with the idiosyncrasies of their chosen language(s), but they have to simultaneously juggle package managers, repositories, APIs, and a slew of other interconnected technologies. It’s easy to brush security concerns aside for later during such a hectic time. However, doing so would be a mistake with potentially far-reaching consequences.
This guide provides an overview of the key digital security habits any new developer should take to heart and start developing early on. Some deal with secure coding practices. Others focus more on operational mistakes and the dangers inherent to a combination of excess trust and a lack of practical experience.
Key Takeaways
- Safe coding practices like securing secrets properly and not mishandling Git environments ensure output is both secure and resilient.
- Linux-based developers can mitigate risks associated with unsafe networks like public Wi-Fi by using VPNs for Linux and remaining aware of network-related threats.
- Programmers have a personal responsibility to protect their tools and online presence. Using password managers, MFA, and being aware of evolving social engineering threats goes a long way.
Proper Password Hygiene
Reusing the same or a similar password across cloud environments, databases, Git repositories, etc., is a serious but common security flaw, and programmers aren’t immune to it. Once attackers compromise one account and realize it’s related to a programming workflow, they’ll be far more likely to target related accounts. The damage escalates if these are “protected” with the same or similar credentials.
Every password needs to be unique and resistant to brute-force attacks. Password managers relieve the mental and logistical burdens of generating, maintaining, and safely storing such passwords. All stored credentials are encrypted, and many managers support features like autofill and secure temporary sharing that speed up logins and collaboration.
Multifactor Authentication
Since otherwise strong passwords can be stolen or misplaced, programmers should always assume that a breach will eventually happen. Setting up multi-factor authentication – either through one-time codes, biometrics, or hardware tokens – ensures that exposed credentials don’t necessarily lead to an account takeover.
Adequate Secret Handling
It’s almost become a rite of passage for inexperienced developers to hardcode secrets like passwords or API keys into their source code. They might be testing things out and forget to make changes, or they might believe that no one will bother to scrape their obscure side project. However, secrets persist in Git repositories, and exposing them may result in bots or hackers gaining unauthorized access.
Secrets should always be loaded from an external source at runtime rather than written into the code. An environment variable is already a much safer option for personal projects and staging environments. When it comes to production-grade code, secret management services are the way to go.
Secure Git Practices
Programmers who are just starting out may misinterpret how versioning works in Git. Rather than acting as mundane cloud storage, Git services archive a project’s development versions and commits for easier tracking and collaboration. A newcomer who commits a secret by mistake may simply delete it from the latest version, but the older commits stored in Git history will still contain it.
Files containing secrets should never be committed – listing them in .gitignore will keep this from happening. It’s also good practice to review the differences between the existing version and the one that is about to be committed. If a committed secret is ever discovered, the developer should rewrite the Git history and force-push it, while also taking care to rotate and revoke any affected tokens or credentials; since clones, forks and caches may already hold the old commits, rotation is the step that actually closes the exposure.
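One way to do the "review the diff before committing" step mechanically, covering the hardcoded-secret shapes described above. This is an added example, not code from the article; the diff it scans is constructed, and the patterns are heuristics except for the AWS key-ID format, which follows the published `AKIA` + 16-character shape.

```python
import re

# Constructed sample of a staged diff (not from the article): one added line
# hardcodes a password, one adds an AWS-style access key ID; the rest are benign.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-prod-2024"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
 DEBUG = False
+API_URL = os.environ.get("API_URL", "https://api.example.invalid")
"""

# Patterns for the commonest hardcoded-secret shapes. The AWS pattern matches the
# published key-ID format (AKIA followed by 16 uppercase letters/digits); the
# "hardcoded_password" pattern is a heuristic: a secret-like variable name
# assigned a quoted literal of six or more characters.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan_diff(diff_text: str) -> list[tuple[str, str]]:
    """Return (finding_type, offending_line) for every ADDED line that looks like a secret.

    Only '+' lines are checked: removed and context lines are already in history,
    so they are a rotation problem, not something a pre-commit check can stop.
    """
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(added):
                findings.append((kind, added.strip()))
    return findings

if __name__ == "__main__":
    for kind, text in scan_diff(SAMPLE_DIFF):
        print(f"[{kind}] {text}")
```

Run against `git diff --cached` output from a pre-commit hook and refuse the commit when the list is non-empty.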
Secure Use of Remote Networks
It’s not uncommon for developers to live a digital nomad lifestyle or work from different places remotely. Even if they run a more secure Linux-based operating system, the public Wi-Fi they connect to in coworking spaces, cafés, etc., lacks the protections needed to prevent exposure of DNS queries and connection metadata, or packet sniffing by others on the same network.
VPNs act as a security measure that encrypts the connection and prevents eavesdropping. The local network still sees that traffic is flowing, but its nature and destination remain hidden from it. VPN subscriptions aren’t exactly cheap, though — and if you’re a budding developer who just graduated, that’s an expense you might not be ready to take on. Look for promotions from reputable providers, like NordVPN deals, to bring the costs down.
Avoiding Dependency Risks
Modern programming is unimaginable without the convenience and utility that existing packages, frameworks, and libraries bring to every new project. As crucial as they are, these dependencies come with considerable risk. Junior developers might integrate them once and never update them, only to pay the price once a vulnerability in that old version inevitably gets discovered and abused.
Using only the minimum number of dependencies creates a strong security foundation. Dependencies should be vetted and scanned for vulnerabilities first, or downloaded through private registries. While downloading updates as they appear seems intuitive, it’s a good idea to pin stable dependency versions and audit them as needed.
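A check for the pinning advice above, written for Python's requirements.txt format. This is an added example, not from the article; the requirements file is constructed, and the hash value is a placeholder, not a real digest.

```python
import re

# Constructed requirements.txt (not from the article). Only the first entry is pinned
# to an exact version with a hash, which is the form `pip install --require-hashes`
# accepts. The hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# core
requests==2.32.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0
pyyaml
cryptography~=42.0
"""

# An exact pin: name, then ==, then a version.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def check_requirements(text: str) -> dict[str, list[str]]:
    """Classify each requirement as pinned with a hash, pinned without a hash, or
    unpinned (a bare name, or a range such as >= / ~= that floats on upgrade)."""
    report = {"pinned_with_hash": [], "pinned_no_hash": [], "unpinned": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option line
            continue
        name = re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]
        if PIN_RE.match(line):
            bucket = "pinned_with_hash" if "--hash=" in line else "pinned_no_hash"
        else:
            bucket = "unpinned"
        report[bucket].append(name)
    return report

def fully_pinned(report: dict[str, list[str]]) -> bool:
    """True only when every dependency is exact-pinned with a hash."""
    return not report["pinned_no_hash"] and not report["unpinned"]

if __name__ == "__main__":
    rep = check_requirements(SAMPLE_REQUIREMENTS)
    print(rep, "fully pinned:", fully_pinned(rep))
```

Auditing then becomes a deliberate act: bump the pin and hash together when a reviewed update is wanted, rather than absorbing whatever version resolves on the next install.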
Securely Installing Packages
Package installation is a crucial step for dependency management and should be treated as a potential high-risk event, whether executed on local machines or live servers. Some package managers allow arbitrary code execution at install time, meaning libraries are permitted to run scripts before or after their installation. Or, an inexperienced dev might mistype the name of the package they want and install a malicious lookalike instead (typosquatting).
Verifying a package’s identity and reputation should be standard practice:
- Is it recognized by the community?
- Does it have a high download count and an active Git repo?
- Was it published by a known developer or organization?
Even after getting satisfactory answers, it’s advisable to ignore any scripts on the first install and perform regular audits to know which version of a package to update to and when.
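A pre-install guard for the typosquatting risk above: it normalises the requested name the way Python's package index does and flags names that are a couple of edits away from a package the team already trusts. This is an added example, not from the article; the trusted list is constructed.

```python
import re

# Constructed allowlist of packages the team has vetted (not from the article).
KNOWN_PACKAGES = {"requests", "numpy", "cryptography", "pyyaml", "flask"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def typosquat_risk(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (verdict, closest_known).

    'ok'         exact hit on the allowlist
    'suspicious' within max_distance edits of a trusted name but not equal to it,
                 the shape a typosquat takes
    'unknown'    nothing nearby; needs the manual vetting questions above
    """
    req = normalize(requested)
    normalized_known = {normalize(k): k for k in known}
    if req in normalized_known:
        return "ok", normalized_known[req]
    closest = min(normalized_known, key=lambda k: edit_distance(req, k))
    if edit_distance(req, closest) <= max_distance:
        return "suspicious", normalized_known[closest]
    return "unknown", normalized_known[closest]

if __name__ == "__main__":
    for name in ("requests", "reqeusts", "numpi", "django"):
        print(name, "->", typosquat_risk(name))
```

For the "ignore any scripts on the first install" step, `npm install --ignore-scripts` and `pip install --only-binary=:all:` (which refuses source distributions, whose setup.py runs at install time) are the corresponding switches.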
Phishing Awareness
The nature of their work means programmers are more tempting and likelier phishing targets than regular users. Active job hunting and participation in open-source projects inevitably come with greater contact information exposure. Plus, it gives phishing and social engineering attacks more credible pretexts. A programmer may dismiss an email from “their bank” outright, yet click on a phishing link that supposedly leads to a promising interview opportunity.
Since AI does much of the composing now, poor grammar is no longer a tell. Instead, recipients need to carefully read the contents and compare both the sender’s address and any embedded links with officially available ones. It’s also far better to seek confirmation through a different means of communication when one isn’t sure.
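The two comparisons recommended above (sender domain against the official one, and each link's visible text against where it actually points), as an added example that is not part of the article. The official domain and the message are constructed; the parser is the standard library's.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed: the domain the organisation really uses (not from the article).
OFFICIAL_DOMAINS = {"example.com"}

# Constructed phishing-style message: the sender is on a lookalike domain, and the
# first link's visible text names one host while its href points somewhere else.
SAMPLE_FROM = "Recruiting Team <jobs@example-careers.com>"
SAMPLE_HTML = """<p>We'd love to interview you. Schedule here:
<a href="https://example.com.login-portal.net/schedule">https://careers.example.com/schedule</a>
or see <a href="https://careers.example.com/faq">our FAQ</a>.</p>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def is_official(host: str) -> bool:
    # Exact match or a true subdomain; "example.com.evil.net" must NOT pass.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_message(from_header: str, html: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not is_official(sender_domain):
        findings.append(f"sender domain not official: {sender_domain}")
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if not is_official(href_host):
            findings.append(f"link to non-official host: {href_host}")
        text_host = urlparse(text).hostname if text.startswith("http") else None
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but goes to {href_host}")
    return findings
```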