Topic 43 - 44
Topic 43. Stay Safe Out There (security)
Good fences make good neighbors.
The other 90%
When your code works, analyze and test the code further for ways it can go wrong, for example, passing in bad parameters.
Security basic principles
Keep it simple and minimize attack surfaces.
1. Minimize attack surface area
The items listed below are attack vectors:
1. Code complexity
3. Unauthenticated services: data that everyone can access is insecure.
4. Authenticated services: keep the number of authorized users to an absolute minimum.
2. Principle of least privilege: design with the least privilege needed; do not grant more when there is no need for it.
3. Secure defaults
Let each individual decide for themselves the trade-off between security and convenience (for example, whether to hide the password input or not).
4. Encrypt sensitive data
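As an added illustration of least privilege and secure defaults together (this is example code, not from the original notes), the snippet below creates a secrets file whose permission bits are set at creation time (owner-only, mode 0600) instead of relying on whatever the process umask happens to allow, and refuses to clobber an existing file. The paths and file contents are constructed sample values.

```python
import os
import stat
import tempfile


def write_private_file(path: str, content: bytes) -> None:
    """Create `path` readable and writable only by the owner (mode 0600).

    The mode is applied in the same call that creates the file, so there is
    no window in which the file exists with looser default permissions.
    O_EXCL makes the call fail instead of silently overwriting an existing file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)


def is_owner_only(path: str) -> bool:
    """True if no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> tuple[bool, bool, bool]:
    """Constructed sample: a private key file vs. a file left world-readable.

    Returns (private file is owner-only, loose file is owner-only,
             second create of the private file was refused).
    """
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "api.key")  # hypothetical path
        write_private_file(private, b"constructed-sample-key\n")
        try:
            write_private_file(private, b"second write")
            refused = False
        except FileExistsError:
            refused = True

        loose = os.path.join(d, "notes.txt")  # hypothetical path
        with open(loose, "wb") as f:  # plain open: mode comes from the umask
            f.write(b"x")
        os.chmod(loose, 0o644)  # typical default: readable by everyone
        return is_owner_only(private), is_owner_only(loose), refused


if __name__ == "__main__":
    print(demo())
```

The secure choice is made at the point of creation rather than patched on afterwards with a separate chmod, which is what "secure defaults" means in practice.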
Keys and secrets should not be version-controlled.
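One way to catch secrets before they reach version control is a small scanner run over the source (added example, not part of the original notes). The key-name patterns, the placeholder list and the sample source text below are all assumptions constructed for this example; a real check would be wired into a pre-commit hook and tuned to the code base.

```python
import re

# Assumed list of identifier fragments that usually carry credentials.
SECRET_KEY_PATTERN = re.compile(
    r"""^\s*(?P<name>[A-Za-z0-9_]*(?:password|passwd|secret|api_key|token)[A-Za-z0-9_]*)
        \s*[=:]\s*["'](?P<value>[^"']{6,})["']""",
    re.IGNORECASE | re.VERBOSE,
)

# Values that are obviously placeholders and should not be flagged.
PLACEHOLDERS = {"changeme", "<redacted>", "your-key-here", "xxxxxx", "********"}


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, variable name) for each quoted literal assigned
    to a credential-looking name. Values read from the environment or a
    template reference (${...}) are not literals and are not reported."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_KEY_PATTERN.match(line)
        if not m:
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        hits.append((lineno, m.group("name")))
    return hits


# Constructed sample source: two real offenders, one env lookup, one placeholder.
SAMPLE = """\
import os
DB_PASSWORD = "s3cr3t-sample-only"
api_key = os.environ["API_KEY"]
token = "changeme"
aws_secret_key = "AKIAEXAMPLE-constructed"
timeout = "30"
"""


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: hardcoded value assigned to {name}")
```

A scanner like this is a safety net, not a substitute for loading secrets from the environment or a secrets manager in the first place.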
Password antipatterns
5. Maintain security updates
Common sense vs. crypto
Never do it yourself: well-established, expert-designed algorithms work better than home-grown ones.
Topic 44. Naming things
The beginning of wisdom is to call things by their proper name.
Example: deductPercent() vs applyDiscount()
- Why it does it vs. what it does.
- The parameter name amount is ambiguous and misleading.
1. Honor the culture
It is better to follow commonly used conventions, for example single-letter loop variables like i, j, and the language's own naming case conventions.
2. Consistency
Sometimes record glossaries on Wiki might help.
3. Renaming is even harder
- Rename whatever has lost its intention: a name that no longer says why the code exists.
- Spot overly generic names.
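The deductPercent() vs. applyDiscount() example from these notes, written out as an added Python example (not from the original notes or the book): the "before" function says what it does and takes an ambiguous amount, while the "after" function names the intent, names the roles of its inputs, and rejects bad parameters instead of silently producing a negative price. The function and parameter names are this example's choices.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def deduct_percent(amount: Decimal, percent: Decimal) -> Decimal:
    """Before: describes the arithmetic, not the purpose. Is `amount` the
    price, the deduction, or something else? Nothing stops percent > 100."""
    return amount - amount * percent / 100


def apply_discount(price: Decimal, discount_percent: Decimal) -> Decimal:
    """After: the name states why the code exists, the parameters state their
    roles, and out-of-range inputs fail loudly rather than corrupting data."""
    if price < 0:
        raise ValueError(f"price must be non-negative, got {price}")
    if not Decimal(0) <= discount_percent <= Decimal(100):
        raise ValueError(f"discount_percent must be within 0..100, got {discount_percent}")
    discounted = price * (Decimal(100) - discount_percent) / Decimal(100)
    return discounted.quantize(CENT, rounding=ROUND_HALF_UP)


def demo() -> tuple[str, str, bool]:
    """Constructed sample inputs: an 80.00 price, a 15% discount, a bad 150%.

    Returns (discounted price, what the 'before' version silently yields for
    150%, whether the 'after' version rejected 150%)."""
    good = str(apply_discount(Decimal("80.00"), Decimal("15")))
    silent = str(deduct_percent(Decimal("80.00"), Decimal("150")))
    try:
        apply_discount(Decimal("80.00"), Decimal("150"))
        rejected = False
    except ValueError:
        rejected = True
    return good, silent, rejected


if __name__ == "__main__":
    print(demo())
```

The validation is the "other 90%" from Topic 43 applied to naming: once the parameter is called discount_percent, the range it must lie in is obvious, and the check almost writes itself.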