The Art of Security

Hello again! Today I want to impart some ancient advice. Sun Tzu wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." This is timeless advice, and it maps neatly onto application security.

Know your enemy. From a security perspective, this means make no assumptions about your user (from a threat-intel perspective it means a great deal more, but start here). Don't assume the user will use the application as intended; treat every request as untrusted and expect the unexpected. Allowlist everything: every choice your user can make. If they can only make the choices you give them, they cannot perform the unexpected, and you know exactly what their actions can be. Alas, this is ultimately a security catch-22: you have to assume you will overlook something, and there is always someone out there who will study tirelessly to find that flaw.

So you must know yourself a hundred times better. In-house development often gives you far more control here. If you know exactly how your code executes, rather than relying on black-box solutions, outsourced projects, or bits pieced together from online snippets, you will be in a much better position to debug and to defend against attacks. Third-party code isn't forbidden, but if you ship it you need to know what it does; an unread dependency is a part of "yourself" that you don't know. Knowing the site you designed inside and out eliminates many security flaws by itself. You have to know exactly how your pages can be reached, then think like your enemy and try to break those access controls. If you know the design of your site and exactly how users can interact with it, then in a hundred views your site will never break.
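As an added example (not code from the original post), here is what "allowlist every choice" looks like in practice, in Python. Two user-controlled choices, a page name and a sort order, are each compared against a fixed set of values the application offers, rather than filtered for known-bad strings. A deliberately weak denylist version is shown beside the allowlist version so the difference is visible on an actual bypass. The page names, column names and `templates/` directory are assumptions made for illustration.

```python
"""Allowlist validation vs. denylist filtering for user-controlled choices.

Added example, not from the original post. The page table, sort columns and
directory are illustrative assumptions.
"""
from typing import Optional

# Every choice the user is allowed to make, enumerated up front (assumed values).
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}
ALLOWED_SORT_COLUMNS = {"name", "created_at", "price"}
ALLOWED_SORT_DIRECTIONS = {"asc", "desc"}


def denylist_page(name: str) -> str:
    """Deliberately weak: tries to strip '../' then builds a path from user input.

    A single non-recursive replace is bypassed by '....//', which collapses
    back into '../' once the inner '../' is removed.
    """
    cleaned = name.replace("../", "")
    return f"templates/{cleaned}.html"


def allowlist_page(name: str) -> Optional[str]:
    """Resolve a page name only if it is one we explicitly offer.

    Returns the template path, or None when the caller should reject the
    request (for example with HTTP 400). User input never reaches the path.
    """
    template = ALLOWED_PAGES.get(name)
    if template is None:
        return None
    return f"templates/{template}"


def build_order_by(column: str, direction: str) -> Optional[str]:
    """Build an ORDER BY clause from user-chosen sort parameters.

    Column names cannot be bound as query parameters, so the only safe way to
    let the user pick one is an allowlist. Returns None on any unknown value.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        return None
    if direction not in ALLOWED_SORT_DIRECTIONS:
        return None
    return f"ORDER BY {column} {direction.upper()}"


if __name__ == "__main__":
    # Constructed attacker input: a traversal payload that survives the denylist.
    payload = "....//....//etc/passwd"
    print("denylist :", denylist_page(payload))
    print("allowlist:", allowlist_page(payload))
    print("allowlist:", allowlist_page("about"))
    print("sort ok  :", build_order_by("price", "desc"))
    print("sort bad :", build_order_by("price; DROP TABLE users--", "asc"))
```

The point of the pairing is the last line of `denylist_page`: after the "cleaning" step the traversal is intact, because the filter enumerated one bad pattern instead of the set of good values. `allowlist_page` never has that problem, since the user's string is only ever used as a dictionary key.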