As a developer for some years, I have seen and written quite a number of applications – web, mobile, cloud and AI apps. I can tell you I have written some cool ones and some really bad ones. I have also had the opportunity to review lots of code while helping organizations solve problems in getting their solutions up in the cloud.
In this article, I will share a few insights from my experience and some pretty easy ways to ensure a minimum level of security for your code.
I write .NET (C#), so most if not all of my examples will be based on that, but you can be sure the underlying principles apply in any language or framework you use. Another thing you will hear me talk a lot about is Azure (though I presume the same principles apply to other hosting/cloud providers). Let’s get started, shall we?
Store all your settings, keys and secrets in a configuration file
In an ASP.NET Core application, there’s a file called appsettings.json. Mostly, this is where all the configurations, keys and secrets go by default.
And do not commit this file to your source control. In your cloud-hosted environment, there should be a provision for supplying these keys. They are secured by your cloud provider’s security system, so your mind is at rest.
Better Way, Use Azure Key Vault
There are services you can use to store secret keys and access them via APIs. One such service is Azure Key Vault. Of course you can use some other key vault service, but I’ll recommend Azure Key Vault.
Some of these links would be helpful to you.
- https://azure.microsoft.com/en-gb/services/key-vault/
- https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
- https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2
Have separate settings, keys and secrets for dev, staging and prod
There should be at least these stages in your application deployment pipeline.
Let me explain
- Dev: this is where developers write and verify their code for requirement validation. Code quality is the developer’s responsibility. This is where your devs dogfood their apps.
- Staging: The staging environment is where your QA happens. This is most times a replica of the load and specs of the production environment.
- Production: this is where your customers/end users use your application/services.
- Note, you can have multiple dev and staging environments depending on your project and user scale
- For each of these environments, it’s advisable to use separate keys and secrets to avoid having junk data in your connected services.
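An added example (not code from the original article) that combines the Key Vault and per-environment advice above: each non-dev environment reads its secrets from its own vault, and Development stays on local user secrets. It assumes ASP.NET Core 6+ with implicit usings and the `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` packages; the `KeyVault:Name` setting, the vault names and the `Default` connection string name are hypothetical.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting, implicit usings enabled).
// Assumed NuGet packages: Azure.Identity,
// Azure.Extensions.AspNetCore.Configuration.Secrets.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);
var env = builder.Environment;

// CreateBuilder has already loaded appsettings.json,
// appsettings.{Environment}.json, environment variables and, in
// Development only, the local user-secrets store.
if (!env.IsDevelopment())
{
    // "KeyVault:Name" is a hypothetical, non-secret setting that differs per
    // environment, e.g. "myapp-staging-kv" in appsettings.Staging.json and
    // "myapp-prod-kv" in appsettings.Production.json (constructed names).
    var vaultName = builder.Configuration["KeyVault:Name"];
    if (string.IsNullOrWhiteSpace(vaultName))
    {
        // Fail closed: never fall back to another environment's vault.
        throw new InvalidOperationException(
            $"KeyVault:Name is not set for environment '{env.EnvironmentName}'.");
    }

    // DefaultAzureCredential picks up the app's managed identity when hosted
    // in Azure, so no client secret has to be stored in any file.
    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{vaultName}.vault.azure.net/"),
        new DefaultAzureCredential());
}

// A Key Vault secret named "ConnectionStrings--Default" surfaces as the
// configuration key "ConnectionStrings:Default" ("--" maps to ":").
var connectionString = builder.Configuration.GetConnectionString("Default");
if (string.IsNullOrEmpty(connectionString))
{
    // Report the missing key by name only; never log secret values.
    throw new InvalidOperationException("ConnectionStrings:Default is missing.");
}

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

Granting each environment's identity access only to its own vault keeps a leaked staging credential from reading production secrets.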