The one question every developer needs to ask themselves
Cybersecurity tips for developers to make their projects secure
I recently completed a project aimed at automating tasks for our security team.
The goal was to streamline their workload and strengthen our threat detection capabilities. This in turn would help us further safeguard our customers.
This project involved creating a slash command in Slack to execute code.
To keep costs down, my initial idea was to create a slash command that could execute code in an AWS Lambda function.
My initial questions revolved around feasibility and existing solutions.
Can this be done? If so, has it been done before?
Most of the time, if it can be done, then it’s been done before. This leads to my next question.
Is there a guide on how it can be done?
If it’s been done before, then someone has probably written up a simple step-by-step guide on how they did it.
Initially, I looked up “slack slash command lambda function” on Google.
There were about 1.37 million results. I thought I could have something up and running in no time.
But then when I started reading a few of the guides there was one question that kept coming up.
One question that every developer needs to ask themselves.
Is this secure?
The implementations in many of these guides are not secure.
If authentication is set to “NONE”, your Lambda function can be exposed to the internet.
Someone could run a script like the one below. This could potentially lead to a Denial of Service on your AWS account and/or your bill skyrocketing!
while true; do curl -v 'https://your.lambda-url.us-east-1.on.aws'; done
Now, to be fair, demonstrating the feature is probably the aim for a lot of these guides. That being said, developers should prioritise security when implementing something.
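One concrete way to answer "is this secure?" for a slash command that lands on a Lambda function URL is to refuse any request that Slack did not sign. The following is an added example, not code from the post or from Slack's or AWS's own libraries. It implements Slack's documented request-signing check (HMAC-SHA256 over "v0:<timestamp>:<body>" with the app's signing secret, carried in the X-Slack-Signature and X-Slack-Request-Timestamp headers, with requests older than five minutes rejected) inside a Lambda handler for a function URL event. The environment variable name SLACK_SIGNING_SECRET, the sample secret and the sample body are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

SIGNATURE_VERSION = "v0"
MAX_AGE_SECONDS = 5 * 60  # Slack's documented replay window for the timestamp header


def compute_signature(signing_secret, timestamp, body):
    """Recompute the signature Slack attaches: HMAC-SHA256 over 'v0:<ts>:<body>'."""
    basestring = f"{SIGNATURE_VERSION}:{timestamp}:{body}"
    digest = hmac.new(
        signing_secret.encode("utf-8"), basestring.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def is_valid_slack_request(signing_secret, headers, body, now=None):
    """Return True only if the request carries a fresh, correctly signed Slack signature."""
    lowered = {k.lower(): v for k, v in headers.items()}  # function URL events lowercase header names
    timestamp = lowered.get("x-slack-request-timestamp")
    signature = lowered.get("x-slack-signature")
    if not signing_secret or timestamp is None or signature is None:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else int(now)
    # Stale timestamps are rejected so a captured request cannot be replayed later.
    if abs(current - sent_at) > MAX_AGE_SECONDS:
        return False
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


def lambda_handler(event, context=None, *, signing_secret=None, now=None):
    """Entry point for a Lambda function URL event (payload format 2.0).

    The signing secret comes from the SLACK_SIGNING_SECRET environment variable
    (an assumed name for this example) unless passed explicitly.
    """
    secret = signing_secret if signing_secret is not None else os.environ.get("SLACK_SIGNING_SECRET", "")
    headers = event.get("headers") or {}
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    if not is_valid_slack_request(secret, headers, body, now=now):
        # Reject before doing any work: unsigned traffic never reaches the command logic.
        return {"statusCode": 401, "body": "invalid or missing Slack signature"}
    return {"statusCode": 200, "body": "command accepted"}


def build_signed_event(signing_secret, timestamp, body):
    """Construct a sample event shaped like Slack's request (test data, not a real request)."""
    return {
        "headers": {
            "x-slack-request-timestamp": str(timestamp),
            "x-slack-signature": compute_signature(signing_secret, str(timestamp), body),
        },
        "body": body,
        "isBase64Encoded": False,
    }


def scenario():
    """Run the handler against a signed, an unsigned, a tampered, a stale and a wrong-key request."""
    secret = "constructed-signing-secret"
    ts = 1700000000
    body = "command=%2Fscan&text=host-01"  # constructed slash-command body
    signed = build_signed_event(secret, ts, body)
    tampered = dict(signed, body=body + "&text=host-02")
    return (
        lambda_handler(signed, signing_secret=secret, now=ts)["statusCode"],
        lambda_handler({"headers": {}, "body": body}, signing_secret=secret, now=ts)["statusCode"],
        lambda_handler(tampered, signing_secret=secret, now=ts)["statusCode"],
        lambda_handler(signed, signing_secret=secret, now=ts + 3600)["statusCode"],
        lambda_handler(signed, signing_secret="wrong-secret", now=ts)["statusCode"],
    )


if __name__ == "__main__":
    print(scenario())  # (200, 401, 401, 401, 401)
```

The signature check does not replace the function URL's own authentication setting; it adds a second gate so that even a request that reaches the function does no work unless it was produced with the app's signing secret, and the timestamp window bounds how long a captured request stays usable.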
Here are some tips for more secure projects
Read official documentation
You’ve probably got a better chance of implementing something that’s more secure by reading the official documentation.
For example, in my case Slack’s documentation discusses Socket Mode — a way to use the Events API … without exposing a public HTTP Request URL.
Use online guides only as a starting point
If you find jumping straight into official documentation can be confusing, sometimes you can use step-by-step guides as a starting point to help narrow your focus.
For example, let’s assume you see this code (below) in a step-by-step guide.
from someApi import someClass
some_class: someClass = someClass("some_input_arg")
It’s using someClass from someApi, the API you want to use.
The guide has shown you a way the API works, something documentation doesn’t always do.
You can now search for these terms in the official documentation to narrow your focus and hopefully help you feel less overwhelmed.
Add variations of the word “secure” to your searches
If guides don’t mention security, or only briefly touch on it, look for others that do.
For instance, this Slackbot guide talks about security in the first sentence.
Sometimes half the battle is finding the right question(s) to ask!
Collaborate with other developers
Ask for feedback from other developers, specifically around how to implement something securely.
This can potentially help with any blind spots you might have, but it can also create a culture where security is a priority at your organisation.
Similarly, check other forums and see if you can get a consensus on a feature. For instance, when looking at the security of AWS Lambda function URLs I found this comment on Reddit, which helped me look for other solutions.
Sort guides by most recent date
Step-by-step guides can quickly become out-of-date. Something published last year might not be as secure as something published this year.
Guides with a recent publishing date are more likely to be secure than older guides.
Think about how someone could misuse what you’ve built
What you’ve built can be used in one way, but can it also be exploited in another way?
For example, this code (below) simply reads files from a directory and returns their contents. Notice though that there’s no input validation on what directory you can and cannot access.
import os

def read_files_from_directory(dir_path):
    """
    Read files from a directory path and return their contents.
    """
    # dir_path is used as-is: nothing checks that it stays inside a directory
    # the caller is allowed to read.
    file_contents = []
    for filename in os.listdir(dir_path):
        if os.path.isfile(os.path.join(dir_path, filename)):
            with open(os.path.join(dir_path, filename), 'r') as file:
                file_contents.append((filename, file.read()))
    return file_contents
Suppose someone was able to run this function on your home or system directory. What sensitive information might it return?
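A hardened version of that reader, as an added example that is not from the post: the caller names a subdirectory relative to a fixed base directory, both paths are resolved with realpath, and the request is refused unless the resolved target still lies under the base (a prefix string check alone would accept a sibling such as reports2 next to reports, so os.path.commonpath is used instead). Symbolic links inside the directory are skipped so a link cannot point the reader back outside. The sandbox directory, the file names and the contents are constructed for the example.

```python
import os
import shutil
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested directory resolves outside the allowed base directory."""


def resolve_inside(base_dir, requested):
    """Resolve `requested` relative to `base_dir` and refuse anything that escapes it."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so an absolute
    # request is resolved on its own and then fails the containment check below.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        contained = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained:
        raise PathEscapeError(f"{requested!r} resolves outside the allowed directory")
    return target


def read_files_from_directory(base_dir, requested="."):
    """Read regular files from a subdirectory of base_dir and return (name, contents) pairs."""
    dir_path = resolve_inside(base_dir, requested)
    file_contents = []
    for filename in sorted(os.listdir(dir_path)):
        full_path = os.path.join(dir_path, filename)
        # Skip symlinks: a link inside the directory could point anywhere on the system.
        if os.path.isfile(full_path) and not os.path.islink(full_path):
            with open(full_path, "r") as handle:
                file_contents.append((filename, handle.read()))
    return file_contents


def demo():
    """Build a constructed sandbox and show an allowed read next to a refused escape attempt."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "reports")
        os.makedirs(base)
        with open(os.path.join(base, "daily.txt"), "w") as handle:
            handle.write("all clear")
        # A file one level up stands in for a home or system directory the reader must not reach.
        with open(os.path.join(root, "secret.txt"), "w") as handle:
            handle.write("constructed secret")
        allowed = read_files_from_directory(base, ".")
        try:
            read_files_from_directory(base, "..")
            refused = False
        except PathEscapeError:
            refused = True
        return allowed, refused
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # ([('daily.txt', 'all clear')], True)
```

The same containment check applies to any caller-supplied path, not only directory listings; resolving first and comparing afterwards is what defeats "..", absolute paths and symlink tricks in one place.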
Online guides and tutorials are abundant and helpful, but developers must prioritise security at every stage of the development lifecycle. By incorporating security into your development process, you can fortify your solutions against threats, enhancing their resilience and reliability.