Today, I am sharing some time with Daniel Méndez, our Chief Technology Officer (CTO) at Kriptos. He currently works in Cuenca, an Ecuadorian city where talent is emerging rapidly.
Daniel is 30 years old and has worked in technology for approximately 12 years. He studied Systems Engineering at “Universidad de Cuenca”. His passion is to keep learning. After his Engineering degree, he studied online and obtained two master's degrees: the first in Mobile Applications and the second in Facilitating Change Processes. This last degree has nothing to do with technology; however, it aligns very well with Daniel's main interest, helping others.
Let us start this interview by asking ourselves: what is the safest way to develop software?
Daniel, what should be considered to build secure code?
Always think about the future. Think about everything that could happen tomorrow. Think of the possibilities and the difficulties and act accordingly.
Be cautious: the code must always be written on the assumption that problems will appear. The code must be very simple to maintain and it must include good documentation to support it. Programmers should always follow best practices when building code in order to avoid problems.
What tools or methodologies do you suggest programmers should use?
In the case of tools, I recommend using stable versions always. Sometimes, people prefer to use Alpha or Beta versions because of their apparent ease of use but they then encounter serious problems because they are not stable.
It is advisable to implement the following rules in our computer systems to protect the source code against hacker attacks:
- OWASP: at least follow the Top 10 basic rules for building web systems and mobile applications. https://www.owasp.org/index.php/Top_10-2017_Top_10
- Secure cookies: if the user's data is going to be stored in the web system, GDPR regulations must be implemented and cookies must be programmed in a secure way, as indicated by OWASP. https://eugdpr.org/
- Secure sessions: do not expose sensitive data (unless it is very necessary), either in the cache or in sessions. This type of data must be protected as a hash and eliminated in the shortest time possible. Recommendation: if users do not use the system for more than 5 minutes, banking systems should delete all user data from that session immediately.
Two-factor authentication must be implemented in systems that handle a lot of sensitive data, such as banking systems. At least after login, ask the user to enter an OTP (One Time Password). Typically these passwords are sent by email or by SMS to the telephone.
- Verify your software: it is necessary to verify our code using free OWASP tools to detect vulnerabilities in the source code.
If you build a transactional system, it is important to perform stress tests to detect how much load the software is able to support.
There are more secure IDEs for software development. Generally, the safest are private IDEs, in contrast to free software. Free software is amazing; however, it has several security gaps because it’s open. Programmers and hackers already know, so to speak, what these gaps are and could take advantage of them. That is the weakness of free tools. I recommend the following private IDEs:
- Visual Studio from Microsoft. This is the best IDE I have been able to work with in all my professional life.
- JetBrains IDEs, like PyCharm and PhpStorm. They are very safe and inexpensive IDEs.
When it comes to programming, it is essential to choose the best operating system to work on. This depends on the needs of the product. For example, Kriptos, the software I am currently building, is a 100% Windows application, which is why we are required to use Windows to develop it. In our operating systems we follow general rules to protect ourselves:
- Windows with an original license: this allows us to update the software with the latest releases from Microsoft and protect it against vulnerabilities.
- Antivirus with an original license: this allows us to protect ourselves against new virus threats, which appear on a very frequent basis.
- In browsers we use extensions like AdBlock to protect the software from ads with potentially dangerous content.
- If we need to develop on Linux, the best and safest operating system you can use is CentOS. It is not very user friendly, but it is very safe and you could even use it as a server.
Finally, it is very important to store our source code in a reliable repository in the cloud. Programmers often follow bad practices and keep their own version of the source code. This can cause serious problems in the end. I recommend two very reliable repositories:
- Team Foundation Server from Microsoft: they provide services in the cloud and they are excellent.
- Bitbucket from Atlassian: at Kriptos we use this repository and it is highly recommended because of its simplicity.
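The session advice in the answer above (cookies set the way OWASP indicates, sensitive data kept only as a hash and removed once the session has been idle for five minutes, and an OTP requested after login) can be shown in working code. The following Python example is added by the editor; it is not Daniel's or Kriptos's code. The in-memory store, the two-minute OTP lifetime and the three-attempt limit are assumptions, and the clock is injectable so that expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 5 * 60   # the 5-minute idle limit mentioned in the interview
OTP_TTL_SECONDS = 120           # assumption: a one-time password is valid for two minutes
OTP_MAX_ATTEMPTS = 3            # assumption: three wrong codes invalidate the OTP


def secure_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header with the attributes OWASP recommends for
    session cookies: sent only over TLS, unreadable by scripts, not sent
    on cross-site requests."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


def hash_code(code: str) -> str:
    # Only the hash of the OTP is kept server-side, never the code itself.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Session:
    user_id: str
    last_seen: float
    otp_verified: bool = False
    otp_hash: Optional[str] = None
    otp_expires: float = 0.0
    otp_attempts: int = 0


class SessionStore:
    """In-memory session store with idle expiry and a second-factor step."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now            # injectable clock, so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> Tuple[str, str]:
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = Session(user_id=user_id, last_seen=self._now())
        return sid, secure_cookie_header("sid", sid)

    def touch(self, sid: str) -> Optional[Session]:
        """Return the live session, or delete it if it has been idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._now()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # all data of the idle session is removed
            return None
        session.last_seen = now
        return session

    def issue_otp(self, sid: str) -> Optional[str]:
        """Generate a 6-digit OTP for the session. The plaintext is returned
        only so the caller can deliver it (SMS or e-mail); the store keeps
        just its hash and expiry."""
        session = self.touch(sid)
        if session is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        session.otp_hash = hash_code(code)
        session.otp_expires = self._now() + OTP_TTL_SECONDS
        session.otp_attempts = 0
        return code

    def verify_otp(self, sid: str, code: str) -> bool:
        """Check a submitted OTP: expired or exhausted codes are discarded,
        a correct code is single-use and marks the session as verified."""
        session = self.touch(sid)
        if session is None or session.otp_hash is None:
            return False
        if self._now() > session.otp_expires or session.otp_attempts >= OTP_MAX_ATTEMPTS:
            session.otp_hash = None   # must be reissued
            return False
        session.otp_attempts += 1
        # Constant-time comparison of the hashes avoids a timing side channel.
        if hmac.compare_digest(hash_code(code), session.otp_hash):
            session.otp_hash = None   # single use
            session.otp_verified = True
            return True
        return False
```

A real deployment would keep the sessions in a server-side store shared by all application instances and would send the OTP through the SMS or e-mail provider; the in-memory dictionary here only stands in for that store.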
How can you balance the time and effort that a programmer must dedicate to security versus speed?
I consider it important to take into account the following recommendations:
- If you are developing new features or attributes, take 1 or 2 hours a day to review the code. Try to detect vulnerabilities.
- Integrate at least a unit test system; this will help you to perform your own tests more efficiently. You can learn some TDD for it.
- Integrate the recommendations of OWASP as you program. It is a bad practice to incorporate these recommendations once the development is finished.
- In the case of urgent bugs, stop the current tasks and concentrate on fixing them.
- In the case of non-urgent bugs, take 1 hour a day to go over them and fix them.
Finally, in order to deploy source code faster into the different test or production environments, it is very important to implement Continuous Integration in the cloud repositories where the source code is updated.
How can a programmer update his/her knowledge base?
I recommend the Pluralsight platform; their courses teach important and relevant content. It is just what you need to stay up to date in technology. In addition, I recommend doing master's degrees abroad. The technological culture in Europe and the United States is more advanced, and the experience you can gain is much greater.
Let me end by saying that it is essential for every leader or programmer to know the current security regulations and their applications in the type of product they are developing.