When building a new application, be it Windows Form or ASP.NET, security is an important factor to consider from the very beginning. There are hundreds of books and thousands of websites helping you to secure your application, but they all seem to share one annoying thing; they make security solutions too complex. Security is a complex issue to address and that usually requires complex solutions so what is the problem?
In the myriads of applications out there, only a very small percentage of those are built with security in mind. The rest of them are pretty much open for any hacker to break. That’s an overstatement, but it illustrates the point. Because we have learned through books and articles that security is complex and difficult, we rarely give it the time it deserves.
Another big problem is that security is one of the most boring things to do as a developer, because it does not add any features or functionality to the system and it is very hard to measure the value of. Both in terms of money spend on the effort and on the likelihood of ever being attacked.
Right, that narrows the problem down into two things. It is complex and boring. Not a developer’s favorite cocktail. Of course, we cannot just leave it at that without doing some level of security even though we basically, as developers, don’t really want to.
Let’s break the problem down into the two main issues starting with the complexity.
The obvious solution to complex problems is to simplify it. It is rarely as simple as it sounds but it is absolutely possible. What I mean is, that complexity is typically found in the last 20% of the problem, but that should not stop us from doing the first 80%. More on that later.
Security is boring so we have to find a way to make it more interesting. Again, let’s see how much of the boring parts of security implementation can be eliminated. Don’t cut back on social security number encryption or something like that.
Alright, now security is simple and interesting, but at what cost? That depends on two things – the type of project and the level of security you are planning on implementing. If you’re building an e-commerce site or banking software, you don’t want to cut back on security at any cost, but for the simple standard website the cost is free because you probably haven’t done much security planning and therefore doesn’t need to make cuts in the first place.
Something is more
The saying “less is more” doesn’t really apply for security, but neither does “more is more”. You usually want the right level of security at the right price – no more and no less. We can come much closer to that now after we’ve made security simple and interesting. If you haven’t thought about implementing any level of security, you should at least do something. Not the whole nine yards, not the first 80%, just do something. Something is more than nothing and nothing can become a dangerous affair. Keep it simple and keep it interesting, otherwise you won’t get anything done at all. Even the smallest things count and they are free to do because they hardly take any time to implement.
The bottom line is that security is a very important thing and we cannot afford to ignore it. If you find it boring and complex then just do something that can be of interest to you and keep it simple to begin with. Its probably all you need for your application anyway.
Simple .NET security tricks
If you have written or know about a good article on simple security implementation, let me know and I'll add it to the list.