
Most of us have dealt with software development professionals at some point, especially in this era of technology, whether for a simple website, a logo, a complex application or a large-scale ERP implementation.  There are many programming standards and best practices to follow, depending on the technology and platform used and the need of the hour; each has its own benefits and pitfalls, and you will need to strike a balance between security and performance.  But there are certain golden rules that should be followed regardless of the platform or technology you employ, with no compromises.

We take a look at some of those non-technical, logical and often overlooked practices whose absence is not noticed soon enough.  Find out whether your software development practice builds applications in compliance with the following:

  • Password Policies: Does your application enforce a strong password policy that prevents simple passwords like “123” or “admin” from being chosen?  Can you define the password policy yourself?  Can you also prevent users from reusing previously used passwords?
  • Account Lockout: Does your application lock the account after 3 or more failed login attempts and ask the user to use “forgot password” to reset their password or to contact the admin?
  • Login History: Does your application show the user their last login information, i.e. the last successful and unsuccessful login attempts with a date and time stamp and/or IP address, so that unknown malicious activity can be detected and reported?
  • Secure Communication: If you are hosting a web application or a desktop application, do you ensure that the communication between the client and the database server is secured?  And the communication between the web browser and the web server?  For a web application it can be as simple as installing an SSL certificate.  For desktop applications it can be done by using encryption keys where necessary to secure the communication.
  • Database Credentials: Do you know how the database credentials are stored on the user's PC, if they are stored there at all?  Can they be read from a text file in the application's install location?  Most power users would know this already.  Usually the user's computer needs to connect to a database, so at a minimum it needs some basic information such as the database server name, username and password.  Ensure that this is stored in an encrypted format on the user's computer, and/or on the database server in the case of web applications, so that it cannot be read or altered in any way by the IT admin or any user.
  • Error / Exception Handling: No application is perfect; you are bound to have bugs and errors.  How you handle the user experience when an error occurs goes a long way towards securing the application.  Ensure you trap all errors and display a generic error message rather than technical messages that expose form names or database table names; this simple step may save the day for you.
  • Audit Trail: Always keep an audit trail of specific things, such as which machine was used to log in, i.e. the name of the PC, the IP address, the date and time stamp, and whether the action was a login, logout or timeout.  Also always log which records were changed, and keep an audit table to identify the changes, so that you have historical data; this also helps identify and fix an issue more quickly in the event of a conflict, bug or error.
  • How Do You Store Passwords: The majority of applications have their own username and password credentials, and how you store them makes a difference.  If credentials are stored in plain text, an IT admin with access to the database server can simply pull all user information out of one table and use it.  Always store the passwords in an encrypted format in the database.  This will not completely eliminate the risk, but it minimizes it.  Additionally, you can use Active Directory or Single Sign-On, so there is no need to store the passwords at all; authentication is done directly against the server.
  • Source Control: Do your programmers use proper source control?  You can use any source control system that gives you the ability to retrieve previous versions of the source files; it also helps on bigger projects where multiple team members are involved.
  • Documented Programming Standards: Do you have a documented programming standard that sets out day-to-day coding practices and standardizes code across applications?  This makes it easier to maintain, manage and secure source code between team members, and if you own the source, having a consistently structured code base throughout the application helps you understand it faster.
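
The password policy, account lockout, login history and password storage items above, as one added Python example (not code from the original article).  It stores passwords as salted one-way hashes (PBKDF2) rather than reversible encryption, which is the standard way to keep stored credentials unreadable; the policy rules, the lockout threshold of 3 and the iteration count are assumptions for the example.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

MAX_FAILED = 3               # lock after the third failed attempt
HISTORY_DEPTH = 5            # previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000  # assumed value; tune upward for production hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Salted one-way hash: the stored digest cannot be turned back into the password
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def check_policy(password: str) -> bool:
    # Rejects trivial choices like "123" or "admin": minimum length plus a letter and a digit
    return len(password) >= 12 and any(c.isalpha() for c in password) and any(c.isdigit() for c in password)

class UserAccount:
    def __init__(self, password: str):
        if not check_policy(password):
            raise ValueError("password violates policy")
        self.salt, self.digest = hash_password(password)
        self.history = [(self.salt, self.digest)]  # old hashes kept for the reuse check
        self.failed_attempts, self.locked = 0, False
        self.login_log = []  # (timestamp, ip, outcome) entries: the user's login history

    def set_password(self, new_password: str) -> bool:
        if not check_policy(new_password):
            return False
        for salt, digest in self.history:  # re-hash with each old salt to detect reuse
            if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
                return False
        self.salt, self.digest = hash_password(new_password)
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_DEPTH:]
        return True

    def login(self, password: str, ip: str) -> str:
        now = datetime.now(timezone.utc)
        if self.locked:  # no password check while locked; reset goes via forgot-password/admin
            self.login_log.append((now, ip, "locked"))
            return "locked"
        if hmac.compare_digest(hash_password(password, self.salt)[1], self.digest):
            self.failed_attempts = 0
            self.login_log.append((now, ip, "success"))
            return "success"
        self.failed_attempts += 1
        self.login_log.append((now, ip, "failure"))
        self.locked = self.failed_attempts >= MAX_FAILED
        return "failure"
```

The last "success" and "failure" entries in `login_log` are what the login-history item asks you to show the user after each sign-in.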

As you may have noticed, the above does not take into consideration technical standards such as SQL injection or session handling; we will leave those for another article.

These are logical, not technical, considerations.  But they do have an impact on the way the software is developed, maintained and supported, and you can choose whether that impact is positive or negative.  The next time you hire a software development company or a software developer, ask them these questions; it will help you understand the maturity they work with.
