14 A final word: Don’t forget about security!

This chapter covers

    • Code security reviews
    • Vulnerabilities in a large-scale tech stack
    • Running security penetration tests from time to time
    • Following security breaches and attack vectors
    • Incident handling and the team’s role

    By now, you’ve been with us throughout the course of a pretty long book. We’ve spent much of it talking about how to get security without explicitly thinking about security. Surprising as it might seem, we’d like to close this book by talking about how important it is to think about security. We started this book by noting a few things:

    • Developers find it difficult and distracting to explicitly think about security while coding.
    • Developers like and find it natural to think about design while coding.
    • Many security problems arise from bugs: misbehaving code that happens to open up security vulnerabilities.
    • Good design reduces bugs; some designs prevent some kinds of bugs, while other designs prevent other bugs.

    14.1 Conduct code security reviews

    14.1.1 What to include in a code security review

    14.1.2 Whom to include in a code security review

    14.2 Keep track of your stack

    14.2.1 Aggregating information

    14.2.2 Prioritizing work

    14.3 Run security penetration tests

    14.3.1 Challenging your design

    14.3.2 Learning from your mistakes

    14.3.3 How often should you run a pen test?

    14.3.4 Using bug bounty programs as continuous pen testing

    14.4 Study the field of security

    14.4.1 Everyone needs a basic understanding about security

    14.4.2 Making security a source of inspiration

    14.5 Develop a security incident mechanism

    14.5.1 Incident handling

    14.5.2 Problem resolution

    14.5.3 Resilience, Wolff’s law, and antifragility

    Summary