Three Questions Developers Need To Ask

Developers who adopt a "what if" mindset rather than dismissing vulnerabilities as unlikely write far more secure code. Asking "what would happen," "what should happen," and "what could happen" if outer defenses are breached turns defensive coding from an afterthought into a habit.

Coveros Staff

November 12, 2009

While performing software security assessments I have all too often run into developers that are constantly trying to explain away vulnerability findings. They spend way too much time trying to justify the code they have written and explain why it doesn’t need to be changed. All kinds of reasons are given. For example, the access is guarded by a network security device. If an intruder gains access to this we have bigger problems to deal with. While this could be true it is a mode of thinking that can lead to disaster when code is not written to be defensive.

I’d like to challenge developers to lay aside the “it can’t happen” attitude and instead have a “what if it does happen” mindset. Use the energy that it takes to explain away a risk to come up with a solution that will avoid the problem should it arise.

Three questions that a developer can ask themselves and address the answers head on will result in more secure software. They are:

  1. What would happen?
  2. What should happen?
  3. What could happen?

Let’s take a closer look at each of these.

What Would Happen?

As a developer ask yourself “what would happen if the levels of defense outside my code are breached and an intruder gets to this point?” Taking a close look at the answer to this question can reveal some sobering things about the code you are analyzing. Take simple steps to validate input and avoid revealing information that is not required or that the intruder should not be allowed to see.

What Should Happen?

Ask yourself, “what should happen if the levels of defense outside my code are breached and an intruder gets to this point?” Think not about how it is not possible for an intruder to get to this point but rather, on what would happen if they did. Spend the time to correct the issue and rest assured in the fact that your code is covered should it ever happen.

What Could Happen?

Ask yourself “what could happen if I take the steps to prevent such vulnerabilities in the code that I am writing?”. What could happen is that an intruder that gets through outer layers of protection is then blocked by secure code that you’ve written thus preventing a security breach.

These questions can lead you to thinking more about how to secure your code and less about what is protecting your application outside your code.

Related Blogs

Navigating the Technical Debt Crisis in Financial Services

Leveraging AI-Augmented Development to Mitigate Systemic Risk and Reclaim Operational Alpha

Building Scalable Resilient and Efficient Systems with the GitHub Well Architected Framework

Breaks down the Architecture pillar of the GitHub Well-Architected Framework, covering scalability, resiliency, efficiency, modularity,...

Bolstering Your Defenses with the GitHub Well-Architected Framework

Breaks down the Application Security pillar of the GitHub Well-Architected Framework, linking principles, checklists, and implementation...

Accelerating GitHub-powered Compliance, Security, and Productivity

Case study of a large retailer's migration from mixed toolchains to GitHub's platform, focused on minimizing disruption while improving...
Coveros Staff

Coveros Staff

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.