Chapter 29. Using Offensive Security to Defend Your Application

Nathaniel Shere

Developers are often at a disadvantage when it comes to defending their applications from attackers, and the reason is simple: their focus is different.

Developers focus on functionality, performance, and ease of use for customers, while hackers focus on vulnerabilities, data exfiltration, and how users can be manipulated. This disconnect in focus can lead, through no direct fault of the developers, to security issues that attackers regularly target and exploit.

The key to giving the advantage back to developers is to think like attackers when designing, implementing, and testing application features. To highlight just a few examples of this type of thinking, let’s look at various features that are common in most applications.

Helpful Response Messages

Because developers attempt to assist users as much as possible, they will often add helpful response messages based on the user’s input. One example of this is when a user forgets their password and the application tells the user whether or not the submitted email address is valid.

Unfortunately, these helpful responses also assist an attacker in identifying valid accounts within the application, a prerequisite to performing password and other authentication attacks. So, in the end, the feature that helps users troubleshoot their own issues also helps ...
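The account-enumeration leak described above, as an added example that is not code from the chapter: a password-reset handler whose response reveals whether the address exists, beside a version that returns the same response either way, plus a small check you can keep in a test suite to catch the leak. The user store and email addresses are constructed placeholders.

```python
import secrets

# Constructed sample user store; the address is a placeholder, not real data.
USERS = {"alice@example.com": {"reset_tokens": []}}


def reset_password_leaky(email: str) -> dict:
    """'Helpful' handler: status and message reveal whether the account exists."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that email address."}
    token = secrets.token_urlsafe(32)
    USERS[email]["reset_tokens"].append(token)
    return {"status": 200, "message": "A reset link has been sent to your inbox."}


def reset_password_uniform(email: str) -> dict:
    """Hardened handler: same status, same wording, and the same work on both paths.

    The token is generated whether or not the account exists so the two paths
    take comparable time; it is only stored (and would only be emailed) for a
    real account. The user learns the outcome from their inbox, not the response.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        USERS[email]["reset_tokens"].append(token)
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def leaks_account_existence(handler, known="alice@example.com",
                            unknown="nobody@example.com") -> bool:
    """Regression check: does the response differ for a known vs. an unknown address?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_password_leaky, reset_password_uniform):
        print(f"{handler.__name__}: leaks={leaks_account_existence(handler)}")
```

The same check applies to login, registration and "change email" endpoints, which leak in the same way when their messages differ by account state.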

Source: 97 Things Every Application Security Professional Should Know (O'Reilly).
