
Secure Features, Not Just Security Features

Just as the IT professionals we talked about at the beginning of the chapter had some misconceptions about network security defenses versus application security defenses, developers also often have some mistaken beliefs concerning security. Next time you pass a developer in the hallway, stop him and ask him what he knows about security. He’ll probably answer with some information about firewalls, antivirus, or SSL. If he’s a Neal Stephenson fan, maybe he’ll corner you and start ranting on the inherent superiority of the Blowfish cryptography algorithm over the Advanced Encryption Standard algorithm. (If this happens to you, we apologize for getting you in this situation.)

And there’s nothing wrong with any of this—firewalls, antivirus, SSL, and cryptography are all important security features. But there’s a lot more to creating secure web applications than just knowing about security features. It’s actually much more important to know how to apply security to the routine development tasks that programmers tackle every day, like parsing strings or querying databases. In short, it’s more important to know how to write secure features than it is to know how to write security features.


  
