Episode 59 – How software developers can make the Web secure

Special guest, David Gatti has returned to Mentoring Developers. This time, he discusses the importance of internet security and what he has to say may surprise you. Don’t miss episode 59! Arsalan and David talk about usernames, passwords, and the importance of proper authentication.

Say hello to David on Twitter!

David Gatti’s Bio:

David Gatti began his career in IT as a Systems Administrator. He learned how to code in PHP out of boredom, and made some simple internal tools to help him while managing the company network.

He then became a blogger and wrote about mobile technologies before the iPhone came into existence and PDAs had cellular modems. He also wrote the CMS for the website itself when WordPress was first starting. Then he began working as a web developer for a company that did simple Facebook games.

After this initial experience, he imported a Windows Mobile app to Android 2.3. He later became a Brand Manager for a mobile game company and a Marketing Director for another company, and at that company – he transitioned to Developer Relations Manager and worked for two companies with this title. It was a job that he fell in love with.

But, while hunting for his next opportunity, he struggled to find the right company. Out of frustration, he created Simpe.li (simply) so he could keep doing what he does best – Development Relations Management done right.

Episode Highlights and Show Notes:

Arsalan: Hi everyone. This is Arsalan Ahmed with David Gatti. David, how are you?

David: I’m fine. How are you?

Arsalan: I’m great and today we’re going to talk about security in the sense of how to keep our server secure, how to build websites that don’t get hacked. Those are important. We are going to talk about how to keep our users secure, how we can avoid becoming hacked ourselves, and how we can have secure practices as software developers. For someone who is starting out and learning these new programming languages and frameworks to build cool apps, they may not be thinking about security. They should pause and listen to this podcast and really think about what they’re doing to ensure they’re not skipping something that’s important.

Arsalan: You had a personal experience with that. You had a new website and it got into really big trouble. So tell us a little bit about that, David.

David: it was for a website that was built more than 10 years ago. I developed it myself. Back in the day, we used the technology called STP to transfer files to the server. I had this STP client. I decided to make my life easier by saving my password to the server. By doing that, I ran into the situation where I got a virus on my Windows machine which detected that I was using this STP client and it try to access every website that I had in my favorites. It found my website, which was gaining popularity with over 7000 views a day. So a bunch of people was visiting it. This virus then updated my index HTML file with a piece of JavaScript code and started infecting all of my visitors with a virus. I received a bunch of messages letting me know that something was wrong. I fixed it, but it took me a while to understand how someone accesses my server.

David: After a while of googling around, I realized that the STP client that I was using had a common line interface which allowed the virus to easily use this client from the common line. Just by making my life easier and saving the password I had compromised my security pretty badly. After that situation, I started taking security more seriously and I started to make my life a little more annoying by not remembering passwords.

Arsalan: So there are a lot of things that we can do to keep ourselves more secure at different levels. So, one thing is to not get hacked or get a virus and one of the ways to do that is to have long,