July 21, 2019 06:53 pm GMT

5 must-do security tips for developers

I've been working as a security analyst and auditor for a while, and I've encountered a lot of things that frustrated me. Sometimes I used to think "if only the developer had taken care of this in time...", so why not discuss some security tips a developer could follow? I'm listing five tips, but feel free to add your own!

Tip 1: Pay attention to default admin pages

Countless times I've encountered a page at /myadmin.php or a similar admin page left at its default path with default values. Using frameworks is a wonderful idea, but taking care of these details is important: a default admin path is among the first things an attacker's scanner tries, and a default or weak credential behind it can be brute-forced until the login gives way, after which the attacker can make an ugly mess. Move or restrict the admin interface, change every default credential, and make repeated failed logins cost the attacker something (lockout or rate limiting).
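A brute-force attempt against an admin login only works if every guess is answered. As an added example (not code from the original post), here is a sliding-window lockout in Python: it counts failed logins per account and per client IP and refuses further attempts once a threshold is reached. The LoginThrottle class, the attempt_login function and the single-user credential store are hypothetical; the clock is injectable so the simulated run can fast-forward through the lockout window without sleeping.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window lockout for a login endpoint (hypothetical helper).

    Each failed attempt is recorded per account and per client IP; once either
    counter reaches max_failures within window_seconds, further attempts are
    refused until the oldest failure ages out of the window.
    """

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so a test can fast-forward time
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, username, ip):
        now = self.clock()
        return any(
            len(self._prune(key, now)) >= self.max_failures
            for key in (("user", username), ("ip", ip))
        )

    def record_failure(self, username, ip):
        now = self.clock()
        for key in (("user", username), ("ip", ip)):
            self._prune(key, now).append(now)

    def record_success(self, username, ip):
        # A correct login clears the per-account counter; the per-IP counter is
        # kept so a password spray across many accounts is still slowed down.
        self._failures.pop(("user", username), None)


def attempt_login(throttle, verify, username, password, ip):
    """Check the throttle first so locked-out attempts never reach the verifier."""
    if throttle.is_locked(username, ip):
        return "locked"
    if verify(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


# Constructed credential store for the demo (not a real user database).
_USERS = {"admin": "correct horse battery staple"}


def _verify(username, password):
    return _USERS.get(username) == password


def simulate_bruteforce(attempts=8, max_failures=5):
    """Run a constructed brute-force sequence; return the list of outcomes."""
    clock = [1000.0]
    throttle = LoginThrottle(max_failures=max_failures, window_seconds=300,
                             clock=lambda: clock[0])
    outcomes = []
    for i in range(attempts):
        outcomes.append(attempt_login(throttle, _verify, "admin", f"guess{i}", "203.0.113.7"))
        clock[0] += 1.0
    # Even the correct password is refused while the account is locked...
    outcomes.append(attempt_login(throttle, _verify, "admin", _USERS["admin"], "203.0.113.7"))
    # ...until the window has elapsed.
    clock[0] += 301.0
    outcomes.append(attempt_login(throttle, _verify, "admin", _USERS["admin"], "203.0.113.7"))
    return outcomes


if __name__ == "__main__":
    print(simulate_bruteforce())
```

Per-IP counting slows a spray that touches many accounts; per-account counting catches an attacker rotating source addresses. Pair it with non-default credentials and, where possible, a second factor or an allowlisted source network for the admin path.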

Tip 2: Please, please, so much please: strong passwords

I mean, I know remembering strong passwords is such a difficult task, but ah! we have KeePass for that. Pretty please, if you still have doubts, just check the huge leaks: a password manager gives every account a long, unique password, and checking a new password against the leaked lists catches the ones that look strong but are already known to attackers. This seems unimportant, but it isn't.
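The huge leaks can be put to use directly: a new password can be checked against them before it is accepted. The following Python is an added example, not from the original post, of two checks a registration form can run: a local policy, and a k-anonymity lookup of the kind the Have I Been Pwned Pwned Passwords range API offers (GET https://api.pwnedpasswords.com/range/<prefix>), where only the first five hex characters of the SHA-1 hash leave the machine. The network call itself is left out so the block runs offline; the range response below is constructed for the example and its counts are made up. The SHA-1 here is only for the lookup, never for storing the password (use bcrypt, scrypt or Argon2 for that).

```python
import hashlib
import re


def sha1_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix sent to the range
    endpoint and the 35-char suffix that is compared locally.

    Only the prefix leaves the machine: the service returns every suffix
    sharing that prefix, so it never learns which password was checked.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a 'SUFFIX:COUNT' per line range response; return the breach
    count for our suffix, or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password_policy(password, min_length=12):
    """Return human-readable reasons the password is weak (empty list = ok)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if re.fullmatch(r"[A-Za-z]+", password) or re.fullmatch(r"\d+", password):
        problems.append("uses a single character class")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    return problems


def assess_password(password, range_response):
    """Combine the local policy with a (here, constructed) range response."""
    problems = check_password_policy(password)
    _, suffix = sha1_range_query(password)
    seen = count_in_range_response(suffix, range_response)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffixes other than the real one and all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:1
"""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), assess_password(pw, SAMPLE_RANGE_RESPONSE) or "ok")
```

The policy is deliberately modest: length and breach status predict crackability far better than forced symbol classes, which mostly produce "Password1!".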

Tip 3: Avoid the "it's secure because it's in a container" mindset

Nope. Security doesn't work like that. For real. A container isolates a process; it does not patch the software inside it or decide who can reach its ports. For example, if you are running old versions of components (which I encountered many times), such as Elasticsearch, a few curl commands against the published port are enough to read, modify or delete the data, among many other things, because those releases answer the REST API without authentication unless you configured it. I understand looking for vulnerabilities is not your job (that's why you should hire a specialist for it), but in the meantime you can handle a basic vulnerability assessment of your images with CoreOS's Clair, as I described here, for example.
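Two things decide whether that old Elasticsearch is reachable with curl from outside: how old it is and how its port is published. Here is an added Python example (not the original post's code, and not Clair) that checks both from material you already have: the JSON an Elasticsearch node returns on GET /, and the ports: entries of a docker-compose service. The banner and the port mappings below are constructed for the example, and the minimum version is a hypothetical team policy, not a statement about which release fixed what.

```python
import json
import re


def parse_es_banner(body):
    """Extract the version from the JSON an Elasticsearch node returns on GET /.
    Raises ValueError if the body is not an Elasticsearch banner."""
    data = json.loads(body)
    try:
        return data["version"]["number"]
    except (KeyError, TypeError):
        raise ValueError("not an Elasticsearch root response")


def version_tuple(v):
    """'6.8.23' -> (6, 8, 23); a pre-release suffix such as '-beta1' is ignored."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))


def parse_compose_port(spec):
    """Parse a docker-compose 'ports' entry.

    Returns (host_ip, host_port, container_port). A missing host IP means the
    port is published on every interface, which is what makes the container
    reachable from outside the box.
    """
    spec = str(spec).split("/")[0]  # drop a trailing /tcp or /udp
    parts = spec.split(":")
    if len(parts) == 1:        # "9200": random host port, all interfaces
        return "0.0.0.0", None, int(parts[0])
    if len(parts) == 2:        # "9200:9200": all interfaces
        return "0.0.0.0", int(parts[0]), int(parts[1])
    if len(parts) == 3:        # "127.0.0.1:9200:9200": loopback only
        return parts[0], int(parts[1]), int(parts[2])
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def audit_elasticsearch(banner_body, port_specs, min_version="7.10.0"):
    """Return findings for one node, given its '/' response and compose ports.
    min_version is a hypothetical policy value, not a known-fixed release."""
    findings = []
    version = parse_es_banner(banner_body)
    if version_tuple(version) < version_tuple(min_version):
        findings.append(f"Elasticsearch {version} is older than {min_version}")
    for spec in port_specs:
        host_ip, _, container_port = parse_compose_port(spec)
        if container_port in (9200, 9300) and host_ip in ("0.0.0.0", "", "::"):
            findings.append(f"port {container_port} published on all interfaces ({spec})")
    return findings


# Constructed banner, shaped like the root response of an Elasticsearch node.
SAMPLE_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "version": {"number": "5.6.16", "lucene_version": "6.6.1"},
    "tagline": "You Know, for Search",
})

# Constructed compose mappings: one exposed everywhere, one loopback-only.
SAMPLE_PORTS = ["9200:9200", "127.0.0.1:9300:9300"]


if __name__ == "__main__":
    for finding in audit_elasticsearch(SAMPLE_BANNER, SAMPLE_PORTS):
        print("FINDING:", finding)
```

A node published on 0.0.0.0:9200 with no authentication lets anyone who can reach the host list, read and delete indices with plain HTTP requests. Binding to 127.0.0.1 or a private network, enabling authentication and upgrading are the fixes; Clair-style image scanning tells you about the rest of the packages in the image.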

Tip 4: Filter all the things

Please pay attention to what users can input into your app. If you are unaware, there's an attack called Cross-Site Scripting (XSS), which is often used as a stepping stone for many others, and it happens because user-supplied text is written into a page as markup. Blocking script elements is a start, but it is not enough on its own: an attacker can use event handler attributes or javascript: URLs just as well. Validate input against what you actually expect, and encode output for the context it lands in (HTML text, attribute, URL) so that user data is always treated as data. You can save yourself so many problems just like that.
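"Don't let users use script elements" is easy to implement literally, and the literal implementation is exactly what attackers expect. This added Python example, not part of the original post, puts a naive strip-the-script-tags filter next to context-aware output encoding with the standard library's html.escape, and runs both over a few constructed payloads. The detector at the end is a crude check used only to show the difference between the two renderers; it is not a sanitizer.

```python
import html
import re

# The naive "filter": remove <script> tags. This is what "don't let users use
# script elements" turns into when implemented literally.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags(user_input):
    return _SCRIPT_TAG.sub("", user_input)


def render_naive(comment):
    """Interpolates the stripped text straight into HTML (still vulnerable)."""
    return f'<p class="comment">{strip_script_tags(comment)}</p>'


def render_escaped(comment):
    """Escapes for the HTML text context, so everything the user sent ends up
    as text and never as markup. html.escape handles < > & \" and '."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_url(url):
    """Attribute/URL context needs its own rule: escaping does not stop a
    'javascript:' URL, so allow only http(s) schemes, then escape."""
    if not re.match(r"(?i)^https?://", url.strip()):
        url = "about:blank"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def contains_active_markup(rendered_html):
    """Crude detector for the demo only: any tag carrying an on* handler,
    a script tag, or a javascript: URL."""
    return bool(re.search(r"<[^>]*[\s/]on\w+\s*=|<script|javascript:",
                          rendered_html, re.IGNORECASE))


# Constructed payloads: the classic one the naive filter catches, and three it
# does not (handler attribute, nested tag that survives one strip, svg onload).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "<svg/onload=alert(1)>",
]


def naive_bypassed():
    """Payloads that still render as active markup after the naive filter."""
    return [p for p in PAYLOADS if contains_active_markup(render_naive(p))]


def escaped_bypassed():
    """Payloads that still render as active markup after output encoding."""
    return [p for p in PAYLOADS if contains_active_markup(render_escaped(p))]


if __name__ == "__main__":
    print("naive filter lets through:", naive_bypassed())
    print("output encoding lets through:", escaped_bypassed())
```

If users legitimately need some markup (bold, links), do not invert the blocklist into hand-written regexes; use an allowlist sanitizer that parses the HTML, and still encode everything else on output.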

Tip 5: ASK

Okay, so I had a lot of tips in mind for the last one, such as not letting fashions get the better of you and using new technologies without auditing them properly just because they sound fancy, or paying attention to server hardening. But finally I thought of the most important and most widely forgotten one: ASK. It's completely normal not to know something, and even more so when it's a security question; that's NORMAL, because as a developer you may not know some details. That's okay; that's what auditing and security analysis are for. But even though the app is going to pass through a security specialist, don't be afraid to ask during the development process, because some problems are structural or conceptual security errors that could have been easily solved at an early stage, and when an analyst finds them at the final stage it's such a mess. Taking security advice in the early stages is a healthy, responsible decision. I sometimes felt like the developers saw me as an enemy to fight against, someone breaking their child, but I'm just trying to make it work, and that's easier to do when you let security staff be part of it from the very start.

I hope you liked these tips, and feel free to add more. Did you save the day with a security tip at your job? I'd love to hear from you.


Original Link: https://dev.to/terceranexus6/5-must-do-security-tips-for-developers-1a7
