Strengthen the guard

Pursuing ideals takes time, and not only in systems and design.

When building systems, failing to implement robust security measures can lead to unexpected issues arising from user actions. In projects with tight budgets and schedules, planning and design phases often get rushed, so extra caution is essential.

If I were to list just three points, they would be as follows.

・Minimize input points
・Multi-layered defense per boundary
・Unexpected events trigger immediate errors

Ninety percent of attacks begin with “input.” Put the other way round, a system an attacker cannot reach cannot be broken into. The more freedom the input allows, the higher the risk.

Of course, there is no system that is 100% impossible to break.

・Minimize input points (user-interaction areas) to the absolute minimum
・Implement “boundary defense” by blocking data flow at the block level
・Design systems to handle all unexpected behavior as exceptions

The idea is to make it a system that’s difficult to break through within the allotted time.

To spell these out: the first point refers to measures like string sanitization and prepared statements when talking to the database. The second covers escaping when generating HTML output, and so on. The third is surprisingly important: it means conditional branches that halt processing immediately when an unexpected value arrives.
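As an added illustration of the first and third points (this is example code written for this page, not the article author’s code), the handler below accepts exactly one request shape, rejects any unexpected field or malformed value with an error instead of guessing, and sends the validated value to SQLite as a bound parameter rather than splicing it into the query. The table, the field names `username`/`role`, the username pattern and the allowed roles are all assumptions made for the example.

```python
import re
import sqlite3


class InvalidInput(Exception):
    """Raised at the input boundary; the caller stops instead of guessing."""


def make_db():
    # Constructed in-memory table for the example; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


# Point 1: one narrow entry point. Only the fields we expect, each checked
# against an allowlist. The username pattern is an assumption for the example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
ALLOWED_ROLES = frozenset({"admin", "user"})
EXPECTED_FIELDS = frozenset({"username", "role"})


def parse_lookup_request(raw):
    if not isinstance(raw, dict):
        raise InvalidInput("request body must be an object")
    unexpected = set(raw) - EXPECTED_FIELDS
    if unexpected:
        # Point 3: an unexpected key is an error, not something to skip over.
        raise InvalidInput("unexpected fields: " + ", ".join(sorted(map(str, unexpected))))
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise InvalidInput("bad username")
    role = raw.get("role", "user")
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise InvalidInput("bad role")
    return username, role


def find_user(conn, username, role):
    # Point 1, database side: the value travels as a bound parameter and is
    # never spliced into the SQL text, so quote characters in it stay plain data.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ? AND role = ?",
        (username, role),
    ).fetchone()


def handle(conn, raw):
    """Return (status, result). A rejection at the boundary halts processing here."""
    try:
        username, role = parse_lookup_request(raw)
    except InvalidInput as e:
        return 400, str(e)
    row = find_user(conn, username, role)
    if row is None:
        return 404, "no such user"
    return 200, {"id": row[0], "username": row[1], "role": row[2]}


if __name__ == "__main__":
    db = make_db()
    print(handle(db, {"username": "alice", "role": "admin"}))   # accepted
    print(handle(db, {"username": "alice", "debug": True}))     # rejected: extra field
    print(handle(db, {"username": "Alice"}))                    # rejected: bad username
```

The two halves are independent on purpose: even if a value somehow reached `find_user` without passing `parse_lookup_request`, the bound parameter keeps it from changing the query.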

There are other detailed countermeasures, but ultimately it depends on the budget.

In practice, it is often the case that only the basic security measures can be implemented, with the finer details left somewhat lax. Even when we aim to refine the handling of specifics, each case has its limits, so realistically it comes down to implementing what is feasible within the constraints.

When in doubt, go back to basics

At its core, any system is nothing more than “input and output”.

Input (Store / Ingest)

All things entering from outside = data “ingestion”.

・Form input
・API requests
・File uploads
・Cookies / Sessions
・Database writes
・Log storage
・Configuration changes

All of the above count as input (the act of bringing data into the system).

Output (Serve / Provide)

Next, everything the system returns from the inside = the data’s “output”.

・HTML display
・JSON response
・API response
・File distribution
・Image provision
・Email sending
・Display database read results

Output is the act of returning data from the system to the outside world.
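As an added example of the output boundary (it also illustrates the second of the three points above; this is example code written for this page, not the article author’s code), the record below is encoded differently for each output type listed: HTML display, JSON response and email sending. Each context has its own encoder, and a value that cannot be emitted safely in a context (CR/LF in a mail header) or an unknown context stops processing with an error status instead of falling back to raw output. The record contents and the context names are constructed assumptions.

```python
import html
import json


class OutputError(Exception):
    """Raised when a value cannot be emitted safely in the requested context."""


# A record as it might come back from a database read. Constructed for the
# example; the embedded markup and CR/LF stand in for hostile stored data.
RECORD = {
    "name": 'Ann <b>"A"</b> & Co',
    "note": "hello\r\nBcc: someone@example.invalid",
}


def to_html_text(value):
    # Text node: &, <, >, " and ' become entities, so the value is never markup.
    return html.escape(str(value), quote=True)


def to_json_body(obj):
    # json.dumps quotes strings and escapes control characters; ensure_ascii
    # also turns every non-ASCII code point (U+2028/U+2029 included) into \uXXXX.
    return json.dumps(obj, ensure_ascii=True, separators=(",", ":"))


def mail_header_is_safe(value):
    # A header ends at CR/LF, so a value containing either would add headers.
    s = str(value)
    return "\r" not in s and "\n" not in s


def to_mail_header(value):
    if not mail_header_is_safe(value):
        raise OutputError("CR/LF in mail header value")
    return str(value)


def serve(record, context):
    """Encode every field of `record` for one output context.

    Returns (status, body). Unknown contexts and unencodable values halt with
    a 500 rather than emitting the raw value.
    """
    try:
        if context == "html":
            items = "".join(
                f"<li>{to_html_text(k)}: {to_html_text(v)}</li>" for k, v in record.items()
            )
            return 200, f"<ul>{items}</ul>"
        if context == "json":
            return 200, to_json_body(record)
        if context == "mail":
            return 200, {k: to_mail_header(v) for k, v in record.items()}
        raise OutputError(f"unknown output context: {context}")
    except OutputError as e:
        return 500, str(e)


if __name__ == "__main__":
    for ctx in ("html", "json", "mail", "pdf"):
        print(ctx, serve(RECORD, ctx))
```

The same record is safe to return as JSON (the CR/LF is simply escaped inside a string) but not as a mail header, which is the point of choosing the encoder by output context rather than applying one “sanitize” step on input.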

Breaking down the process into smaller steps reveals a surprisingly simple structure. Writing meticulous, safe logic is essential. Never forget that implementation time directly translates to the quality of the deliverable. Take your time to build it carefully.
