The Gift of Security: Why I Audit My Own Code
It is Christmas Eve. While most people are wrapping physical gifts, I am wrapping up a different kind of package: a security audit.
It might sound strange to spend the holidays looking at security rules, but in the world of software—and especially FinTech—security isn't a feature you add later. It is a promise you make to your users.
Historically, major data breaches happen during holidays. Attackers know that IT teams are running on skeleton crews. They know that alerts might go unnoticed for hours instead of minutes.
My Holiday Ritual: Penetration Testing
Before I sign off for the family dinner, I spend two hours trying to hack my own platform. This is often called "Pen Testing."
I put on my "Black Hat" (the persona of a malicious hacker) and approach the site the way a bad actor would.
- The Injection Test: I try to paste malicious scripts (like JavaScript code) into the comment forms to see if the site executes them instead of displaying them as plain text.
- The ID Swap: I log in as User A, intercept the network request, change the ID to User B's, and see if I can read their private notifications. This tests for "Insecure Direct Object References" (IDOR).
- The Rate Limit: I try to hit the login button 50 times in a second to see whether the firewall blocks me or the server crashes.
Zero Trust Architecture
This platform runs on a Zero Trust architecture. I don't trust the client-side code (the code running in your browser). I assume that a hacker can bypass the JavaScript UI entirely and talk to the server directly.
That is why every single read and write operation is guarded by server-side rules that verify the user's identity and permissions before the database even acknowledges the request. Even if you trick the website button, you can't trick the database rules.
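As an added illustration (this is not the platform's own code), here is how the three holiday checks above are made to fail on the server side in a small Node.js guard layer: comment text is HTML-escaped before it is rendered, a notification read takes the user's identity from the server-verified session rather than from anything in the request, and login attempts are counted per client in a sliding window. The notification records, user IDs, session shape and client key are all constructed for this example.

```javascript
// Added example, not code from g-makris.com: server-side guards that make the
// three holiday checks fail. All data, names and the session shape below are
// constructed for the illustration.

// 1. Injection test. Comment text is stored as-is but escaped before it is
//    placed in HTML, so a pasted <script> tag renders as text and never runs.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. ID swap (IDOR). Identity comes from the server-verified session, never
//    from anything the client sends; the requested ID is checked against the
//    record's owner before any data leaves the server.
const notifications = new Map([
  ['n-1', { id: 'n-1', ownerId: 'user-a', text: 'Your statement is ready' }],
  ['n-2', { id: 'n-2', ownerId: 'user-b', text: 'Transfer approved' }],
]);

function readNotification(session, requestedId) {
  if (!session || !session.userId) {
    return { status: 401, body: null }; // no verified identity: refuse
  }
  const note = notifications.get(requestedId);
  // Treat "exists but not yours" exactly like "does not exist", so a swapped
  // ID reveals nothing about other users' records.
  if (!note || note.ownerId !== session.userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: note };
}

// 3. Rate limit. A sliding window per client key: once maxAttempts have
//    arrived within windowMs, further attempts are refused before any
//    password check runs, so a burst never reaches the authentication code.
class LoginRateLimiter {
  constructor(maxAttempts, windowMs) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.attempts = new Map(); // clientKey -> timestamps (ms) of recent attempts
  }

  // Returns true if the attempt may proceed, false if the client is throttled.
  allow(clientKey, nowMs = Date.now()) {
    const recent = (this.attempts.get(clientKey) || [])
      .filter((t) => nowMs - t < this.windowMs);
    const allowed = recent.length < this.maxAttempts;
    if (allowed) recent.push(nowMs);
    this.attempts.set(clientKey, recent);
    return allowed;
  }
}

// Replays the "50 clicks in one second" test against the limiter and reports
// how many attempts got through. Timestamps are synthetic (20 ms apart).
function simulateLoginSpam(limiter, attempts, clientKey = 'client-203.0.113.10') {
  let allowed = 0;
  let blocked = 0;
  for (let i = 0; i < attempts; i++) {
    if (limiter.allow(clientKey, 1_000_000 + i * 20)) allowed++;
    else blocked++;
  }
  return { allowed, blocked };
}

// Runs all three checks the way the audit does and returns the outcomes.
function runAudit() {
  const rendered = escapeHtml('<script>alert(1)</script>');
  const ownRead = readNotification({ userId: 'user-a' }, 'n-1').status;
  const swappedRead = readNotification({ userId: 'user-a' }, 'n-2').status;
  const spam = simulateLoginSpam(new LoginRateLimiter(10, 1000), 50);
  return {
    injectionNeutralised: !rendered.includes('<script>'),
    idSwapBlocked: ownRead === 200 && swappedRead === 404,
    rateLimitHeld: spam.allowed === 10 && spam.blocked === 40,
  };
}

console.log(runAudit());
```

The design choice worth noting is in readNotification: the owner check is keyed on the session, not on a user ID the browser could edit, and a record that belongs to someone else is reported as missing rather than forbidden, so the swapped ID does not even confirm that User B's notification exists. The limiter sits in front of the password check for the same reason the rules sit in front of the database: the cheap refusal happens before any expensive or sensitive work.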
The audit passed. The rules held.
Now, I can close the laptop with true peace of mind. The best gift I can give my users is the safety of their data.
Merry Christmas.
Best,
Gerasimos Makris
Founder of g-makris.com
AI Web Developer | Double Master's in MBA & FinTech and Blockchain
Tech Glossary & Concepts
- Penetration Testing (Pen Test): A simulated cyberattack against your computer system to check for exploitable vulnerabilities.
- Zero Trust: A security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything trying to connect to their systems.
- Firewall: A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
- Injection Attack: A cyber attack in which untrusted data is sent to an interpreter as part of a command or query, often used to steal data.
Gerasimos Makris is an AI Web Developer with a background in FinTech operations. He specializes in building secure, scalable web applications that solve real-world financial problems. When he's not coding, he enjoys exploring the intersection of technology, finance, and business strategy.