Developers love to think ahead, and giving someone all the access they might need is a simple way to plan for the future. If they're just starting on the project, why not give them the ability to read all of the databases and commit code? The same goes for systems. If one of your development projects is going to access a database, why not give the code a login that lets them read, write, and update?
While leaving doors open is a simple way to handle future chores and avoid creating annoying road blocks for users and staff, the open doors, as mentioned in tip No. 1, are often the first pathway that's abused. A good principle is to give code and people the smallest amount of privilege needed to get the job done.
If this turns into a management headache generating too many requests for extra privileges, it may make sense to rethink the overall architecture for the data. Are you keeping too much information? If people need more access than you're comfortable giving, you may be storing too much information. Saving less data (tip No. 2) can make it easier to give everyone a simple amount of access.
Secure programming tip No. 13: Model your threat
Do you hold credit card numbers? Then a common thief may be after your information. Do you track people's location with their cellphones? The dangers grow creepier.
Spending time thinking about who wants your data can be a useful precursor. If you can imagine a threat, you can keep the attacker in mind while you design and implement the system. They present an antiuse case to avoid.
It's important to recognize that no list or model will ever be perfect. Just because the threat isn't imagined doesn't mean you don't have to worry about it. It's just a start.
Secure programming tip No. 14: Trust goes both ways
It's easy to be suspicious of those who log into your website, but remember that they should be suspicious of you, too. Are you really the bank that holds their money, or are you a phishing website trying to steal everything they own?
Some sites are investing in proving themselves to the customers. They ask the customer to upload some photo or set of words that the website can use to prove that they're who they say they are. This can make everyone more secure.
Secure programming tip No. 15: Keep apprised of the latest threats
Following the industry press is absolutely essential, and InfoWorld is just one of the publications that covers tragic mistakes. Good articles can show you what others did wrong and give you a chance to think like an unauthorized prowler.