Best practices for reliable and robust programming.

March 28, 2024 | 16 min read

Today, I’m joined by Daniel Méndez, Chief Technology Officer (CTO) at Kriptos. Daniel currently works from Cuenca, an Ecuadorian city known for its rapidly growing tech talent.

At 30 years old, Daniel has over 12 years of experience in technology. He studied Systems Engineering at the Universidad de Cuenca and is passionate about continuous learning. After earning his degree, he completed two online master’s degrees—one in Mobile Applications and the other in Facilitating Change Processes. Although the latter isn’t directly related to technology, it aligns with Daniel’s core interest: helping others.

Let’s Begin with a Key Question: What’s the Safest Way to Develop Software?

Daniel, what should be considered when writing secure code?

Always think ahead. Anticipate future problems and act accordingly.

Be cautious—assume issues will arise. Code should be simple to maintain, well-documented, and developed using best practices to avoid potential vulnerabilities.

What Tools or Methodologies Do You Recommend?

When it comes to tools, always use stable versions. Many developers are tempted by Alpha or Beta versions due to their new features, but these are not production-ready and often introduce major issues.

Here are a few key rules I recommend for securing source code and software systems:

Follow the OWASP Top 10

At a minimum, follow the Top 10 recommendations for web and mobile security:
🔗 OWASP Top 10

Implement Secure Cookies

If your system stores user data, follow GDPR regulations and ensure cookies are securely implemented.
🔗 Learn more about GDPR

Use Secure Sessions

Never expose sensitive data in cache or sessions—unless absolutely necessary. Data should be hashed and destroyed as quickly as possible. For example, banking systems should terminate sessions after 5 minutes of inactivity.

Use Two-Factor Authentication

Systems handling sensitive data (like financial apps) should use 2FA. After login, users should verify their identity with a One-Time Password (OTP) sent via email or SMS.
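The inactivity timeout and the OTP step from the two answers above, worked into one session store as an added illustration that is not code from the interview or from Kriptos; the 120-second OTP lifetime, the one-attempt policy and the in-memory store are assumptions:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 5 * 60  # the 5-minute inactivity limit from the interview
OTP_TTL_SECONDS = 120          # assumed lifetime of an issued OTP
def otp_digest(otp: str) -> bytes:
    return hashlib.sha256(otp.encode()).digest()  # only the hash is stored
@dataclass
class Session:
    user: str
    last_seen: float
    otp_hash: Optional[bytes]   # None once the OTP has been consumed
    otp_issued: float
    verified: bool = False      # True once the second factor passed

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}  # 'now' is passed in by callers for testability

    def login(self, user: str, now: float) -> Tuple[str, str]:
        # Password already checked by the caller: open a session and issue a 6-digit OTP for delivery by email or SMS.
        sid = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sessions[sid] = Session(user, now, otp_digest(otp), now)
        return sid, otp

    def verify_otp(self, sid: str, otp: str, now: float) -> bool:
        s = self.get(sid, now)
        if s is None or s.otp_hash is None:
            return False          # no live session, or OTP already used
        if now - s.otp_issued > OTP_TTL_SECONDS:
            self._sessions.pop(sid)   # stale OTP: the login must start over
            return False
        ok = hmac.compare_digest(s.otp_hash, otp_digest(otp))
        s.otp_hash = None         # single use, whatever the outcome
        if ok:
            s.verified = True
        else:
            self._sessions.pop(sid)   # assumed policy: one attempt only
        return ok

    def get(self, sid: str, now: float) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is not None and now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(sid)   # idle too long: terminate and forget it
            return None
        if s is not None:
            s.last_seen = now     # any use of the session resets the clock
        return s
```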

Verify Your Software

Use free OWASP tools to scan for vulnerabilities and weak points in your code.

Conduct Stress Testing

If you’re building transactional systems, run stress tests to identify the system's limits and performance under heavy load.

Which IDEs and Operating Systems Are the Safest?

Generally, private IDEs are more secure than open-source ones. While open-source tools are powerful, they often expose vulnerabilities known to both developers and hackers.

I recommend:

  • Visual Studio (Microsoft) – The best IDE I’ve used throughout my career.
  • JetBrains IDEs – Such as PyCharm and PhpStorm. They’re secure and cost-effective.

Your operating system also matters. Choose based on product needs. For instance, at Kriptos, we build a 100% Windows-based solution, so our development runs on Windows.

Key security recommendations:

  • Use Windows with a genuine license to get critical updates.
  • Use a licensed antivirus to protect against emerging threats.
  • Install browser extensions like AdBlock to reduce risk from malicious ads.

If you need to develop on Linux, I recommend CentOS. It’s not the most user-friendly, but it's highly secure and can also function as a server.

How Should Source Code Be Stored?

It’s essential to store your code in a reliable cloud-based repository. Avoid poor practices like keeping personal versions of the source code—this can lead to major issues down the line.

Two highly reliable options:

  • Team Foundation Server (Microsoft) – Excellent cloud-based services.
  • Bitbucket (Atlassian) – We use this at Kriptos. It’s simple and very reliable.

How Do You Balance Security and Development Speed?

A few key strategies help maintain both:

  • When adding new features, spend 1–2 hours daily reviewing code for vulnerabilities.
  • Integrate unit tests to validate code automatically—learn basic TDD (Test-Driven Development).
  • Apply OWASP recommendations during development, not afterward.
  • For urgent bugs, pause other tasks and fix them immediately.
  • For non-urgent bugs, dedicate an hour a day to resolving them.
  • Use Continuous Integration (CI) to quickly deploy code into testing and production environments.

How Can Programmers Stay Updated?

I recommend the platform Pluralsight—their courses are highly relevant and well-structured.

Additionally, consider pursuing master’s degrees abroad. The technological culture in Europe and the U.S. is more advanced in many respects, and the learning experience is incredibly valuable.

Final Thoughts

Every leader and developer should understand current security regulations and how they apply to the specific products they’re building. Knowing the legal and technical requirements isn’t just good practice—it’s essential for building secure, reliable, and scalable software.
