Security is crucial for any project, whether you’re building a hobby application on the terrestrial internet or a fully operational battlestation in a galaxy far, far away. That said, security isn’t easy. Every few years, the OWASP group publishes the Top Ten list, which reviews the most common security mistakes in applications across the internet. The same few vulnerabilities have been at the top of the list for years: SQL injection, broken session management, cross-site scripting (XSS) vulnerabilities.

The details of these attacks have been well-known for over a decade, but they still top the list. Even when we know better, it’s easy to keep making the same mistakes over and over again.

These mistakes can have profound implications. Verizon’s multi-billion dollar purchase might fall apart because of Yahoo’s knack for setting records with really big data breaches. A Russian hacker claims to have breached the U.S. Election Assistance Commission because of an unpatched SQL injection flaw.

I find your security vague and unconvincing

In the Galaxy Far Far Away, these same types of security mistakes led directly to the data leak that doomed the Death Star. (Be warned: spoilers for Rogue One ahead.)

Strong authentication and session management

In a recommendation straight from OWASP, the stolen freighter should have never been allowed through the shield gate on Scarif with expired credentials. Whether it’s access tokens or callsigns, the ability to enter a highly secure system should be properly expired. And, when the client (or ship) presents authentication tokens through an untrusted connection, the tokens should be validated to make sure they haven’t been forged or tampered with.
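The two checks described above, expiry and integrity, shown as an added Python example (not code from the original post or from Stormpath): the server issues a signed token with an expiry, and the gate verifies the HMAC signature before it even parses the payload, then rejects anything past its expiry. The secret, the subject names, and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret that never leaves the issuing service.
SECRET = b"hypothetical-server-side-secret"


def issue_token(subject: str, ttl_seconds: int, now: float, secret: bytes = SECRET) -> str:
    """Build '<base64 payload>.<hex hmac>' with an absolute expiry time."""
    payload = {"sub": subject, "exp": int(now) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, now: float, secret: bytes = SECRET) -> tuple[bool, str]:
    """Return (accepted, subject_or_reason).

    Order matters: check the signature on the raw body first, so untrusted
    bytes are never parsed before their integrity is established.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"

    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' leaks timing about the signature.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"

    # Expiry is enforced by the gate, not trusted from the client.
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, payload["sub"]


if __name__ == "__main__":
    # Constructed scenario: a 5-minute credential presented at two later times.
    tok = issue_token("pilot-42", ttl_seconds=300, now=1000)
    print(validate_token(tok, now=1100))   # accepted while still valid
    print(validate_token(tok, now=1400))   # rejected: expired
```

A real deployment would add a key identifier for rotation and a short clock-skew allowance, but the two properties the post calls for are the ones the function enforces: nothing unsigned or altered gets through, and nothing stale gets through.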

Multifactor authentication

At any point during or after the initial intrusion, requiring multiple types of authentication would have prevented the data breach. This is multifactor authentication in a nutshell: sometimes it’s possible to steal a password (or a freighter), but stealing a password and a second factor is much more difficult.

If these basic security principles had been followed, it would have been impossible for the rebel scum crew of Rogue One to leak the critical information that led to the outcome of the Battle of Yavin. (Whether that’s good or bad depends entirely on your point of view, of course.)

How to do security right

If you’re building a battlestation, make sure you hire competent security professionals, and don’t make the same mistake three times in a row.

If you’re building something a little closer to home, you’ll need to securely handle authentication and identity management. If you don’t want the risk of building it yourself, we can be a useful ally.

Stormpath provides best-in-class security for concerns like authentication, authorization, single sign-on, and social login for web and mobile apps. Check out one of our quickstarts for your favorite web framework!

And don’t forget to review the OWASP Top Ten list, no matter how you’re building your application. Nothing less than the future of the galaxy could be at stake.