How to build safe software
07. January 2020
An article by Mobilunity.
Although business owners are usually well-aware of how serious security threats are, it’s only after a data breach occurs that most companies start taking countermeasures and prioritising defence.
Cybersecurity negligence often comes at a huge cost to businesses. Aside from reputational damage the legal and financial implications are steep. The General Data Protection Regulation no longer enables companies to ignore the threat of being hacked or having their user’s data stolen.
How should a software developer or manager approach security? What are the main threats a software engineering team should be prepared for?
The 4 most dangerous security threats
Before taking proactive steps to strengthen a company’s defence, it’s important to make sure you know what security breaches are the most likely to put user data and the integrity of the system in jeopardy.
Here are the most common and hard to foresee security threats:
1. Security misconfigurations
The computer security software infrastructure of an app consists of multiple components - databases, firewalls, operating systems, and others. By reconfiguring these elements, developers ensure that the project is protected from intrusion. Naturally, misconfiguring or forgetting to update a database increases the risk of attacks. To prevent security misconfiguration threats, make it a habit to create and run penetration tests as you are engineering the software.
2. Malware infection
Every year, new types of malware, spyware, and viruses are deployed. To make sure your web application is up to date, update the firewall regularly. Running constant file backups is crucial as well - in case a system is infected, you should be able to delete all files on the filesystem while avoiding extensive downtimes and ensuring the system is up and running as soon as possible.
3. Phishing attacks
These attacks usually happen as a result of poor corporate education and communication. To ensure employees are not scammed or asked to trade-sensitive corporate data, it is worth including cybersecurity software discussions during the onboarding process. You can also set up anti-phishing tools and extensions that will automatically spot suspicious letters and alert you. The most common tools business managers usually use are:
- Google Safe Browsing
- Kaspersky Internet Security suite
- ESET Smart Security
- eBay Toolbar
4. Brute force attacks
A common way for hackers to penetrate the authentication system is by guessing users’ passwords. Although brute force attacks take a while to complete, there’s no way for developers to fully ensure they will not happen. Setting strict authentication limits and educating users to come up with secure passwords is a way to reduce the risk of a third-party intruder getting their claws in and increases the level of security software is capable of providing. You can use protective extensions as well. Here are some worthwhile tools for brute-force attack protection:
- Rainbow Crack
- Cain and Abel
Has my software been hacked?
All software developers want to believe they have the network security of their apps completely under control. But how do you know if an intruder has penetrated your software’s defence? Here are the telling signs:
Sign #1. Unaccounted for log messages
If, after you monitor FTP and HTTP log there has been an elevated number of outbound and inbound connections - you are looking at the first signs of malicious activity. The thing is most connections with your web server should be initiated from internal databases. Any outbound connection is suspicious by nature. To check if there isn’t’ an intruder in the system, make a habit of monitoring admin logs since most hackers will likely leave a footprint there as well.
Sign #2. Changing file names
The change in file names or timestamps are a major red flag that indicated someone has likely accessed the system. Be sure to keep logs of all the files and plugins you add to the software. Tools like WhiteHat Security can come in handy if you want to scan the filesystem of the software.
Sign #3. The software is malfunctioning
If the app does not behave like it is supposed to, functional bugs might not be to blame. If there are 404 Pages or unsolicited redirects, presume a security attack has taken place and apply countermeasures such as protecting sensitive data or deleting all files from the system altogether and running a backup when there are no signs of intruders.
How to protect your software from security attacks
A plethora of security threats and vulnerabilities can often make software developers feel helpless and confused. As long as you follow basic data protection practices and are knowledgeable about security standards you will likely have nothing to worry about. After all, most hackers attack websites that are not well-protected.
Best practice: To help you develop software that’s 100% secure, below are a few things to consider:
- Make sure your database is immune to SQL injections. To do that, a developer has to parametrise SQL statements to ensure random characters inserted by an attacker will not be treated as a command. You can handle parametrisation in Java or another programming language
- Encode data. When protecting the software from XSS attack, you want to ensure the interpreter will not confuse data and executable statements. For that, developers use encoding tools - Java Encoder for Java and Anti-XSS library for .NET-based projects
- Set default access control to ‘Deny’. Restricting data access and not granting users more privileges than they need to use the platform comfortably is one of the basic ways to prevent security attacks. Be sure to locate data access settings in a separate library rather than spreading them all over the business logic. Make sure to set default access settings to ‘Deny’ - that would require a user to log in before getting admin privileges
- Set up advanced intrusion detection mechanisms. In case you failed to protect the software from intrusion, the next best thing is being able to spot the attack quickly and activate a contingency plan. To know about the intruder immediately, use extensible logging frameworks - ApacheLog4j, SLF4J, and others
- Improve error handling. Exception handling might not seem to be closely connected to security - however, it is to blame for multiple exploits and vulnerabilities. To protect the software from attacks, be sure to not disclose too much technical information when sending error messages
- Don’t miss out on security testing. Thorough security code reviews come in handy when preparing the product for release. Make sure your testing team has high code coverage and is capable of security-testing the software’s core features. There are plenty of assistive technologies designed to improve the efficiency of software testing and debugging - development teams can use Gauntlt, Zapper, and other tools
Ensuring the security of your software projects is crucial to avoid maintenance losses and reputational damage. By validating data safety across every step of the development cycle and monitoring the state of the system once the product is out, teams can protect themselves against the most advanced security attacks.
To learn more about Drooms and how we keep data safe read on here.