Ok guys and girls. We are all adults here. Let’s face the facts: if something is uploaded to the internet it may as well be considered hacked by default.
Yep, things are really THAT bad. You don’t even have to take my word for it – check out the facts.
Do you remember what kicked off 2018? A series of hacks and the disclosure of the Spectre and Meltdown vulnerabilities. Yes, they were patched soon enough, but there was a short window when every internet-connected device on our planet was at risk.
2017 wasn’t any better, with successful attacks on Equifax and the devastating WannaCry. The bad news doesn’t end there:
- 54% of companies had to deal with one or more successful attacks that compromised either vulnerable data or the functionality of their IT infrastructure.
- 69% of companies have no faith in antivirus software of any kind.
- Only one out of three organizations believes that their in-house or other resources are enough to handle cybersecurity threats.
A futile battle?
Does this mean that all of your attempts to maintain the integrity of your solution online are futile? Like hell it does. You can still put up a great fight that will scare off 99% of hackers, and the remaining 1% will never have an interest in you unless you are a governmental authority with secrets or a massive international Evil Co.
How does this work?
There are hackers who call themselves hacktivists, and they only target digital resources that are doing something wrong (at least in their opinion). These hacktivists are skilled, but they are few and far between. They are not a threat to business.
Then there are the hackers who are in it for the money. Decent security mechanisms will prevent them from easily accessing your systems, and these guys won’t go the hard way. Why? Because there are simply more fish in the sea for them to catch. They don’t have the time to break their teeth on you over and over again.
So, basically, your security is in place to serve as a “beware of dog” sign that should scare off the 99% of attackers.
Our teams at TrendLine had the pleasure of working with penetration testers and white hat hackers on a plethora of projects from the banking, finance and medicine industries.
We have used the time spent together to master the art of secure development that can guarantee protection against 99% of threats on any given project.
Is there still that 1% chance that your security will be breached? Yes, but would you rather take it or the 100% possibility of being hacked?
So, how do you ensure the security of your project?
- Encryption is not a panacea. It’s not a one-size-fits-all deal. Why? Because anything that is encrypted can also be decrypted. Take passwords and user names, for example. If they are encrypted, the encrypted store is a separate file that attracts interest, and it can be decrypted. Hashed passwords, on the other hand, do not have the same issue.
- Secrets never stay hidden. Haven’t you seen the action movies where a world-ending threat is prevented by the good guy using a back door into the system? If a project as big as the Death Star could be blown up by one precise laser shot, what makes you think that having a back door into your software is a good idea?
- Don’t think that people won’t do random, obscure or even stupid things to get into your system, because they will. A hacker knows how a developer thinks. A hacker knows that if certain behavior is ridiculous or inefficient, the developer won’t think of it as a threat… or even a possibility for that matter. It’s just not how their brains work.
- Don’t store any data in your system just because you can. Do you actually need the email of the person that is using your product or do you have that field because everyone else does? Because storing personal data for the sake of it can result in a devastating lawsuit or an overwhelming blow to the brand if you do get hacked. Not having any of that data could save you from many headaches.
- Passwords are weak. They simply can’t handle the pressure everyone places on them. Verification that puts several hurdles in front of the user does a much better job of keeping profiles safe. It’s easy to learn someone’s password. It is harder to steal their phone to get the text message with the verification digits you’ve sent.
- What about legacy code? Do you have any? And is it updated in a safe, secure way like the rest of the system? If you haven’t thought about that one – you should. Fast.
- There will always be a battle between functional requirements and security requirements. People have to do things like logging in from various devices, locations and profiles. People demand great UX today, and you are obligated to deliver it if you wish to stay ahead of the curve. The thing is – if the app is easy for the user, it is also easy for the hacker, and there is no way around it. Consider segregating the most sensitive operations into a separate, more protected system. Take a look at the banks for an example: anyone can send money to your account, but no one can withdraw it without your permission, password or another form of verification. Do the same in your app.
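As an added example (not TrendLine’s code and not part of the original post), here is a Python sketch of two points from the list above: storing passwords as salted hashes instead of reversible ciphertext, and adding a second hurdle in the form of a short-lived, single-use verification code. The PBKDF2 round count, the five-minute code lifetime and the three-guess limit are assumed values to tune for your own system.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example (not TrendLine's code) of two "hurdles" for a login:
# 1) passwords stored as salted PBKDF2 hashes, never as decryptable ciphertext;
# 2) a short-lived, single-use numeric code as the second verification step.

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware

def hash_password(password: str) -> str:
    """Return 'salthex$digesthex'; the random salt makes equal passwords look different."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash under the stored salt; there is no key that could reverse it."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare

class SecondFactor:
    """Issue and check one-time codes: they expire, work once, and allow few guesses."""

    def __init__(self, ttl_seconds=300, max_attempts=3, now=time.time):
        self.ttl, self.max_attempts, self.now = ttl_seconds, max_attempts, now
        self.pending = {}  # user -> [code, expiry timestamp, attempts left]

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # the digits that would be sent by SMS
        self.pending[user] = [code, self.now() + self.ttl, self.max_attempts]
        return code

    def check(self, user: str, code: str) -> bool:
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1] or entry[2] <= 0:
            self.pending.pop(user, None)  # expired or guesses exhausted: require a new code
            return False
        entry[2] -= 1
        if hmac.compare_digest(entry[0], code):
            del self.pending[user]  # a code is only good once
            return True
        return False
```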
Do you still have any questions regarding software security and cybercrime-proof development? Feel free to ask us and we’ll get back to you with an answer soon.
As for now – keep calm and stay safe!