Security in software systems
Security needs to be a priority when developing any software system. At Wirebox, security is a core consideration when we develop and support our client’s applications. Today, we’ll go through the best practices, partner systems and services we use to implement our processes across 7 core security areas.
Traffic Security
To help with web traffic security, there are various considerations:
Web Application Firewall (WAF)
Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Distributed denial of service (DDoS)
DDoS attacks are a subclass of denial of service (DoS) attacks. A DDoS attack involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a target website with fake traffic. This must be guarded against.
Hypertext transfer protocol secure (HTTPS)
HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS uses an encryption protocol to encrypt communications. If a 3rd party sees traffic sent between your application and the web, the data will be encrypted and reading that data will be nearly impossible to do.
We implement traffic-based security measures using various tools. One popular system we use is Cloudflare. Their free tier should be enough for most clients, but upgrades are available.
Hosting Security
Where your application is hosted online, matters. We only work with certified and selected hosting partners, including:
Each hosting provider offers core security management services, including regular server-level maintenance and security patching. This is alongside robust user management functionality to restrict different users. We always look for hosts in our client’s country. This is important for data protection and GDPR rules.
Code Security
Code; and the frameworks that sit on top of the code, provide features to help with security. They can:
Prevent SQL Injection
SQL injections attack to exploit a vulnerability in databases. Frameworks have built-in features to prevent this and sanitise data from harmful characters.
Validate User Input
Checking what goes into the database will ensure data isn’t corrupted or compromised.
Protect against Cross-Site Request Forgery (CSRF)
CSFR is an attack that can trick users into performing unwanted actions. We can protect against CSRF by using tokens or hashes. Each request will have a unique value which you can ensure comes from your own application and not a 3rd party.
Encrypt Data
Data encryption is a process of transforming your data into an unreadable form. Frameworks can encrypt data using various methods. This protects sensitive data such as passwords, personal information and payment details.
Application Security
Increased security can be built in to help secure applications further. This includes:
Forcing secure passwords
Systems can require users to set passwords that have a minimum length or certain mixes of letters, symbols and numbers. This can help prevent brute force attacks and increase the time it takes for an algorithm to guess them.
Two-factor authentication (2FA)
Enabling 2FA helps security by adding an extra gateway to login. Adding this feature makes it harder for a hacker to compromise the system. The most common form of 2FA is the authentication app or getting a code via SMS.
Password Expiry
When a password is created, we can ensure it expires in 90 days, for example. On the 90th day, the user has to reset the password and cannot use the same one set before. This improves security if passwords are ever stolen.
Ongoing Security Monitoring
Security needs to be continuously reviewed and monitored. We do this in a number of ways:
Penetration Tests
3rd parties should conduct regular penetration tests to find and exploit any vulnerabilities. This simulated attack aims to identify any weak spots in a system’s defences that attackers could take advantage of.
After a test, a report is generated of anything that needs to be looked at in order of priority
- High
- Medium
- Low
Application Monitoring
We use software to monitor the application for errors. Errors must be reported and logged so they can be investigated and fixed. This system will send automated error reports which could be a security issue that needs immediate attention. That’s why a lot of clients choose our website support and maintenance services, so they don’t have to manage this (or the updates below) in-house.
Software Updates
All software requires regular updates. This might be new functionality or security patches. When you look after updates, you ensure good working order of the OS, codebase, framework, external libraries and hosting infrastructure. Technology providers have roadmaps which need to be planned and monitored so updates can be applied without affecting the application too much. They can sometimes take a while to apply. So, updates may need to be conducted out of hours or on certain dates. This needs to be planned and budgeted for. Working with someone like us can make this process simpler.
General Data Protection Regulation GDPR
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must ensure the information is: used fairly, lawfully and transparently. The majority of applications which offer booking or functionality to their customers online have to use the personal data of their customers. And the UK has specific laws on how this is to be used and processed. Information has to be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up-to-date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
These measures ensure appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage. However, other rules need to be in place for data retention and acceptance by users of how that data is processed under GDPR. The rules for data retention differ from the type of data processing rules you’d address with a company policy or legal team.
We can help you to unpick DPA, GDPR and all your cybersecurity needs. Why not reach out to our helpful team today with your questions?
