We all remember the infamous security breach announcement by Yahoo, which said that 3 billion user accounts were affected in a cyber-attack in 2013. The report put the company at the top of the list of massive security breaches. The year 2017 brought a broader wave of such news. In August, Equifax, a credit rating agency, revealed a data breach that affected 143 million people. According to the security firm Gemalto, around 2 billion records were stolen globally in the first half of 2017.
Such security breaches will continue to occur: hacking tools used by government agencies were recently leaked online, making it easier for hackers to introduce malware and steal data from companies. According to the Cybersecurity Ventures report, the world will suffer a loss of $6 trillion annually by 2021 owing to cybercrime, which is even more than the damage caused by the global trade in illegal drugs.
These daunting figures show why it is essential to secure any kind of software before launch. Here are five tips to build a solution with security in mind:
1. Prevent SQL injection
SQL injection is one of the top entries in the OWASP Top 10 list of web application vulnerabilities. The OWASP Mobile Security Project was started with the intent of giving developers a list of common factors that threaten the security of a web application. SQL injection is quite common and occurs when data from an untrusted source enters the application and reaches a database query unchecked. Common entry points include shopping carts, sign-up forms, and login forms.
SQL injection is common because SQL is a universal language used by all databases, and exploiting it does not require much expertise. SQL injection allows hackers to change existing data. A hacker can also disclose or destroy all data, or, even worse, become an administrator of the server. Developers can prevent SQL injection through query parameterization: the query's structure is handed to the server separately from the user-supplied values, so the server knows which parts are SQL and which parts are data before it executes anything.
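The login-form case described above, as an added example that is not part of the original article: a query built by string concatenation beside the parameterized version, run against a constructed in-memory SQLite table so it can be tried offline.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a real login database: one user row.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return db


def login_vulnerable(db, username, password_hash):
    # Vulnerable: the untrusted username is spliced into the SQL text, so the
    # database cannot tell where the query ends and the user's data begins.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password_hash):
    # Hardened: the query structure is fixed up front and the values are bound
    # as parameters, so the database treats them as data, never as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a username that comments out the password check.
    payload = "alice' --"
    print("vulnerable   :", login_vulnerable(db, payload, "wrong"))      # True
    print("parameterized:", login_parameterized(db, payload, "wrong"))   # False
```

The same string that logs in without a password through `login_vulnerable` is just an unknown username to `login_parameterized`.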
2. Encrypt everything
Encryption is the most critical step in securing an app. In 2014, hackers attacked eBay and stole information from 100 eBay employees. This way the hackers got access to the company’s internal network from where they took data of around 145 million customers. What’s interesting is that the hackers tampered with eBay’s systems for 229 days without the company noticing.
Such cases happen when encryption is poorly implemented. Attackers can install stolen certificates that let them hide, and these rogue certificates go undetected when the organisation's HTTPS tooling cannot see all of its keys and certificates.
LinkedIn also got complacent with its mobile application. When the company introduced its new calendar integration feature, it transferred local calendar data to LinkedIn servers in the clear over the internet, where it was readily available to anyone looking for it.
See to it that your application's traffic is encrypted: make sure that all communication between the software and its servers goes over HTTPS connections.
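An added example, not from the original article, of what "all communication over HTTPS" looks like on the client side in Python's standard `ssl` module: the verification-off context people reach for to silence errors, beside a hardened one, plus a SHA-256 certificate pin check that would flag a certificate you did not issue. The pin values and host are assumptions you replace with your own.

```python
import hashlib
import socket
import ssl


def make_weak_context():
    # Weak: certificate and hostname checks disabled, so any certificate,
    # stolen or self-signed, is accepted. check_hostname must go first.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context():
    # Hardened: OS trust store, TLS 1.2 or newer, certificate and hostname
    # verification required.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_fingerprint(cert_der):
    # SHA-256 over the DER-encoded certificate, the usual pin format.
    return hashlib.sha256(cert_der).hexdigest()


def certificate_is_pinned(cert_der, pins):
    # Pinning: only certificates whose fingerprint the app already expects pass,
    # so a rogue certificate chained to a trusted CA is still rejected.
    return cert_fingerprint(cert_der) in pins


def open_pinned_connection(host, pins, port=443):
    # Full verification first, then the pin check on the leaf certificate
    # the server actually presented (needs network access).
    ctx = make_hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    if not certificate_is_pinned(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("certificate fingerprint does not match pin set")
    return sock
```

Keep a backup pin for the next certificate so a routine rotation does not lock your own clients out.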
3. Ensure password security
Password security is of utmost importance in any application development. Adobe's 2013 data breach is infamous because the company did not store passwords securely. Often, applications make the mistake of storing passwords unencrypted, which makes them more vulnerable to attacks.
Thus, you should secure passwords in such a way that they are not recoverable from the database. To secure passwords in the true sense, you can use a cryptographic hash, a one-way function designed to mix and shred its input so that the original cannot be reconstructed. Also, you can use a strategy called 'hash and salt', whereby each password is combined with a random value called a salt before it is hashed.
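The hash-and-salt strategy above, written out as an added example (not code from the original article) using PBKDF2-HMAC-SHA256 from Python's standard library: a fresh random salt per password, a slow iterated hash, a self-describing stored string, and a constant-time comparison on verification. The iteration count is an assumption; tune it to your hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed cost; raise it as hardware gets faster
SALT_BYTES = 16


def naive_hash(password):
    # What an unsalted, fast hash looks like: same input, same output, every
    # time, and cheap enough to brute-force at scale. Shown for contrast only.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    # A fresh random salt per password means two users with the same password
    # get different hashes, and precomputed (rainbow) tables are useless.
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    # Store everything needed to verify later: algorithm, cost, salt, digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: same password, two users, two different stored values.
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print(a != b, verify_password("correct horse", a), verify_password("wrong", a))
```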
4. Implement multifactor authentication
Using just passwords for authentication is becoming obsolete as the world moves towards multifactor authentication. Many websites and apps, including some from Google and Apple, offer multifactor authentication today. The importance of multifactor authentication was made clear by the payment app Venmo and its security breach incident. The account of a Venmo customer named Griswold was compromised, and he only found out when just $3000 was left in it. Although it was not clear how the attacker gained access to his account, Venmo was criticized because it did not support two-factor authentication.
The most common form of two-factor authentication is delivered through apps. However, it is less secure. Recently, Twitter updated its platform security by allowing users to use third-party authentication. Twitter users can now use third-party apps such as Google Authenticator for verification.
5. Conduct a security audit
So, you think you have done everything to secure your application, and it is immune to any attack? Think again. You may have also tested and re-tested your software, but it does not guarantee that your security is bulletproof. This is because developers write the code themselves, which makes it easier for them to neglect or overlook specific factors. This is why it is necessary to have your solution looked at from a different perspective.
To conduct a successful audit, you first need to establish what your requirements are. You also need to identify the types of risk your application might be exposed to, so that appropriate tests can be designed. You can also use automated tools for the job; they reduce costs dramatically and widen the coverage.
Summary
As the world becomes increasingly connected and our reliance on software solutions grows, the importance of security cannot be overemphasized. Moreover, with cybercrime on the rise, it has become impossible for any web application to survive without it, especially the ones that involve payment systems such as PayPal, AliPay, or Venmo. Cybersecurity is becoming more challenging with each passing day because hackers are getting smarter and more sophisticated. Black hats are often a step ahead of the white hats.
It only takes an experienced hacker 10 minutes to crack a six-character password, depending on its complexity. Alarming, isn't it? These cyber thieves make a lot of money doing what they do and are not stopping anytime soon.
With a plethora of options available on the market and low switching costs, customers will not hesitate to choose another solution instead of yours. Once your reputation is tarnished, it is difficult to recover.
This guest article has been contributed by Ashley Rosa. She is a freelance writer and blogger. Writing is her passion, which is why she loves to write articles about the latest trends in technology and sometimes about health-tech as well. She is crazy about chocolates.
Photo credit: Mark Hawkins / Development Seed
Source: Seena Gressin (FTC), Cybersecurity Ventures, Gordon Kelly (Forbes)