Smart devices are big business. Technologists and innovators are consistently striving to come up with exciting products to fulfill the relentless demand in the market. Today, virtually all consumer electronics can be made intelligent enough to connect to each other and the internet, creating a vast spectrum of possibilities in which they can serve their owners.
As the channels through which modern gadgets interact with and accept commands from humans, apps have garnered as much, if not more success than the devices themselves. Thanks to applications, smartphone users can use their pocket devices for work, play and anything in between, businesses can deploy an app to easily market and sell their products, drivers can get around using their vehicles’ intelligent navigation systems, and a watch can collect and give its wearer health-related data like their heart-rate and the calories they burn in a day.
That said, the ongoing application boom has brought about dire concerns in the tech community. While smart devices are significantly improving the quality of life, they’re also expanding the playing field for cybercriminals. Mobile phones, for instance, are the gadget of choice for many when it comes to browsing the Web, connecting with friends and shopping. If a hacker manages to compromise any one of the many apps running on a smartphone, they can potentially gain access to the owner’s address, contact, and banking information, not to mention control over other gadgets that connect to the phone like computers and home security cameras.
It is therefore crucial for all businesses to ensure that their apps follow the right policies that guarantee top-notch security at all times. The practices below will go a long way into ensuring that the applications you have is secure.
1. The OWASP Top Ten Awareness Document
If you’re not aware of the OWASP Top Ten, it is an authoritative compilation of security risks that are critical to applications, as identified and agreed upon by project experts from around the world. The document cuts through various confidentiality and integrity concerns, including injection attacks, authentication and session management, data leaks, and security misconfiguration.
The OWASP (Open Web Application Security Project), an organization that provides unbiased and practical information about computer and internet applications, urges everyone in the app development industry to adopt the document as a guide to dealing with some the most common security risks. By being aware of it, the applications you have will stand a much better chance of not being breached.
Encryption is among the most effective protective measures you can employ to keep your app safe. It uses algorithms to turn plain strings of data into unreadable jumbled code that can only be translated using a unique encryption key.
HTTPS is your first option when it comes to encrypting your app. Designed to ensure secure communication over computer networks and the Internet, HTTPS implements Transport Layer Security (TLS), a cryptographic protocol that guarantees data integrity and privacy between an application and its server. Unlike the unprotected HTTP, therefore, HTTPS prevents attackers from intercepting and modifying data traffic.
It is also essential to encrypt data that is at rest. While HTTPS minimizes the risk of Man in the Middle (MITM) attacks, a direct attack on the server or the app through other means can be catastrophic. Therefore, endeavor to encrypt every single piece of data, including the app’s source code using cryptographic techniques like 256-bit AES encryption and SHA-256.
3. Proper Logging
Bugs are hardly ever realized until an app is finished and functional, and even then, they may not be severe enough to warrant immediate attention. However, an undetected or ignored flaw could be a potential opportunity for a hacker, and you might not be able to address the situation until it’s too late.
Robust logging infrastructure can provide quick information in the event of a breach, which means you’ll instantly identify the problematic bug and what was going on at the time of the attack, and you will begin to handle the event as soon as possible.
To implement proper logging, start by instrumenting your application. You can use any one of the many tools and services available for developers, such as Blackfire, NewRelic, and Tideways, depending on your programming language. Then, set up a quick-parsing solution, which will quickly and efficiently compile error information when the time comes. The Linux Syslog, ELK stack, and PaperTrail are useful utilities that can come in handy.
4. Real-time Security Monitoring
Your strategy to ensure the highest level of app security would be incomplete without considering a firewall. Firewalls are a critical line of defense against breaches. In particular, web application firewalls, or WAFs, are designed for HTTP/S-based applications to protect servers from common attacks like cross-site scripting (XSS) and SQL injection. A WAF can inspect traffic analogous to a conversation, and that means you can configure it to the needs of your application.
However, WAFs have a few downsides, most notably their inability to relate a present packet to the packet they receive in the past or future. Therefore, you won’t be able to use firewall activity to detect multiple attack attempts.
For comprehensive real-time monitoring, it is good practice to supplement a firewall with Runtime Application Self-protection (RASP) solutions. RASP sits inside an application’s runtime environment, be it Ruby, JVM, or .NET. It is therefore close enough to monitor vast amounts of information about an event in progress.
5. App Security Audits
New developers tend to be very keen about security when they’re making their apps for the first time. As they gather experience, however, they become confident in their abilities, so much so that they’re unable to critique themselves objectively.
If you’ve been in the development game for a while, you may not be able to notice a mistake when you’re reviewing your work. A professional security auditor, on the other hand, will look at your application from an independent perspective and can point out shortcomings that you might not have discovered otherwise. Moreover, auditors are typically abreast of current security issues and will know what to look for, from the obvious to the hidden threats. They can, therefore, quicken your application building process significantly.
New vulnerabilities crop up all the time, and that means the operating systems, server packages, application frameworks, and libraries you have today may not be secure tomorrow. If you’re using adequately supported tools, they will be frequently patched and improved to stay ahead of new threats. Always make sure you’re using the latest stable versions available.
Depending on your preferences, you can choose to automate updates or review and approve them manually. Most development packages and languages have update managers that make it relatively painless to keep them up to date.
7. What about Decentralized Applications (Dapps)
Data from Cisco’s annual report on cybersecurity for 2017 indicates that 20% of organizations surveyed had significant breaches within the past year that resulted in opportunity and revenue losses. Additionally, the recent Equifax data breach shows the danger of putting all critical identity information under one centralized authority. The breach is now considered among the most serious breaches as attackers have gotten hold of names, addresses, and even social security numbers all of which can be used to commit identity fraud.
Enterprises have become prime targets due to the customer and payment information that they collect from transactions. Threats are also becoming more widespread and complex. Distributed denial of service (DDoS) attacks are not just used to disrupt services but to mask other attacks such as data breaches and malware implantation. The rise in adoption of cloud services also added more complexity to infrastructure which increases vulnerabilities to attacks. Social engineering attacks such as phishing and email spam continue to exploit human vulnerabilities.
DDoS continues to be a major concern for businesses today particularly those that rely on uptime such as content services and ecommerce. Such attacks can be easily launched by malicious actors who rent botnets to carry out DDoS on any target. In 2016, a record-breaking DDoS attack on DNS service Dyn caused a major outage that affected other services like Netflix, Twitter, and CNN.
Cybersecurity companies haven’t been remiss in coping with these evolving threats. Data from Gartner, Inc. showed that worldwide spending on information security products and services reached $86.4 billion in 2017, an increase of 7% over 2016, with spending expected to grow to $93 billion in 2018. Despite this, many companies appear to be underspending and committing meager resources to protect themselves from attacks. This can be understandable to an extent. Security services, especially top tier ones, aren’t exactly cheap. Small to medium enterprises (SMEs) often have to get by using a patchwork of solutions that may still have vulnerabilities.
Blockchain ventures seek to change this; the technology has the potential to disrupt cybersecurity with new approaches to protection and costs. New solutions are emerging which leverage blockchain’s features for cybersecurity use. For instance, decentralized applications (dapps) which are based on blockchain’s distributed network are set to revolutionize the cybersecurity playing field.
Dapps create an innovative open-source software ecosystem, both secure and easy, in which to develop new online tools. Dapps will be more secure because decentralization will make hacking and fraud less prevalent because data stored on the blockchain cannot be altered and changed at a later date. These features will lead various industries to utilize the technology for practices where security is paramount; and that’s why services such as DAPP BUILDER are hoping to offer a platform that allows others to build and distribute decentralized applications.
This means that instead of relying on a centralized authority, records such as DNS information can be fully decentralized and stored securely over the blockchain.
8. Continuous Learning
In addition to keeping your app-making ecosystem updated, you should also work to keep up with the latest trends in application security. Given the numerous attack vectors in play today – cross-site scripting, SQL injection, code injection, and insecure direct object references, to make a few – it can be challenging to stay aware of everything.
Nevertheless, if you want to build secure applications, you cannot afford to be ignorant. The good news is that the Internet is swarming with information sources, which you can make use of to remain vigilant. Blogs like Krebs on Security and Dark Reading, along with Podcasts like Crypto-Gram Security and Risky Business will keep you well informed on what is happening in the global app-security scene.
Smart devices and applications are increasingly becoming a significant part of everyday life. But as the use-cases multiply, so does the concerns about security. As an app developer, you should strive to deploy applications that fulfill the safety expectations of their users. While there’s more to security than these eight practices, they’re an excellent place to start your journey towards building/deploying secure apps.