With current news surrounding the Sony Pictures cyber-attack, as well as recent memories of other 2014 security threats such as CryptoWall and the POODLE and BEAST exploits, businesses are placing information security at a premium as the calendar turns to 2015. When exploring options for new IT solutions, businesses will be looking for solutions that not only perform well but also help keep their companies safe and secure. So what does this emphasis on data security mean in the world of software design? For companies that develop software solutions for businesses, it means they must also place a high emphasis on security when designing solutions for their customers.
Wayne Rossi, Systems Architect at Miles Technologies, says that in order to successfully design secure software systems it is vital for a company to first create a set of Security Standards that all of its systems must adhere to. These standards will help guide developers in the building of systems, and also help assure clients that their solutions are being built with a focus on security. Rossi also says that since technology is always evolving, so too must these security standards. Research and development is a vital part of software design as a whole, and this is no different when it comes to application and web server security. Part of a development company’s security process should involve dedicating resources to staying up to date with the latest security standards.
A Process to Identify Secure Practices
One of the main challenges in security for software design is finding a happy medium between security and functionality. “It is important to find a balance between convenience and security,” says Rossi. “People want to be able to access data easily. It is up to developers to make sure employees have the minimum access required to be able to do their job.” Decisions regarding data access are very important for companies that regularly use sensitive data such as social security information, healthcare records or credit card information. Businesses want to ensure a potential security breach in an individual employee’s account will do the least amount of damage possible to the system or company as a whole.
Part of the process to identify secure practices also involves determining the unique business needs of the client for which the software system is being built. Some companies, for example, have certain minimum security standards they must meet in order to maintain compliance with standards set forth by agencies or governing bodies such as HIPAA, PCI and the FDC. Extra security measures may also mean parts of the system will be less convenient for users and could come at a higher cost to develop. Businesses need to weigh their risks and determine whether a slightly higher up-front cost is worth the potential to save money and be more secure in the long run.
Examples of Secure Practices
There are a number of different software design methods and techniques that developers can use to design systems that are both secure and functional. While many features are designed to improve the security of the system, they are not without their potential downsides. Some prominent examples of secure practices according to Rossi are:
Having links sent by email expire at a pre-determined date and time: This provides extra security for a software application or system in case a user’s email account is compromised. If a link grants access to sensitive data, it will likely come with a very short window of accessibility before it expires, in order to minimize the opportunity for it to fall into the wrong hands. The obvious downside is that the user has a limited amount of time to access the information he or she needs before potentially having to go through the process of getting another link sent.
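As an added illustration of this practice (example code written for this article, not Miles Technologies' or Rossi's own implementation), the following Python builds an expiring link token: the resource reference and an expiry timestamp are signed with an HMAC, so a recipient can neither extend the deadline nor point the link at a different record. The secret key, the resource id and the 15-minute lifetime are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for the example; a real deployment loads it
# from a secret store and never embeds it in source.
SECRET_KEY = b"example-only-secret-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe inside a link."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link_token(resource_id: str, ttl_seconds: int, now=None) -> str:
    """Create a token naming `resource_id` that stops working after ttl_seconds.

    The payload carries the absolute expiry time, and the HMAC covers the whole
    encoded payload, so neither the id nor the deadline can be edited.
    """
    now = int(time.time() if now is None else now)
    claims = {"rid": resource_id, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{mac}"


def verify_link_token(token: str, now=None):
    """Return the resource id if the token is authentic and unexpired, else None.

    The signature is checked before the payload is parsed, so a forged or
    malformed token never reaches the JSON decoder or the expiry check.
    """
    now = int(time.time() if now is None else now)
    try:
        payload, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:  # expired links are refused outright
        return None
    return claims.get("rid")


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = make_link_token("invoice-1215", 15 * 60, now=issued_at)
    print("one minute later:", verify_link_token(token, now=issued_at + 60))
    print("one hour later:  ", verify_link_token(token, now=issued_at + 3600))
```

The token would be appended to the emailed URL as a query parameter; the server recreates the MAC with its own key and refuses anything that fails the comparison or has passed its expiry, which is the behaviour Rossi describes. When a link is used to reach sensitive data the server should still confirm that the logged-in user is allowed to see that resource, since the token only proves the link was issued, not who is holding it.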
Storing cryptographic hashes of passwords instead of the passwords themselves: Rather than storing actual passwords in a software system, developers have the option to store only the hash digest, which is extremely difficult to invert. This way, if a password file is compromised, the attacker should not gain access to users’ actual passwords. The one downside to this method for users is that if they forget their passwords, they cannot be recovered. They can only be replaced with new ones.
Performing more logging: The more data and information that is logged, the more opportunities there are for proactive monitoring of security risks. There will also be more information available to analyze the causes of security issues that do arise. The potential downsides include the time it takes to record and review the logs, as well as the amount of storage space needed to house the logged data.
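To show the "proactive monitoring" side of this practice, here is an added example (written for this article, not Miles Technologies' code) that parses a few constructed authentication log lines and flags any account with a burst of failed logins inside a short window. The log format, user names and addresses are all made up for the example; the detection logic is what matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). One malformed line
# is included deliberately so the parser's handling of it is visible.
SAMPLE_LOG = """\
2014-12-15T09:00:01Z event=login_failed user=jdoe src=203.0.113.5
2014-12-15T09:00:09Z event=login_failed user=jdoe src=203.0.113.5
this line is not in the expected format
2014-12-15T09:00:15Z event=login_failed user=jdoe src=203.0.113.5
2014-12-15T09:00:22Z event=login_failed user=jdoe src=203.0.113.5
2014-12-15T09:00:30Z event=login_failed user=jdoe src=203.0.113.5
2014-12-15T09:00:41Z event=login_ok user=jdoe src=203.0.113.5
2014-12-15T09:05:00Z event=login_failed user=asmith src=198.51.100.7
2014-12-15T09:30:00Z event=login_ok user=asmith src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return (user, timestamp) pairs where a user reached `threshold` failed
    logins within `window`. Timestamps are returned as the original strings."""
    recent = defaultdict(deque)  # per-user sliding window of failure times
    alerts = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["event"] != "login_failed":
            continue
        q = recent[rec["user"]]
        q.append(rec["when"])
        while q and rec["when"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((rec["user"], rec["ts"]))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = find_failed_login_bursts(SAMPLE_LOG.splitlines())
    print("alerts:", found)
    print("unparseable lines:", bad_lines)
```

The same sliding-window idea applies to other events worth logging (password resets, privilege changes, exports of sensitive records); the storage trade-off Rossi mentions is real, which is why the detector keeps only the events inside the window rather than everything it has seen.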
Do not include IDs in URLs: Using a record ID in a URL can leave a system vulnerable to security breaches. Rossi uses the example of an electronic invoice. If a customer gets a URL for an invoice that contains something along the lines of “ID=1215,” what is to stop them from typing different numbers instead of 1215 just to see what happens? An ID in a URL can inadvertently open the door to sensitive data that is not meant to be seen by other parties.
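The following Python is an added example (written for this article, not Miles Technologies' or Rossi's code) of the invoice scenario above. It places the pattern Rossi warns about beside the two defences that go together: an ownership check on every lookup, and an unguessable reference in place of the sequential ID. The invoice data, customer names and the `secrets.token_urlsafe` reference format are constructed for the example; the check also illustrates the "minimum access required" principle from earlier in the article.

```python
import secrets

# Constructed sample data: invoices keyed by sequential ID, each owned by a customer.
INVOICES = {
    1215: {"customer": "acme", "total": 480.00},
    1216: {"customer": "globex", "total": 1290.50},
}

# Opaque reference -> invoice ID, populated when a link is issued.
PUBLIC_REFS = {}


def get_invoice_insecure(invoice_id: int, current_customer: str):
    """The pattern to avoid: whatever ID appears in the URL is served, so a
    customer who changes 1215 to 1216 sees another customer's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_secure(invoice_id: int, current_customer: str):
    """Serve the invoice only if the logged-in customer owns it.

    "Not found" and "not yours" produce the same answer, so the response does
    not reveal whether a guessed ID exists.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["customer"] != current_customer:
        return None
    return inv


def issue_public_ref(invoice_id: int) -> str:
    """Create an unguessable reference to put in the URL instead of the ID.

    128 random bits cannot be enumerated the way 1215, 1216, 1217 can.
    """
    if invoice_id not in INVOICES:
        raise KeyError(invoice_id)
    ref = secrets.token_urlsafe(16)
    PUBLIC_REFS[ref] = invoice_id
    return ref


def get_invoice_by_ref(ref: str, current_customer: str):
    """Resolve an opaque reference, then still apply the ownership check:
    an unguessable URL is not a substitute for authorization."""
    invoice_id = PUBLIC_REFS.get(ref)
    if invoice_id is None:
        return None
    return get_invoice_secure(invoice_id, current_customer)


if __name__ == "__main__":
    print("insecure, acme asks for 1216:", get_invoice_insecure(1216, "acme"))
    print("secure,   acme asks for 1216:", get_invoice_secure(1216, "acme"))
    ref = issue_public_ref(1215)
    print("acme's link:", f"/invoice?ref={ref}")
    print("acme follows it:  ", get_invoice_by_ref(ref, "acme"))
    print("globex follows it:", get_invoice_by_ref(ref, "globex"))
```

Of the two defences, the ownership check is the one that must never be omitted; the opaque reference mainly stops casual enumeration and keeps internal record numbers out of links and browser histories.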
Using a web vulnerability scanner to test applications: There are products available, such as Acunetix, that will test the security of your system by mimicking the techniques that hackers use to try to gain access. Based on their tests, these tools identify areas of the application that may be potential security vulnerabilities. Rossi recommends that a tool like Acunetix be used on every newly developed application as well as on system takeovers.
Rossi also says that in addition to following secure practices themselves when it comes to software design, development companies also have the option of enhancing their applications with additional measures such as requiring SSL for all systems or utilizing a PCI-compliant third-party system for storing credit card information.
What are your top tips for information security and risk mitigation? Let us know in the comments below. We’re keen to hear your thoughts.