Security Testing: How to Avoid Data Breaches and Lawsuits
App security is moving up the agenda for development teams this fall. In case you aren’t aware, Apple has set a deadline of the end of this year for the App Transport Security encryption protocol to be in place. As of the first of January 2017, Apple will no longer support non-HTTPS apps.
Yet encryption’s just one aspect of app security. Security scare stories and cautionary tales circulate widely. I don’t need to tell you how data security vulnerabilities in an enterprise can kill share price, reputation and brand equity in the event of a breach. How can we ensure we build secure apps? As much as I could launch into a personal manifesto on the importance of building security into the dev process, the truth is that app security is highly interlinked with everything the app touches. So if you’re about to develop an app for your business, here are ten security considerations that you need to bear in mind.
1. Involve the security team – Whether the initial planning and development is being carried out in-house or by an app development partner, bring your security team into the discussion. Firstly, they can set out the standards to which developers need to adhere. Secondly, they can advise on defining the app security architecture and design features. Don’t forget to ensure they’re part of subsequent sprint reviews.
2. Secure-as-you-code – Building in security at the development phase makes good sense. It’s much harder to fix flaws at later stages of the process; it costs a lot more in money as well as resources. Agile methodologies will help you here. Writing good security code as you go along lends itself to the Agile way of doing things, and will complement your efforts to drive CI/CD too.
3. Coach and mentor – Small, focused development teams, another favorite among Agile practitioners, also suit the transfer of security knowledge. Just as you’d cross-train team members for other disciplines, remember to pair more advanced security coders with less experienced ones, spreading good security practices throughout the SDLC.
4. Make it personal – Try to ensure your developers have a vested interest in writing more secure code by making company security standards less like edicts handed down from on high, and more like tools that will improve the way they code. I’ve seen this done by introducing a little bit of competition between teams, but if that approach isn’t right for you, how about implementing a system of shared, standard libraries that are maintained for all to use? It’s a relatively small move but one that helps solve common security problems for developers.
5. Use code scanners – App code scanning technologies abound and are to be recommended. A note of caution: these tools aren’t a substitute for a solid security plan that’s implemented and tested throughout the dev process. Use them in conjunction with other measures.
6. Use white hat hackers – You can learn a lot about your apps’ vulnerabilities, indeed your whole enterprise IT architecture, from planned penetration testing exercises.
7. Learn, re-learn and remain vigilant – How seriously developers take security is a function of how seriously it’s treated in the company. Facilitate learning wherever possible among your own team, stay abreast of the latest threats and look for solid security credentials in your app dev partner. Clients expect us to have deep technology expertise in whichever architecture or tool is in question. Part and parcel of that deep understanding is mitigating the security vulnerabilities inherent in that specific area.
8. Code reviews – We’re used to code reviews more generally, but make them specific to security. Security-related code (authentication, encryption, etc.) should be reviewed as a minimum. Next, pay attention to other app functions and processes that could inadvertently introduce security weaknesses into the app.
9. Regular training – Enterprises that invest in good developer security training will reap the rewards in terms of better code and quicker fixes. Don’t let security training be something that just happens when new developers come on-board. Demonstrate how important security is by mandating regular sessions for team members and consider extending them to your app development partner.
10. When bad things happen to good apps – Enterprise security used to be about guarding the perimeter and “keeping the bad guys out”. Now we understand it’s more to do with how information flows through the organization, who has access to it, who controls that access and so on. A large proportion of breaches happen from within organizations, and most involve compromised admin credentials. Unless solid identity and access management is in place in the organization, good app security cannot be assured. There’s no point bolting a basically good app on to a vulnerable structure and hoping for the best.
If there are any aspects of your app’s development and testing you’d like to discuss in more depth, please get in touch.