Long gone are the days when you can respond to an app security breach by patching and praying. Cyber-attacks, leaks, and service disruptions are almost normal in this day and age, with even tech giants like Facebook and Google suffering their fair share of cyber woes. The bottom line is that attacks and disruptions happen worldwide. And they’re only getting more sophisticated—exemplified by a rise in supply chain attacks, spear phishing, and ransomware to name a few.
While there’s no magical solution to running software securely, companies can take actionable steps to minimize risk. As a highly-innovative software engineering company with an array of customers in the healthcare and aerospace industry, we know a thing or two about software security. Our team at Mobile Jazz has spent the last decade fine-tuning software security practices, helping mission-critical brands like the Australian Royal Air Force and Clip Health with their software development. The result? We’ve gained some incredible insights we’d like to share.
Hang around as we guide you through our four tried and tested ways to secure software. By the end of this article, you’ll have a crystal clear understanding of what it takes to ensure your company doesn’t end up in the throes of a cyber attack.
How The Heck Do Cyber Attacks Happen?
These days, too many applications are wide open, unknowingly inviting themselves to get hacked. Here are a few reasons why companies experience cyber attacks:
Poor personal security: The personnel with access to privileged parts of the application, such as its administration portal, might be infected with viruses or employ weak passwords.
Insecure engineering: Security best practices might not be taken into account during the engineering process.
Haste to release: Sometimes the engineering process is well designed around security, but as software development timelines shrink, developers are under the pump to roll out new features quickly. Their managers might not be aware or even care too much about the security aspects of the development, or the security will be left to be fixed “later”. As a result, attention to security requirements and quality assurance can suffer.
Zero maintenance: Once an application is released, the team moves to the next thing, and no further maintenance is done, neglecting the security updates published by the vendors of the libraries and other software used.
Lack of monitoring: Once the application is deployed, nobody is in charge of monitoring performance, checking the logs for breach attempts or other indicators that the application might be underperforming.
In the worst-case scenario, a data breach can have devastating consequences on a company’s reputation and financial bottom line. That’s why it’s all the more important to treat software security as a non-negotiable package of development.
Four Ways We Keep Our Software Secure
As a software development agency, we’re a tight-knit community of specialists with a focused security team in place to handle concerns that may crop up at any stage of the software development process. Thankfully, we’ve also adopted application security best practices and have included them in our software development life cycle. Ultimately, we do four things that have to this day kept our clients’ software safe and secure (knock on wood).
Let’s see what these are all about.
1. Building secure software
Our team has developed secure programming principles and optimal cryptographic practices to get the ball rolling.
For every new project, we implement company-wide security standards, which consists of the following:
- Selecting appropriate cryptographic algorithms to encrypt sensitive data
- Ensuring secure connections are set up and running smoothly at all times
- Having HTTPS connections and an updated TLS version from the get-go
- Checking whether off-site encrypted backups have been rolled out
- Updating all projects libraries and dependencies once per month at least
- Safely storing all credentials
- Reviewing and updating weak passwords accordingly
- Conducting client-side input validation
- Preventing cross-site scripting and file injections
After setting up the foundations, we run an audit once per year to ensure that everything set up is still being maintained. If it isn’t, we improve, update, and build upon our list. The ultimate goal here is to never let our security standards drop. On top of monitoring security events and reviewing what’s happening in the security space, our team also undergoes yearly training, where we learn about the best secure programming techniques based on the Open Web Application Security Project (OWASP) top 10 model.
2. Continuous improvement of software
Monitoring software might seem like a chore, but it’s vital in ensuring your software continues to be safe and sound.
We do the following:
- Verify that we’re using up-to-date certificates and automate processes to replace certificates when they expire.
- Analyze apps and third-party services used, and their security posture.
- Perform vulnerability management on libraries and servers, and apply the vendor-approved patches at least once per month.
- Run separate test and production environments, and avoid applying live updates to our software, which can negatively impact the business or product.
- Validate and test the code extensively before it’s publicly released.
- Conduct automated testing in the CI, including unit testing, integration testing, and screenshot testing.
- Perform code reviews with the team to spot potential issues or deviations from best practices.
- Plan for upcoming changes to the software and their implication in confidentiality and stability of the platform.
3. Embracing personal and company level security
Let’s face it; nothing is ever unhackable, and even with the best technology, the people who run it can be targeted too.
- Managing passwords securely: we use password managers to store our credentials safely and only use strong passwords.
- Choosing secure suppliers: we only pick the best suppliers with the highest standards.
- Keeping access restricted: we have strict control over who has permission to access our services and database.
- Hosting security awareness sessions: we run yearly training and perform random checks every now and again to ensure all team members meet our safety standards.
- Running client safety briefs: we share best practices and personal safety mistakes to avoid situations like having a weak password or sharing it over email.
- Sharing sensitive information safely: we use reliable tools when sharing information like password managers (some allow for sharing credentials within a team if necessary) like 1Password, Bitwarden, KeePass, and tools to share secrets like One Time Secret, Bitwarden Send, and Saltify.
4. Reacting to incidents quickly
Despite adopting high-security standards, no software is 100% secure. While, thankfully, our clients have never encountered a security breach with us, we do have a best-effort approach when it comes to security practices. How you respond to threats and take action makes a difference between your product getting dismantled and surviving.
We immediately inform our clients if a severe issue crops up throughout a project’s lifespan. Our specialists then dive in, investigating and mitigating the matter as soon as possible. Afterward, we share our learnings and actionable items to prevent the problem from happening again in the future.
Aside from this, we’ve also created a concept called Harmony, which is a framework that unifies all our working methodologies. Our systems are configured using common patterns and guidelines, making it familiar for anyone in the company even if they have never worked on the project before. Furthermore, learnings from one project can be applied to others.
In a nutshell, this is what you can expect from us:
- All hands on deck to solve a potential emergency.
- We apply learnings from one project to another.
- Transparency in communicating incidents and follow-ups.
To Wrap Up
Rather than treating software as a plug-and-play product, software should be tended to just like a well-groomed engine. It’s a journey that never ends and one that requires time, resources, and a concerted team effort to ensure security best practices are adopted company-wide. Speaking from experience, we can guarantee you that by integrating software security holistically across your company, your team will be best placed to prevent security incidents in the first place, and react if a security breach does occur. That’s got to be worth something.
If you’re ready to take your software security game to the next level, follow these simple but effective tips, and you’ll be just fine.
- Think about security from the get-go
- Adopt an organization-wide principle that takes into account security
- Invest in security training
- Always recognize and respond to security trends
- Focus on protecting your software supply chain
- Stay on top of your patching
- Encrypt, encrypt, encrypt (and use strong passwords!)
- Be ready to mitigate vulnerabilities quickly
Oh and one more thing: If you’re after high-security standards like ISO 27001, PCI, GDPR, or HIPAA compliance, we’re a good technology friend to partner with. Why? Simply put, we’ve worked with these certifications before and have a solid grasp of what they’re about. Reach out for more info.
Talk to Us
We’re an Innovation Agency made up of highly skilled software engineers and designers who build forward-thinking software solutions for companies in need—all while having fun doing it.
How does it work? It’s pretty simple. Clients approach us because they have a vision or an idea of what their product could look like. We help turn their bold concepts into a successful reality.
Want to rest easy knowing your software is in safe hands? Drop us a line!