Make Business Apps Safe Again

Posted by Jeff Pelliccio on Sep 24, 2018 9:00:00 AM


With all the focus put on application security failures, the occurrence of security fails should be next to zero. The Open Web Application Security Project has been up and running for 16 years, and dynamic application security testing tools have been widely touted for just as long. So, how are breaches still common news items? In 2018, there was even a serious breach that impacted our military. Government and military employees, and the buildings and bases they worked at, were tagged via GPS data shared when they integrated fitness trackers with the Strava fitness app.

Financial services and other industries have to remain vigilant about their application security. It's no longer a choice to download a solution and forget about it. Protective technology has to be as dynamic as the bad actors working to foil it. It doesn't help that bugs and flaws are constantly found when hackers step up to exploit them.

The best way to keep systems secure is a multi-pronged approach involving developers, implementation experts, and the application users. It's important to instill in developers that they have a mandate to create and build secure applications. Those who implement the software should choose applications that have been vetted to ensure they meet minimum security standards and work as intended. In their personal life, users have to remain vigilant and avoid applications that violate their privacy rights.

The Strava Heat Map Case

The Strava case represented a breakdown in all three areas of responsibility just discussed. First, Strava made a few mistakes, including anonymous sharing of GPS data with an opt-out process that was painful. The easy fix would have been to set this privacy-impacting feature to require an opt-in instead of turning it on by default. They could also have blacked out military bases in their maps the way Google Maps does.
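The two fixes named above, sketched as an added example that is not Strava's code or part of the original post: sharing defaults to off, and points inside an exclusion zone are dropped before they reach the public map. The class names, zone coordinates and track are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

@dataclass
class PrivacySettings:
    # Opt-in: a new account shares nothing until the user turns this on.
    share_to_heatmap: bool = False

@dataclass(frozen=True)
class ExclusionZone:
    name: str
    lat: float
    lon: float
    radius_m: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def in_exclusion_zone(lat, lon, zones):
    return any(haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m for z in zones)

def points_for_heatmap(settings, track, zones):
    """Return only the GPS points that may be aggregated into the public map."""
    if not settings.share_to_heatmap:
        return []  # user never opted in, so nothing leaves the account
    return [(lat, lon) for lat, lon in track
            if not in_exclusion_zone(lat, lon, zones)]

# Constructed sample data: one 2 km zone and a track that starts inside it.
ZONES = [ExclusionZone("example-restricted-site", 10.0000, 20.0000, 2000.0)]
TRACK = [(10.0005, 20.0005), (10.0100, 20.0000),
         (10.0200, 20.0000), (10.0500, 20.0500)]

if __name__ == "__main__":
    print(points_for_heatmap(PrivacySettings(), TRACK, ZONES))
    print(points_for_heatmap(PrivacySettings(share_to_heatmap=True), TRACK, ZONES))
```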

In the scenario above, the military acts as an enterprise that failed to protect users from inadvertently throwing away their privacy. Lack of user education prevented consumers from making crucial decisions about sharing their data. With no guardrails, the Strava users went careening off the cliff and spewed their data into cyberspace from 2013 to 2015. Even the Chinese military recognized the threat of GPS data and fitness trackers among active servicemen and women and banned the devices in 2015. 

Let's consider the users. These soldiers know that their profession relies on preserving national security. However, when it comes to personal security, they seem to have thrown caution to the wind in order to enjoy social networking. Even more surprising, many of the cyclists and joggers who used Strava work in IT security positions that assess apps for threats.

Let's see what might have worked better in each area.

How Developers Can Design More Secure Apps 

Here are several ways developers can design more secure applications:

  1. Security by design. Awareness is a great tool in designing secure applications. Using threat modeling helps you make sure you start with secure software from the very beginning. Ask yourself how you would break into the software if you were a hacker and implement safeguards against threats. Then, consider how a hacker could take away your privacy as a user, such as by sharing your location information with third parties. Partner with your company's security team, especially if there are offensive security members on staff. If anyone can break into your app, it's these folks, so let them have at it and address risks that are uncovered.

  2. Don't hardcode passwords or other secret information in your code. API tokens, passwords, server credentials and other secrets should not appear in plain text anywhere in your source code or configuration text files. Instead, implement single sign-on and the more secure multi-factor authentication. Secret information and sensitive data should be passed only through industry-standard encryption, and you should limit access to systems on the back-end by applying the least privilege needed.

  3. Security needs to be part of the user experience. The 2017 Digital Identity Guidelines from the National Institute of Standards and Technology suggest getting rid of password complexity, history and rotation rules. Instead, the guidelines suggest a comprehensive planning strategy that replaces this system. One example that accomplishes this involves user interface upgrades that guide users to a long and complex password. Directions would include a minimum of 20 characters and four sections of five characters with fewer than two that repeat. Code that makes passwords easy to manage is also recommended. Allow users to integrate password managers that prevent reuse and encourage complex passwords.
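For item 2 in the list above, a pre-commit style check that flags literal credentials in source and configuration text while letting environment lookups and deploy-time references pass. This is an added example, not code from the original post; the keyword list, the reference patterns and both sample files are constructed assumptions.

```python
import re

ASSIGN = re.compile(r"""(?ix)
    (?P<name>[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)
    \s*[:=]\s*
    (?: (?P<q>["'])(?P<quoted>[^"']*)(?P=q)   # quoted literal
      | (?P<bare>\S+) )                       # unquoted right-hand side
""")
# Values resolved at deploy time rather than stored in the file.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|%\w+%)$")

def find_hardcoded_secrets(text, is_config=False):
    """Return (line number, key name) pairs; the secret value is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.search(line)
        if m is None:
            continue
        if m.group("quoted") is not None:
            value = m.group("quoted")
        elif is_config:
            value = m.group("bare")   # in config files a bare value is a literal
        else:
            continue                  # in source a bare value is an expression
        if value and not REFERENCE.match(value):
            findings.append((lineno, m.group("name")))
    return findings

# Constructed sample source file.
SOURCE_SAMPLE = '''import os
DB_PASSWORD = "hunter2-constructed"
api_key = os.environ["API_KEY"]
client = connect(host="db.internal.example", token='abc123-constructed')
password = ""
'''

# Constructed sample configuration file.
CONFIG_SAMPLE = '''[database]
user = app
password = ${DB_PASSWORD}
smtp_passwd=Winter2018-constructed
api-key: "<set-in-vault>"
'''

if __name__ == "__main__":
    print(find_hardcoded_secrets(SOURCE_SAMPLE))
    print(find_hardcoded_secrets(CONFIG_SAMPLE, is_config=True))
```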

How Implementers Can Boost App Security

Implementers have their own responsibility to contribute to enterprise-level app security:

  1. Implement solutions that proactively protect data and user privacy. If the solution does not itself provide multi-factor authentication, it must support Security Assertion Markup Language, which makes it compatible with an identity platform that does support multi-factor authentication.

  2. Choose solutions that demonstrate robust application security. To verify, penetration testing should be performed prior to buying a software solution. In lieu of testing this in-house, you can ask for test results or other evidence that the solution passes security muster.

  3. Monitor applications for attacks and misuse. You can't just measure performance and availability. Make sure your users understand how to use applications securely.

These steps are the minimum you can do to improve the security of in-house applications or products purchased for modification. Now let's look at how users can contribute to secure applications.

Users' Role in Keeping Data Secure

Application users have to take steps to make sure their data stays secure by following these guidelines:

  1. Defend their privacy outside of the enterprise. Users should review application privacy and security settings often. In the office, they should take advantage of available security features, such as multi-factor authentication, and let the technical staff know if there is a security concern.

  2. Use strong, secure passwords. Passwords shouldn't be re-used online. Instead, a password manager lets users securely manage passwords and other secrets.

  3. Caution is required when applications are used on open wireless networks. In the case of software that doesn't have secure transport, your information can be sent as cleartext.

When all parties share responsibility for security, enterprise solutions become much more reliably secure. Security professionals are not the only ones who can learn from the headlines. Reading about the misdeeds of others should spur developers and users to safeguard their privacy and the sensitivity of their data.

The guidance provided here is an important first step. However, you can find many resources by searching online. Do your part to make and keep business applications more secure today. When your firm maintains its secrets and the privacy of its employees, you'll be glad you did.

Start to Change

If you're looking for a team to keep your business app safe, contact ICS. We have plenty of candidates ready to make a positive impact on your company. Click below to partner with us and get started towards a safer future. 
