Cyber security should be a concern for both professionals and casual developers. There is often no place in any project budget for a dedicated security expert, so this burden often falls on the developer.
In such cases, it is convenient to have a list of the most common errors and weaknesses or a sudden slip. To this end, Mykola Mozgovy, Senior Software Developer at Sigma Software, has compiled a list of things to take care of.
What does the cyber security voucher contain?
Software security is conceptually different and therefore less intuitive compared to general functional requirements. However, security is an essential feature of software, especially when it comes to software-controlled devices that can affect the life and health of customers or systems that process personal data. While in most cases the desired behavior of the program is the primary goal, the main security concern is quite the opposite: what the program should not do, in other words, prevent unwanted behavior.
There are three primary software security features that we strive to prevent:
- Secrecy: means that sensitive information should not be left to unauthorized persons;
- integration: This means that unauthorized persons should not destroy the stored information;
- Availability: This means that the system must remain responsive to the requirements (as per the agreed terms).
Although intuitive availability is associated with protection against DoS attacks, it is not limited to it. Just consider the following issues:
- app upgrades
- regain possession of the IP address;
- domain renewal;
- Toggle certificates for encryption and authentication.
When these features are violated, the program is considered to have a security vulnerability.
A vulnerability is a critical software bug that can be exploited to achieve unwanted behavior. If the vulnerability is caused by a design error rather than a code, it is called a bug.
There are a number of common principles that you must follow when creating secure software. In general, these principles can be divided into the following categories:
- Prevention – complete elimination of errors; For example, it is possible to fix entire sets of errors by using memory-safe languages such as Java or C# instead of C/C++.
- Mitigation – reduce the damage caused by exploiting an unknown bug; For example, the corruption of a hacked database can be greatly reduced if the stored data is encrypted. Another example is blocking accounts with suspicious behavior that require additional confirmation for potentially malicious actions.
- Detection – recognizing and understanding the attack; Potential malicious acts must be reported as soon as possible. Real-time mass telemetry is very useful in this case.
- Recovery – Repair of damage: It is always necessary to keep backup copies of data and all other additional means available in case of emergency. In addition, it is very important to have procedures for recovering compressed user accounts.
The basic principles to be kept in mind when planning, implementing or maintaining programs are as follows:
- give preference to simplicity (prevention);
- give preference to simple design; “Keep it simple, you idiot,” is a well-known joke that is perfectly useful in this context. For example, think carefully when choosing between an old-fashioned monolith and the highly praised microservices. Always consider the facilities and experiences available.
- use safe default settings;
Never use default passwords, use industry standard encryption, prioritize blacklisting before blacklisting, etc.
- Don’t expect a professional user;
The more uncontrollable energy there is, the more likely it will be misused. For example, installing apps from untrusted sources on Android (APK files) requires explicitly enabling this feature in device settings, which is a reliable solution.
- give preference to a simple user interface;
Again, complexity is the enemy of security. The complex user interface increases the possibility of error on the part of the developer and the user.
- Avoid letting users make their own security decisions.
You should not assume that users understand encryption schemes or even the rules of safe web behavior, so do not allow them to choose dangerous encryption algorithms and keys or passwords.
- confidence in self-control (preventing / mitigating);
- use of a reliable small computer base;
The more components (hardware and software) your system consists of – the larger the area of attack. In this sense, every new platform it supports and every service that integrates with it should be considered a source of risk and danger.
- Avoid using your own encryption;
Cryptography is so self-evident that trying to implement aspects of it on your own is just a visualization, unless you’re an expert. The correct approach is to use open industry standard protocols and algorithms.
- minimum privileges for components and users;
Be careful when granting permissions to your app and users (even indirectly). Does your app really need access to the file system? Should database reads be performed under an account with higher privileges?
Do not provide your system with incorrectly formatted data. Clearly define and enforce valid data limits by listing them.
- privacy enhancement – restricting access to personal information;
The official definition of personal/private data may vary according to local law, and a common feature of private data is the direct or indirect possibility to identify the actual person to whom the data belongs.
- Segmentation – Use processes, containers, and sandboxes to isolate components or even individual processes from each other.
- deep defense
- Security depends on diversity (HTTPS + secure language + data encryption + VPN); Combine all the security mechanisms available to you. At the same time, forgo the use of tools beyond your competence and find an expert if necessary.
- use standard and open source solutions (avoid security due to ambiguity); Get rid of the idea that proprietary software or protocols (especially yours) provide any kind of protection on the grounds that no one knows it. Only publicly available and well-studied tools and protocols can claim to be safe.
- Monitoring and tracking
- a set of logs and telemetry; Remember to create alerts for dangerous/suspicious events.
- Make backup copies / screenshots. Keep them on separate servers and have mechanisms to restore them.
There are certainly more principles that are similar, but in most cases following these principles above is more than enough.
Safe development process
It is very common to address security issues interactively. However, in this way, it can become unsustainable and invite unpreparedness, which is a wrong approach. Safe development process means introducing the necessary activities and practices for each stage of development:
- determining security requirements; Abuse case – is the opposite of a use case (or functional requirement). You should clearly define what the system should not do.
- Defining the required security features of the system components (i.e. confidentiality, safety, and availability); Explicitly specify which parts of the stored data are confidential. Determine the roles in the system and the data to be processed. Edit availability requirements.
- Define security mechanisms to support these features (authentication, authorization, auditing); The presence of these three mechanisms is often considered the “gold standard for security”. A system cannot be considered secure if it does not have one of them.
- Define threat models. This means identifying the malicious actor and potential attack points (eg network traffic, local files, or even display data).
- Threat-based design (responding to predefined threat models in system design);
- Architectural risk analysis/assessment (identification of potential planning deficiencies);
- Use the safety principles defined above (prevent, mitigate, detect, and recover).
- Follow best practices and coding guidelines;
- Perform mandatory code reviews;
- Use automation tools to enforce the highest quality code.
- risk-based security tests; These tests focus on the most critical parts of the system that we identify through threat modeling.
- Penetration Tests Security experts play the role of the perpetrator in an attempt to bypass security mechanisms.
- Soft bubble testing Providing the system with random and garbled data often reveals undesirable behaviour.
Common design and implementation mistakes
When following a safe development process, always keep in mind the mistakes developers often make:
- Assume trust rather than explicitly giving it;
- Use a practical authentication mechanism;
- Empowerment without sufficient context;
- mixing data and control instructions; This is the source of the infamous SQL injections, XSS attacks, and remote code executions.
- Unverified data
- improper use of encryption;
- Failed to identify sensitive data;
- integration of external components without taking into account the attacking surface;
- Strictly restrict future changes to objects and actors.
OWASP and the 10 most common vulnerabilities
The Open Web Application Security Project is a nonprofit organization focused on improving software security and an excellent resource and guide to cybersecurity. They provide useful instructions and plugins for popular development platforms such as .NET and Java. OWASP is known for its lists of the most common vulnerabilities in various fields:
It is very important to be well aware of the weaknesses that you will encounter in your field. Better a poor horse than no horse at all.
Pay attention to security concerns immediately, and do not dare to put them off until the bitter end. Plan and carry out the activities necessary through each stage of development to keep your customers safe and your reputation unquestioned. I hope you find this article helpful, but keep in mind that this is just a general cybersecurity gaffe. If you want to become a competent security specialist, a lot of learning and practice awaits you.
Invest your time and resources in attending different courses or obtaining certificates specific to the field you are interested in. s
Sigma Software offers over 60 remote jobs.
Join the #StandWithUkraine movement and be part of a powerful global tech team.
Author: Mykola Mozgovy, Senior Software Developer at Sigma Software