If you are an entrepreneur or you want to build a digital product, you’re probably looking to expand your knowledge about security practices in application development.
This guide is a comprehensive overview of the key areas of security as it pertains to app development, with an emphasis on web development services. We will also explain how a good software development company should help you secure your product.
Authors: Łukasz Głuszek (Senior Frontend Developer), Maciej Markiewicz (Security Practice Expert & Team Leader)
Tech reviewer: Michał Remisz (QA)
Let’s first consider the question why security is important and have a look at the most popular misconceptions related to app security.
Why does app security matter?
There are three main reasons why you should make security your top priority.
The first one is that solid security practices keep your data safe. But why is this such a big deal, in concrete terms?
One factor to consider is the penalties that your business may incur if a data leak occurs, causing a legal infraction or non-compliance with an industry certification.
Think about all the legislation surrounding data handling, such as the GDPR (General Data Protection Regulation) in the European Union, HIPAA (Health Insurance Portability and Accountability Act) in the US, and PCI DSS (Payment Card Industry Data Security Standard) globally. Falling out of line with any of those can cost you a lot – and not just in terms of money.
Besides potential penalties imposed by a government or a certification body (along with the inevitable legal costs that your business will have to cover to go through the proceedings), there are also other painful consequences to not ensuring app security. One is that you may simply lose access to it (your application and its data), setting back your business.
Another is that malicious actors, your competitors, or any combination of these, will get their hands on proprietary information and use it against you, blackmail you, or simply get ahead thanks to it.
Then there is reputational damage. You probably wouldn’t trust a company or an app that’s well-known for its security failings – and neither would most people. Modern consumers care deeply about the safety of their personal information and they will definitely not be interested in doing business with someone who they can’t trust with it.
Finally, there’s another practical benefit to staying secure: Google rankings. If your company or app doesn’t show up on the first page of the search results, very few people will find it. As it happens, Google rankings dock you points for not following best safety practices (namely not serving your site over HTTPS with TLS, the successor to SSL, which encrypts traffic and cryptographically proves that your website belongs to you).
To put it simply: not following security practices can be extremely costly, but adhering to them has real, tangible benefits besides risk mitigation.
The security arms race
Security is never absolute – think of it more like an arms race or ongoing market competition. The good guys keep on improving application security, but the bad guys keep finding new vulnerabilities and building new tools to exploit them. They also never stop using the old techniques and applying them in different combinations, making application security that much more difficult.
This means that there is no such thing as a be-all and end-all security solution. Everything that security specialists do is about reducing risks, but there is never a one hundred percent guarantee that no one will get through your defences.
This brings us right to security misconceptions. We already alluded to the first one in the previous paragraph, but it bears repeating: no application is one hundred percent secure at any moment. The best you can say is that it follows best practices and standards. There are no definite assurances, only reasonable confidence.
Security is not just about things like setting difficult password requirements. There is an infinite number of possible attacks, as well as a huge number of security requirements. These are related to numerous areas: from authentication and authorization through database security to things like physical security (for example, making sure that the physical servers your application lives on cannot be easily accessed by an intruder).
Another thing to remember is that no application is safe from harm. The fact that an app is not popular, or that it doesn’t have an eye-catching design, or that it doesn’t process sensitive data, or that it hasn’t been updated in years doesn’t mean that someone won’t try to get in anyway.
Think about this: breaking into a smaller app can also be a large pain for the end user, for example if they use the same password for the hacked unpopular app and a different, more sensitive service. As a result, catching the small fish directly enables the hacker to go for the big one.
If you’re worried about something like that happening to you, consider visiting haveibeenpwned.com – a service that contains a continuously updated list of breaches and allows you to verify whether your email and password were leaked from a website you use.
Security: the challenges
The way to go about ensuring application security is far from obvious.
There are many security guidelines available (more about these later) and it definitely is a good idea to follow them, but they are useless if you do not introduce the right processes in your organization. You have to monitor your application’s security at every stage, from development to sunsetting.
Also remember that guidelines are not a silver bullet. Having a guideline is one thing; making sure that every attack vector is considered and secured is another.
There’s also the fact that the number of potential threats is always increasing – new vulnerabilities crop up as technology progresses, so you can’t really just “do” security once and be done with it. It really does have to be an ongoing, integral part of your application development lifecycle.
It is important to educate customers – whether internal or external – about the value of increasing security.
Making sure that people understand the risks involved and the things they can do to increase security (things like two-factor authentication, not reusing passwords, and being vigilant about phishing attacks) is a good step towards ensuring a security culture in your organization.
Software development companies have to make security a priority. This means that it’s about more than just declarations: software engineers not only have to be vaguely aware of the question of security, but also continuously trained in modern practices and technologies. It’s also necessary to make sure that the company has processes in place to enforce and audit security – otherwise all the effort is wasted.
How good developers can ensure that your product is secure
Hopefully, we have made it clear that security ought to be an integral part of the application software development process. But how specifically will a good web development company ensure that your product is secure? We have a short list of things you should watch out for.
- First, a good developer will take the responsibility for ensuring security and will never release a product that they consider insecure.
- Second, they will hone their skills and upgrade their knowledge, for example, by participating in trainings and meetups concerning security.
- Third, they will share their knowledge about security – securing applications is as much about good practices as it is about awareness.
- Fourth, they will come forward with their own suggestions to introduce better security practices and technologies to the product.
- Fifth, they will treat security as a priority, not just a time sink that takes them away from other tasks they need to accomplish as part of the development process.
- Sixth, they have a good understanding of potential risks and proactively ensure that the right processes are in place within their project team.
- Seventh, a good, security-aware developer knows that security audits are only one way of ensuring security, and they are hardly sufficient – as we’ve said many times over, security is a process.
- Finally, a good developer follows external guidelines, such as OWASP’s ASVS, OTG or MSTG – more about these later.
Why is it crucial to do tests and ensure security at the app maintenance stage?
As we’ve said multiple times over the course of this article, maintaining security is a process, not a one-off activity. But what is the process made up of?
Well, it can be broken down into the following aspects:
- Testing. The application must undergo rigorous testing both before and after deployment.
- Audits. Regular auditing ensures that the processes and guidelines you’ve introduced are actually being followed.
- Standard-based development. It is always a good idea to learn from the mistakes and experience of others, and following industry standards is a great way of doing that.
- Introducing processes to enforce the above. There are management frameworks that you can use without reinventing the wheel – one solid proposal is OWASP’s S-SDLC (or Secure Software Development Lifecycle), a variant of the classic SDLC with a stronger focus on security. There are also S-SDLC variants distributed by other companies, such as Microsoft.
We can’t stress enough how important it is to continuously monitor any errors that occur in your application. There are many tools on the market to do this, but one we’ve particularly enjoyed in our work is Rollbar, touted by its creators as a ‘post-deploy safety net’.
Essentially, the app offers everything developers need to find and fix production errors without relying on user reports and logs, including things like a real-time feed and alerts, intelligent error grouping, stack traces, telemetry, as well as a custom language for browsing the data collected by Rollbar – the Rollbar Query Language (RQL).
However, monitoring is far from being the whole story. You also have to make sure to actually fix the errors you detect and implement processes to ensure that the same vulnerabilities will not happen again. A good way of doing this is introducing a rigorous testing methodology – including mandatory unit and regression tests – in order to provide a “safety net” for your application.
Updates – which includes updates of third-party libraries that you use in your app – are an integral part of the maintenance stage. However, they may also introduce additional security risks, which means that new versions of the components you get from the outside must always be checked for flaws.
Moreover, adding new features at the maintenance stage often means using a new API or library – you should have a mechanism in place that will allow you to verify whether any given technology won’t compromise your security profile.
Thankfully, the update part of this can be automated using third-party tools, such as Dependabot or Renovate – but your development partner has to be aware of these requirements to even consider implementing them.
Finally, as your application grows, you might need to change hosting providers or expand your infrastructure by using a new provider or service. It is critical that this process is conducted in a well-thought-out, planned, and conscientious manner so as not to introduce any weaknesses which may compromise your application’s security.
How good software and web development companies ensure app security
Given all the complexity of the subject of app security, how do good software development companies take care of it? There are a number of practices and processes that they follow to ensure that their clients’ software remains safe.
- One is following the S-SDLC – this ensures that security is a part of the overall development flow and that it is treated with equal importance to other tasks, such as adding new features.
- Then there is exposing developers to accounts of actual breaches. This makes the team consider the losses and risks in real terms rather than abstract issues that can only happen to someone else.
- Good software development companies also make sure that they have a culture of knowledge-sharing.
- In addition, a solid app development company follows the newest technology (both in security and in general), knows how to adapt it to its clients’ needs, and continuously trains its staff with regards to operational and technological security.
- As a final point, a good software development company should be expected to practice what it preaches – so it should have company-wide security processes in place to prevent breaches of its own data, which could make its clients vulnerable by proxy.
Do web apps have a different threat model than other technologies?
You may be wondering if the same threat model applies to web applications as to mobile or desktop ones. The answer is nuanced – while the fundamentals of security are technology-agnostic and the general rules are the same for all platforms, each technology has its own unique vulnerabilities.
The converse is also true – there are also technology-specific ways to secure applications. But, in general, these are only a part of the picture and shouldn’t be singled out.
The conclusion here is that there is no silver bullet – you have to combine technical expertise in all the different technologies used in a particular app with a solid foundation of security-oriented processes and a security-first culture.
Overall, a good software or web development company needs to have specialists in all the specific technologies and an overall security-minded approach to building applications. This is true for all platforms – web, mobile, desktop, IoT, and anything else you can think of.
Good security practices in web development companies
There are many approaches to ensuring security in web development, but we can unreservedly recommend the four compiled by OWASP.
They are useful both as a reference for your own security team and as something to check your potential web development company against – the industry at large is in agreement that the following practices are the best you can do. It’s important to note that all of them were developed by OWASP (Open Web Application Security Project), an independent organization recognized for championing security in development.
- OWASP Top 10. This is a periodically released list of best practices to follow when building a web application. Since it is only made up of 10 points, it is very easy to parse and understand, making it a good start to introducing a serious approach to security in your organization.
- OWASP ASVS (Application Security Verification Standard). This is an extremely thorough template which enables you to build a custom checklist of security practices that should be followed within your organization or project.
- OWASP OTG (OWASP Testing Guide). This is a comprehensive book covering the subject of ensuring security by testing. It is especially worth recommending because it was written with a broad audience in mind – it will be equally useful to developers, testers, security engineers, and project managers.
- OWASP Proactive Controls. This is a list of security techniques that should be included in every software development project, ordered from most to least important. Since the list itself is fairly short, we’re adding it directly to this article to give you an overview:
  1. Define Security Requirements
  2. Leverage Security Frameworks and Libraries
  3. Secure Database Access
  4. Encode and Escape Data
  5. Validate All Inputs
  6. Implement Digital Identity
  7. Enforce Access Controls
  8. Protect Data Everywhere
  9. Implement Security Logging and Monitoring
  10. Handle All Errors and Exceptions
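To make several of these controls concrete, here is an added example (not code from the original article or from OWASP) in Python using the standard-library sqlite3 and html modules. It shows a small user-profile lookup that applies Validate All Inputs, Secure Database Access, Encode and Escape Data, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions, with the string-concatenated query shown next to its parameterised replacement. The schema, the sample rows, and all function names are constructed for this illustration.

```python
"""Added example (not from the original article): a small user lookup that
applies several OWASP Proactive Controls side by side. Schema, rows and
names are constructed for illustration."""
import html
import logging
import re
import sqlite3

log = logging.getLogger("app.security")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, display_name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice <alice@example.com>", 0), ("bob", "Bob", 1)],
    )
    return conn


# Validate All Inputs: allow-list the shape of a username before it goes anywhere.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(raw) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


# Insecure 'before' version: building SQL by string concatenation lets the
# input change the structure of the query, not just its data.
def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    query = f"SELECT username, display_name FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Secure Database Access: a parameterised query keeps data and SQL separate,
# so the input can only ever be compared as a value.
def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    return conn.execute(
        "SELECT username, display_name FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# Encode and Escape Data: escape at the output boundary (HTML here), not on input,
# so the stored value stays intact and every rendering context is handled explicitly.
def render_profile(display_name: str) -> str:
    return f"<p>{html.escape(display_name)}</p>"


# Handle All Errors and Exceptions + Security Logging and Monitoring: one
# request-level entry point that logs rejected input for monitoring and returns
# generic messages to the client instead of internal details.
def profile_handler(conn: sqlite3.Connection, raw_username) -> dict:
    try:
        username = validate_username(raw_username)
        rows = find_user_safe(conn, username)
        if not rows:
            return {"status": 404, "body": "<p>not found</p>"}
        return {"status": 200, "body": render_profile(rows[0][1])}
    except ValueError:
        # Record the event (length only, never the raw value) so monitoring can alert on spikes.
        log.warning("rejected username input", extra={"input_len": len(str(raw_username))})
        return {"status": 400, "body": "<p>bad request</p>"}
    except sqlite3.Error:
        log.exception("database error in profile lookup")
        return {"status": 500, "body": "<p>internal error</p>"}


if __name__ == "__main__":
    db = make_db()
    print(profile_handler(db, "alice"))
    print(profile_handler(db, "not a valid username"))
```

The two lookup functions are deliberately kept next to each other: with the concatenated query, input containing quotes is interpreted as part of the SQL, while the parameterised version compares it as a plain value and simply finds no row. Validation happens before the database is touched, escaping happens where the value is rendered, and the handler is the one place that decides what the client sees and what gets logged, which is also where a tool like Rollbar would pick up the exceptions.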
As you can see, the general rule is to follow and implement OWASP’s recommendations – this community has shown over time that they are the unquestioned industry leader in security research. They also run the best collection of security requirements and best practices available.
The price of insecurity: famous data leaks
We’ve said here before that not caring about security can carry a heavy cost, but this can be hard to visualize without concrete examples. Well, unfortunately there are many famous ones – let’s look at three that we believe illustrate this point well.
Yahoo: 500 million users exposed
In 2014, Yahoo fell victim to a nation-state sponsored attack that left the sensitive data of 500 million of the platform’s users exposed. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," said Bob Lord, chief information security officer at Yahoo.
This was not only a security nightmare, but also a huge breach of the users’ trust and a major hit to the reputation of the already ailing company. Yahoo, once a web pioneer, is now a wounded giant rapidly losing value and market share – in part because of the company’s failure to maintain consumer trust.
Marriott hotels: 500 million users exposed
Marriott, an international hotel chain, suffered a security breach in 2018 which gave attackers access to information such as payment details, names, mailing addresses, phone numbers, email addresses and passport numbers.
Not only did the company suffer a loss of trust – an obvious result when it comes to such sensitive data as credit card or passport details – but it also now faces a class-action lawsuit and public outcry because of the long time it took to inform the world about the issue.
Ebay: all users’ passwords compromised
Ebay, one of the world’s biggest P2P sales platforms, suffered a huge breach in 2014 because of leaked employee credentials. As a result of the leak, attackers were able to access all of the company’s customers’ login information and payment details.
It also took the company more than a month to identify and disclose the vulnerability, further undermining the company’s already sketchy reputation, which has long been marred by dodgy listings and other scams perpetrated on the platform.
The aim of this article was to give you a solid overview of why application security is so important and how you can ensure that the best practices are followed in your development project. We hope we did that, but let’s quickly recap the main points before you leave.
- Ensuring security is not just a technical issue – it can also severely impact your business through legal exposure, reputational risk, and issues with certification bodies.
- Security is not a one-off thing – making your application secure is an ongoing process that never ends. You can never make something 100-percent secure – security is always about managing and mitigating risks.
- The security landscape is always changing. It is of paramount importance to keep yourself and your developers abreast of all developments in the world of security through training and a security-first culture.
- Good developers are one thing, but it is even more important to put in place processes that ensure that security practices are always followed.
- It is vital that you follow the SDLC (Software Development Lifecycle) or, even better, its security-conscious version – the Secure SDLC (S-SDLC). Following a process ensures that important details won’t slip through the cracks.
- Finally, no application is ever 100% secure. Development teams or software development companies should always concentrate on minimizing risks by following the highest security standards.
We hope that we’ve helped you understand the importance of security and how it should be practiced in software development.