If you are an entrepreneur or you want to build a digital product, you’re probably looking to expand your knowledge about security practices in application development.
This guide is a comprehensive overview of the key areas of security as it pertains to app development, with an emphasis on web development services. We will present how a good software development company should help you secure your product.
Authors: Łukasz Głuszek (Senior Frontend Developer), Maciej Markiewicz (Security Practice Expert & Team Leader)
Tech reviewer: Michał Remisz (QA)
Let’s first consider the question why security is important and have a look at the most popular misconceptions related to app security.
There are three main reasons why you should make security your top priority.
The first one is that solid security practices keep your data safe. But why is this such a big deal, in concrete terms?
One factor to consider is the penalties that your business may incur if a data leak occurs, causing a legal infraction or non-compliance with an industry certification.
Think about all the legislation surrounding data handling, such as the GDPR (General Data Protection Regulation) in the European Union, HIPAA (Health Insurance Portability and Accountability Act) in the US, and PCI DSS (Payment Card Industry Data Security Standard) globally. Falling out of line with any of those can cost you a lot – and not just in terms of money.
Besides potential penalties imposed by a government or a certification body (along with the inevitable legal costs that your business will have to cover to go through the proceedings), there are also other painful consequences of not ensuring app security. One is that you may simply lose access to your data, setting back your business.
Another is that malicious actors, your competitors, or any combination of these, will get their hands on proprietary information and use it against you, blackmail you, or simply get ahead thanks to it.
Then there is reputational damage. You probably wouldn’t trust a company or an app that’s well-known for its security failings – and neither would most people. Modern consumers care deeply about the safety of their personal information and they will definitely not be interested in doing business with someone who they can’t trust with it.
Finally, there’s another practical benefit to staying secure: Google rankings. If your company or app doesn’t show up on the first page of the search results, very few people will find it. As it happens, Google rankings dock you points for not following best security practices (namely not using TLS/SSL, which encrypts traffic and cryptographically proves that your website belongs to you).
To put it simply: not following security practices can be extremely costly, but adhering to them has real, tangible benefits besides risk mitigation.
Security is never absolute – think of it more like an arms race or ongoing market competition. The good guys keep on improving application security, but the bad guys keep finding new vulnerabilities and building new tools to exploit them. They also never stop using the old techniques and applying them in different combinations, making application security that much more difficult.
This means that there is no such thing as a be-all and end-all security solution. Everything that security specialists do is about reducing risks, but there is never a one hundred percent guarantee that no one will get through your defences.
This brings us right to security misconceptions. We already alluded to the first one in the previous paragraph, but it bears repeating: no application is one hundred percent secure at any moment. The best you can say is that it follows best practices and standards. There are no definite assurances, only reasonable confidence.
Security is not just about things like setting difficult password requirements. There is an infinite number of possible attacks, as well as a huge number of security requirements. These are related to numerous areas: from authentication and authorization through database security to things like physical security (for example, making sure that the physical servers your application lives on cannot be easily accessed by an intruder).
Another thing to remember is that no application is safe from harm. The fact that an app is not popular, or that it doesn’t have an eye-catching design, or that it doesn’t process sensitive data, or that it hasn’t been updated in years doesn’t mean that someone won’t try to get in anyway.
Think about this: breaking into a smaller app can also be a large pain for the end user, for example if they use the same password for the hacked unpopular app and a different, more sensitive service. As a result, catching the small fish directly enables the hacker to go for the big one.
If you’re worried about something like that happening to you, consider visiting haveibeenpwned.com – a service that contains a continuously updated list of breaches and allows you to verify whether your email and password were leaked from a website you use.
The way to go about ensuring application security is far from obvious.
There are many security guidelines available (more about these later) and it definitely is a good idea to follow them, but they are useless if you do not introduce the right processes in your organization. You have to monitor your application’s security at every stage, from development to sunsetting.
Also remember that guidelines are not a silver bullet. Having a guideline is one thing; making sure that every attack vector is considered and secured is another.
There’s also the fact that the number of potential threats is always increasing – new vulnerabilities crop up as technology progresses, so you can’t really just “do” security once and be done with it. It really does have to be an ongoing, integral part of your application development lifecycle.
It is important to educate customers – whether internal or external – about the value of increasing security.
Making sure that people understand the risks involved and the things they can do to increase security (things like two-factor authentication, not reusing passwords, and being vigilant about phishing attacks) is a good step towards ensuring a security culture in your organization.
Software development companies have to make security a priority. This means that it’s about more than just declarations: software engineers not only have to be vaguely aware of the question of security, but also continuously trained in modern practices and technologies. It’s also necessary to make sure that the company has processes in place to enforce and audit security – otherwise all the effort is wasted.
Hopefully, we have made it clear that security ought to be an integral part of the application software development process. But how specifically will a good web development company ensure that your product is secure? We have a short list of things you should watch out for.
As we’ve said multiple times over the course of this article, maintaining security is a process, not a one-off activity. But what is the process made up of?
Well, it can be broken down into the following aspects:
We can’t stress enough how important it is to continuously monitor any errors that occur in your application. There are many tools on the market to do this, but one we’ve particularly enjoyed in our work is Rollbar, touted by its creators as a ‘post-deploy safety net’.
Essentially, the app offers everything developers need to find and fix production errors without relying on user reports and logs, including things like a real-time feed and alerts, intelligent error grouping, stack traces, telemetry, as well as a custom language for browsing the data collected by Rollbar – the Rollbar Query Language (RQL).
However, monitoring is far from being the whole story. You also have to make sure to actually fix the errors you detect and implement processes to ensure that the same vulnerabilities will not happen again. A good way of doing this is introducing a rigorous testing methodology – including mandatory unit and regression tests – in order to provide a “safety net” for your application.
Updates – which includes updates of third-party libraries that you use in your app – are an integral part of the maintenance stage. However, they may also introduce additional security risks, which means that new versions of the components you get from the outside must always be checked for flaws.
Moreover, adding new features at the maintenance stage often means using a new API or library – you should have a mechanism in place that will allow you to verify whether any given technology won’t compromise your security profile.
Thankfully, the update part of this can be automated using third-party tools, such as Dependabot or Renovate – but your development partner has to be aware of these requirements to even consider implementing them.
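As an added illustration (not part of the original article), this is what a Dependabot configuration for the automated-update step described above might look like; the package ecosystems, the `/` directory, the labels and the `example-org/security-reviewers` team handle are assumptions, not values from the article.

```yaml
# .github/dependabot.yml (example configuration added here, not from the original article)
version: 2
updates:
  # Assumed: the web front end pulls its dependencies from npm at the repo root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Keep the review queue manageable; each PR is still checked before merge.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security-review"
    # Hypothetical team that must review every third-party update before it lands.
    reviewers:
      - "example-org/security-reviewers"
    # Let major version bumps be handled deliberately rather than automatically.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "deps"

  # Assumed: the service ships as a container, so its base image is tracked too.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "security-review"
```

Each pull request this opens is the point at which the "checked for flaws" step from the maintenance process happens, via the mandatory review and the test suite running in CI.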
Finally, as your application grows, you might need to change hosting providers or expand your infrastructure by using a new provider or service. It is critical that this process is conducted in a well-thought-out, planned, and conscientious manner so as not to introduce any weaknesses which may compromise your application’s security.
Given all the complexity of the subject of app security, how do good software development companies take care of it? There are a number of practices and processes that they follow to ensure that their clients’ software remains safe.
You may be wondering if the same threat model applies to web applications as to mobile or desktop ones. The answer is nuanced – while the general principles of security are technology-agnostic and the same rules apply to all platforms, every technology has its own unique vulnerabilities.
The converse is also true – there are also technology-specific ways to secure applications. But, in general, these are only a part of the picture and shouldn’t be singled out.
The conclusion here is that there is no silver bullet – you have to combine technical expertise in all the different technologies used in a particular app with a solid foundation of security-oriented processes and a security-first culture.
Overall, a good software or web development company needs to have specialists in all the specific technologies and an overall security-minded approach to building applications. This is true for all platforms – web, mobile, desktop, IoT, and anything else you can think of.
There are many approaches to ensuring security in web development, but we can unreservedly recommend the four compiled by OWASP.
They are useful both as a reference for your own security team and something to check your potential web development company against – the industry at large is in agreement that the following practices are the best you can do. It’s important to note that all of them were developed by OWASP (Open Web Application Security Project), an independent organization recognized for championing security in development.
As you can see, the general rule is to follow and implement OWASP’s recommendations – this community has shown over time that they are the unquestioned industry leader in security research. They also run the best collection of security requirements and best practices available.
We’ve said here before that not caring about security can carry a heavy cost, but this can be hard to visualize without concrete examples. Well, unfortunately there are many famous ones – let’s look at three that we believe illustrate this point well.
In 2014, Yahoo fell victim to a nation-state sponsored attack that left sensitive data of 500 million of the platform’s users exposed. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, chief information security officer at Yahoo.
This was not only a security nightmare, but also a huge breach of the users’ trust and a major hit to the reputation of the already ailing company. Yahoo, once a web pioneer, is now a wounded giant rapidly losing value and market share – in part because of the company’s failure to maintain consumer trust.
Marriott, an international hotel chain, suffered a security breach in 2018 in which attackers gained access to information like payment details, names, mailing addresses, phone numbers, email addresses and passport numbers.
Not only did the company suffer a loss of trust – an obvious result when it comes to such sensitive data as credit card or passport details – but is also now faced with a class-action lawsuit and public outcry because of the long time it took to inform the world about the issue.
eBay, one of the world’s biggest P2P sales platforms, suffered a huge breach in 2014 because of leaked employee credentials. As a result of the leak, attackers were able to access all of the company’s customers’ login information and payment details.
It also took the company more than a month to identify and disclose the vulnerability, further undermining the company’s already sketchy reputation, which has long been marred by dodgy listings and other scams perpetrated on the platform.
The aim of this article was to give you a solid overview of why application security is so important and how you can ensure that the best practices are followed in your development project. We hope we did that, but let’s quickly recap the main points before you leave.
We hope that we’ve helped you understand the importance of security and how it should be practiced in software development.