Security Standards at Netguru — How we Take Care of our Client’s Product Security
People are digitizing huge amounts of information relating to their personal and professional lives. This data is the lifeblood of the entire IT industry.
Since it originates from users and clients from diverse organizations, it is imperative for businesses to protect their sources of that data, and to gain the trust of consumers.
Maciej Markiewicz, Cybersecurity Lead at Netguru, explains how cybersecurity best practices at Netguru ensure digital product security and user privacy.
Why cybersecurity is so vitally important
Hacking, phishing, malware distribution, and other forms of cyber-attack can have devastating consequences. We are all aware to some extent of the statistics — a single minute of network downtime can cost hundreds of thousands or even millions of dollars.
Beyond this, the damage to your organization and brand reputation may be permanent and can result in business-critical losses in revenue. Your status with regard to industry standards or regulatory compliance could also land you in court.
To avoid these issues, a strong stance on cybersecurity is critically important. It affects the way you identify and authenticate users and devices on your systems, the software you use, and the way you manage information and processes throughout your organization.
Learning from the past mistakes of others
At the global scale, several high-profile security lapses have come to light in recent months. Some involve major household brand names and have affected huge numbers of their consumers. It’s only natural to balk at the audacity of the perpetrators, and/or the negligence of the brands concerned.
However, there are serious lessons to be learned from such incidents that concern data governance and security best practices.
Among the best practices are:
Testing software before and after distribution
In April 2021, ZDNet reported on the discovery of a zero-day vulnerability in the popular video conferencing app, Zoom. The flaw is capable of triggering a remote code execution (RCE) on a targeted machine, without any form of user interaction. This attack was confirmed to work on both the Mac and Windows versions of Zoom. It had no effect on the browser version of Zoom.
Its very existence speaks to the need for intensive and comprehensive testing of software, before and after it reaches its final destination.
Verifying the integrity of the software supply chain
In December 2020, Reuters reported that hackers had infiltrated the systems of SolarWinds, a major US technology firm. The hackers inserted malicious code into SolarWinds’ Orion software, which was subsequently distributed to the company’s clients via updates and patches. This code opened a back door into client systems, enabling the hackers to introduce more malware.
The hack may have affected 33,000 consumers who use the infected Orion platform, including high-level departments of the US government.
Stringent code verification is the first step to reducing the risk of such widespread distribution.
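As an added illustration of what verification on the receiving side of an update can look like (example code written for this article, not Netguru’s or SolarWinds’ tooling; the file names, contents and manifest are constructed samples), the following script compares every delivered file against a manifest of SHA-256 digests that was obtained separately from the files themselves, and rejects modified, missing or unexpected files before anything is installed:

```python
"""Added example: verifying a release against a pinned digest manifest.

Illustrative code for this article, not Netguru's own tooling. It models the
consumer side of a software update: each delivered file is hashed and compared
with a manifest that was obtained out-of-band (for example pinned in the
deployment repository), so a file altered after the publisher recorded the
digests is rejected instead of executed.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample release: file name -> bytes exactly as the vendor shipped them.
RELEASE = {
    "agent-update.bin": b"trusted build output (constructed sample)",
    "config.yaml": b"log_level: info\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Publisher side: record a digest for every file in the release."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_release(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Consumer side: return a list of problems found.

    An empty list means the delivered files match the pinned manifest exactly:
    every listed file is present with the expected digest, and no file was
    delivered that the manifest does not list.
    """
    problems: list[str] = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_hex(files[name])
        # Constant-time comparison so the check does not leak how many
        # leading characters of the digest matched.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return problems


# Manifest as it would have been recorded at release time and stored separately.
PINNED_MANIFEST = build_manifest(RELEASE)


def demo() -> dict[str, list[str]]:
    """Run the check on the clean release and on a tampered copy of it."""
    clean = verify_release(RELEASE, PINNED_MANIFEST)

    tampered = dict(RELEASE)
    tampered["agent-update.bin"] = RELEASE["agent-update.bin"] + b"\n# appended after release"
    tampered["extra.dll"] = b"file not present in the manifest"
    del tampered["config.yaml"]

    return {"clean": clean, "tampered": verify_release(tampered, PINNED_MANIFEST)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
```

A pinned manifest only catches changes made after the publisher recorded the digests. Code inserted before the build, as in the SolarWinds case described above, is already present when the digests are computed, so it also needs controls on the build pipeline itself: reviewed source, a hardened and audited build environment, and signed provenance for what the pipeline produced.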
Safeguarding client/user information
In July 2021, Forbes reported that LinkedIn suffered a security breach affecting 700 million of its users. According to LinkedIn, information was scraped from the platform and other online sources, including inferred salaries, phone numbers, street addresses, and geolocation data.
The company describes information scraping as a violation of its Terms of Service.
Netguru’s cybersecurity principles
In the digital economy, data is fuel for business growth. This information largely comes from consumers, who have a right to privacy and would like to believe that their privacy is respected and protected by the service providers and data handlers that they deal with.
In fact, it is this very trust that is the basis for obtaining the consumer data in the first place.
Companies and organizations should therefore protect their data and the data of their clients in order to be able to operate and develop in a conducive atmosphere.
To this end, the Cybersecurity team at Netguru operates in accordance with certain core principles.
The core principles are:
Since the privacy of our employees and clients is crucial to us, we take steps to safeguard it by developing security based on global standards, and in accordance with prevailing privacy regulations such as GDPR.
Our first point of reference is the International Standards Organization’s ISO 27001, which defines the principles for building an information security management system (ISMS).
We have a set of policies as part of our ISMS which are designed to provide the best level of privacy and information security — both for our clients and our employees. This policy set is attested by our ISO 27001 certificate.
Since 2018, Netguru has operated an ISMS based on ISO 27001. This is a programmatic structure that selects customized security controls tailored to the risk profile of a specific organization.
The ISMS is a set of policies, procedures, and instructions designed to address risks for the organization and build security, based on international standards and best practices. In terms of business processes, the ISMS defines aspects of information security at an operational level.
We are currently working on our next certification — ISO 27701. This is dedicated to the development of a Privacy Information Management System.
A risk-based approach to management
From both the business and technical perspectives, we build our projects and processes based on risk management.
The use of relevant data and the experience of our experts helps us to analyze and define risk at each level of the product.
With this approach, it is crucial that both the team and the clients are aware of the risks involved — and their possible impact on the business.
We work with clients to build this awareness, together with possible solutions to ensure digital product security. In this way, the client can actively manage risk, and on this basis prioritize tasks for the team with ongoing help from experienced Project/Product Managers and Cybersecurity Experts.
Netguru’s cybersecurity best practices
In line with current trends in application security, Netguru focuses on advocating security testing early in development and implementing automated remediation techniques to secure applications against external attacks.
Among our cybersecurity best practices are:
1. The secure software development life cycle (S-SDLC)
Netguru approaches each project individually, using general baselines for the Software Development Life Cycle (SDLC). Based on the project requirements, we build project teams tailored to each client’s needs.
Software development is based on a standardized process, which is customized to the individual project scope, complexity, business risks, and industry.
Our software development processes are based on best practices recommended by the Open Web Application Security Project (OWASP).
The SDLC is expanded with the OWASP Security baseline, which includes basic security techniques and recommendations prepared for each project by our Cybersecurity team.
Some projects require an extended approach to security. For these cases, we offer an extended set of cybersecurity services, like the Advanced Project Security Strategy.
2. Baseline security
We provide security training for project teams, with courses, webinars, and practical exercises.
The Netguru Cybersecurity team is in constant contact with development teams to provide them with support in solving security problems — both from a conceptual standpoint and in implementation.
We use an internal community to share knowledge, bringing together people from various areas such as QA, Devs, and DevOps.
This community approach helps us to define internal standards and recommendations and to share new knowledge regarding security challenges.
In addition, we define and standardize stacks of tools that support project teams with specific tasks, and automate some of the work of improving the security of our products.
3. Consulting and advanced product security strategies
We analyze product and business needs to identify threats and risks for the client. On the basis of this analysis, we prepare technical recommendations on project security for the client — starting from product design through to completion.
Risk analysis and threat modeling combined with the product and its requirements allow us to prepare a product security strategy tailored to our client's needs.
By considering security as early as possible in the software development process and taking this risk-based approach, we give clients the freedom to decide on the scope and direction of the development of their products, based on individual preferences. This also enables our clients to implement security more effectively and at a lower cost.
In this service, the client has a dedicated Security Engineer/Consultant assigned to their project, who helps to analyze security on a daily basis.
The Consultant also prepares recommendations that are adjusted to the project requirements in an agile manner to help the project team to harden configurations, development cycles, and the product as a whole.
4. Testing and auditing
As software requires constant and ongoing verification of its current security level, our clients interested in cybersecurity services can receive:
- Security audits. We offer audits that verify security levels against guidelines and regulations such as OWASP and CIS.
- Security assessments based on manual and automated analyses of code and configuration (also cloud configuration).
- Penetration tests that simulate real-life attacks on IT systems.
How we work on the security of products for our clients
We use several elements when designing and building a security strategy for our customers and their products. They allow us to adapt the strategies to the project requirements, and combine the best standards with agile software development.
These elements include:
Depending on the project requirements and its particular stage of development, we use a variety of tools, including vulnerability scanners, static application security testing (SAST) tools, dependency analyzers, and container image analysis.
The scope of the project, the client’s available technology stack, and the project requirements will determine the final setup of security tools.
We use various techniques and methodologies to adapt as closely as possible to our client’s needs, product scope, industry, and risk. These may include:
- Risk assessment
- Threat modeling
- Audits, Assessments, and Penetration Testing (Pentesting)
All the methods mentioned are based on international standards and the best security practices, such as OWASP, NIST, and CIS.
The Netguru Cybersecurity team consists of two separate units:
- Information Security. This unit of Information Security Analysts is responsible for internal operational security, compliance requirements, Information Security Management Systems, and GDPR.
- CyberSec. This unit of Security Engineers has various specializations dedicated to supporting project teams, development processes, and commercial services.
The team consists of Information Security Analysts as well as Security Engineers with various skills/specialties, including:
- Application Security Engineers.
- DevSecOps Specialists.
- Cloud Security Engineers.
Netguru engineers are experienced subject matter experts in cybersecurity. They have vast experience in both red team (audits, pentests) and blue team (design, engineering, hardening) work.
To give you some context to these industry terms: blue team experts are responsible for analyzing information systems to ensure security, identifying security breaches, and making sure all security measures remain effective after implementation.
Red teams, in turn, play the role of an “enemy” by “breaking into” the system, simulating real-life attacks, and providing security feedback later.
The Netguru Cybersecurity Team also has deep knowledge not only of security but also of software development and cloud engineering. They are fluent in implementing best practices and standards, including PCI DSS, OWASP, CIS, and ISO.
In this information age, proprietary data and sensitive customer information are coveted and targeted by criminals. A successful modern company needs agile, smart protection to monitor and detect a range of persistent risks. Finding the right cybersecurity provider will let you stay agile without compromising safety.