Whether you’re developing native mobile apps or traditional web applications, for the everyday consumer or for use in the enterprise, there are development and deployment standards that need to be adhered to if you want to guarantee a secure and highly available environment for users. App security and availability are basic guarantees that, when compromised, can significantly harm user trust, earning potential and business reputation. Cyber-attacks have grown more complex and more powerful as hackers get smarter and gain greater access to technologies capable of taking down some of the largest and best-known corporations online. There has never been a more challenging time for developers.
There is no perfect formula yet for completely eradicating online threats. However, protection and development techniques have largely improved, some with the ability to evolve in real time with the industry. Here are some key pointers for securing your applications and improving availability for your users.
Minimize & Place Strict Rules On User Input:
Almost any input that can be made from a user’s device from within your app has potential for exploitation. Many apps thrive on user input such as text messages, audio, images and other types of media, since these tie closely to the app’s purpose. Even so, stringent limitations should be placed on what can be uploaded to networks and shared with other users. The more media you allow users to upload, the greater the responsibility you’ll have for protecting and securing that data.
In addition, while developers can set limitations on uploaded content, best security practice should also include an awareness of social engineering and of the fact that many users are essentially victims of deception.
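The upload limits described in this section can be enforced on the server as in the following added example (not code from the original article). The size cap, the media allowlist and all function names are assumptions chosen for illustration.

```python
import hashlib

# Assumed policy values for this example; tune them per application.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Allowlist keyed by the file's leading "magic" bytes, never by client claims.
MAGIC_ALLOWLIST = {
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}


class UploadRejected(ValueError):
    """Raised when an upload violates the server-side policy."""


def validate_upload(data: bytes, declared_mime: str) -> dict:
    """Check size and real content type; return server-chosen storage metadata."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    detected = next(
        (meta for magic, meta in MAGIC_ALLOWLIST.items() if data.startswith(magic)),
        None,
    )
    if detected is None:
        raise UploadRejected("content is not an allowed media type")
    mime, ext = detected
    if declared_mime != mime:
        raise UploadRejected("declared type does not match file content")
    # The stored name is derived from the content, so a client-supplied
    # filename (path tricks, double extensions) never reaches the file system.
    return {"mime": mime, "size": len(data),
            "stored_name": hashlib.sha256(data).hexdigest() + ext}


def is_accepted(data: bytes, declared_mime: str) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(data, declared_mime)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs (not real files).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
DISGUISED_SAMPLE = b"<html>not an image</html>"
```

Because the check runs on the backend, it still holds when the client app has been modified or bypassed.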
Limit Processing To The Servers:
One vital app security design approach is to ensure that the code on the client side (the phone app or browser app itself) does very little processing. Many developers think about this only as an afterthought, when apps are already completed. This is the wrong approach and lays a shaky foundation that invites vulnerabilities. There are many things on users’ phones that the developer has no control over. It’s especially important to keep the heavy lifting in the backend, where control over what is sent and received by the application is maintained.
All data integration with other services should be executed on the backend and not on the mobile device. For example, exposed ads in applications could have malicious code embedded. Backend integration ensures that anything coming from outside the app will not have access to any system resources. Of course, all effort should be made to maintain a secure backend and API environment, with prudent session management and stringent access controls.
Don’t Get Complacent With Writing Your Own Security Controls:
Sure, you may be your own biggest critic, but it’s never a good idea to rely solely on your own expertise or ability to proofread and validate the work you’ve done. The average developer, though usually knowledgeable about general security techniques, does not study or practice security 24/7 and will therefore not have the competence and experience needed to maximize security. This is especially important for enterprises serving millions of clients, as the risk there is often greater, as we’ve seen with the Home Depot breach and others. It’s better to seek input and assistance from the community or from professional software security analysis providers, which offer tried, tested and regularly updated code and plugins.
Maintaining Availability During Attacks & Other Downtime Events:
While many developers are excited by the prospect of simply launching an app and taking it to market as quickly as possible, there are a few things to consider to ensure an engaging and positive experience for users and to become a top performer in the market. In addition to the services an app provides, developers need to be able to guarantee availability and prepare for the unexpected: not just for security, but also for delivery speeds and load distribution as popularity and demand increase. Thankfully, with the rise of security-as-a-service (SECaaS) providers, even developers on lower budgets can employ services once reserved for cash-rich enterprises.
These SECaaS providers eliminate the high cost of owning powerful enterprise-grade equipment for individual developers and businesses. They bundle services that cover acceleration through globally distributed content delivery networks (CDNs), powerful web application firewalls (WAFs) to mitigate intrusion, and failover and load balancing services for when traffic hits new highs.
While massive attacks on apps are few and far between, developers will more often experience outages due to application and network errors that render servers, and therefore applications, unavailable. A SECaaS provider can ensure that traffic is always routed to an available server or, in the case of complete network outages, rapidly have backup machines up and running while issues are sorted out.
Vulnerabilities In Using Encryption:
While it has recently been revealed that the SSL v3.0 encryption protocol has some serious vulnerabilities, SSL and its later versions still remain somewhat viable options for securing data in transit and storage, and SSL encryption usage is mandatory. However, there are some limitations. SSL does well when encrypting connections for web applications made for the browser, but it is not as effective in protecting apps that automatically reconnect to available open networks, where rogue devices may operate as SSL proxies. To fix this, place limitations on automatic connections for operations such as data synchronization, file transfers and automatic updates.
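One way to apply both points above, as an added example that is not part of the original article: a client TLS context that refuses SSL v3.0, and a gate that keeps automatic operations off open networks. The network descriptor, the operation names and the policy itself (cellular allowed, Wi-Fi only when encrypted and user-approved) are assumptions for illustration.

```python
import ssl

# Operations the text names as needing limits on automatic connections.
AUTOMATIC_OPERATIONS = {"data_sync", "file_transfer", "auto_update"}


def build_tls_context() -> ssl.SSLContext:
    """Client context for background traffic: verified certs, no SSL v3.0."""
    ctx = ssl.create_default_context()            # chain + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL v3.0 and early TLS
    return ctx


def may_run_automatically(operation: str, network: dict) -> bool:
    """Decide whether a background operation may start without user action.

    `network` is a hypothetical descriptor supplied by the app's platform
    layer: {"type": "wifi" | "cellular", "encrypted": bool, "user_approved": bool}.
    """
    if operation not in AUTOMATIC_OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if network.get("type") == "cellular":
        return True
    # Wi-Fi: only encrypted networks the user has explicitly approved.
    # Open or unrecognised networks wait for an explicit user action.
    return bool(network.get("encrypted")) and bool(network.get("user_approved"))


# Constructed network descriptors for demonstration.
OPEN_HOTSPOT = {"type": "wifi", "encrypted": False, "user_approved": False}
HOME_WIFI = {"type": "wifi", "encrypted": True, "user_approved": True}
NEW_ENCRYPTED_WIFI = {"type": "wifi", "encrypted": True, "user_approved": False}
CELLULAR = {"type": "cellular"}
```

The gate reduces exposure to rogue access points, while certificate and hostname verification in the context is what actually defeats an interposed proxy that presents an untrusted certificate.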
Promote Consistency & Standardization Among Development Teams:
Consistent usage of code, frameworks and methodologies is vital whether you’re a solo developer or part of a team. A consistent structure not only ensures that code is easily read and accessed whenever upgrades and amendments are needed, but also makes mitigating and responding to threats and errors a seamless and predictable experience. While different developers on a team will have varied approaches, preferences and styles, a viable compromise should be agreed upon by all to maintain harmony within the code. This prevents loopholes and vulnerabilities that arise from inconsistent or misaligned code.
Know Your Enemy:
As a developer, security will always be part of your team’s responsibilities; it’s a full-time task and threats wait for no one. Keeping track of industry projects like the Open Web Application Security Project (OWASP) is a good way to follow industry trends and to assess and prepare for vulnerabilities in your apps. Threats continuously evolve, especially as access to technology and information increases. A security measure or fix you implement today may be obsolete tomorrow. Building apps for fun or business is great, but there also needs to be a realistic budget and provision for worst-case scenarios, with established workflows for threat or downtime events that require immediate response from your team.
These guidelines are valuable for laying a secure foundation for applications ready to serve millions of users. However, bear in mind that attacks evolve on a daily basis, and it’s OK to be overprotective of your app and your users’ assets since there’s so much at stake. Plan adequately, encourage your teams to work in harmony and always strive to be in the know.