In a world where increasingly serious tasks and transactions are carried out online, internet security is becoming more important. Financial details, personal and sensitive information, confidential data, EHR records: all of this now circulates on the web, and since services became interconnected through APIs, much more is at stake. In this article, we’ll look at the rules of internet safety from the developer’s perspective and discuss where the line between the user’s and the developer’s responsibilities lies.
Online security: a priority for users and businesses
In 2022, the total damage from cyberattacks reached $6 trillion – about the same amount as COVID cost the U.S. in 2021. If the latter figure made many a head spin, the former should, as well. Even by the comparatively optimistic estimates from the University of Maryland, there’s a cyberattack happening every 39 seconds or so, meaning two have already happened since you started reading this article.
For an insecure PC hooked to the Web, though, the figures look even more sinister, with 2,000 attacks per day on average. These attacks assume very different forms, exploiting all sorts of vulnerabilities, from the human factor (phishing) to input fields through which the hacker can inject code snippets.
Some of these vulnerabilities require the work of coders and QA engineers setting up the system, while some can also be minimized by the users themselves. Where is the dividing line, though?
Distributing the responsibility
Overall, there are three major players in internet security (except for the hacker, that is):
- The user
- The development team
- The business that commissioned the application or service
Starting with the last of these, the role of the business is to prioritize security from the outset: when planning the web application, when selecting the web development services provider, and while working on the project. By now, this understanding has matured considerably, with the worldwide information security market predicted to reach $366.1 billion by 2028. It is worth remembering, though, that the ability to prioritize safety stems from the general corporate culture, and succumbing to “cyber fatigue” is a common pitfall, observed in 42% of companies according to Cisco.
The development team, on the other hand, bears the responsibility of being aware of the possible vulnerabilities in the code it delivers, and of reminding the client that these need to be addressed alongside the purely functional requirements. After all, it is only professional coders and QA specialists who understand how things like IDOR (insecure direct object reference) or XSS (cross-site scripting) work, and how to prevent their impact.
All that does not leave the user completely safe, though, unless they are aware of the simple rules of internet safety. In the current era, when many code-level threats are addressed properly by developers and DevOps, the human factor is becoming prominent. For example, phishing, which relies primarily on the user’s lack of awareness, is now the essence of 37% of total attacks suffered by businesses (and >90% of the successful ones). That means anyone going online is expected to:
- Use strong passwords: 8+ characters, mixing upper- and lowercase letters and special characters.
- Know the difference between http:// and https://, at least when money transfers are involved.
- Keep the software they use up to date.
- Use two-factor authentication when dealing with certain essential services.
- Understand how phishing and social engineering work.
With that out of the way, let’s now look at what the rules for internet safety are from the developer’s perspective – and that of their client.
How to ensure internet security in your application
If there’s a list of 5 or 10 internet security rules for the user, there must be one for those creating the web service. Of course, if it were to address all the technological details, it would run all the way to 500 and beyond: cybersecurity is something professionals dedicate their entire lives to, what with new types of threats emerging every now and then.
However, there are five general rules that hold true from the organizational point of view, no matter what vulnerabilities there may be.
#1 Assess the risks
The nature of the web application, site, or service being created defines much of the risk that needs to be mitigated. If there are going to be free-text input forms, for example, the problem of code injection (such as SQL injection) will need to be addressed. Other applications will suffer more from cross-site scripting (XSS) or broken authentication. It pays off to determine the specific vulnerabilities that are most likely to be present, without forgetting about the other possible scenarios.
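As an added illustration (not code from the original article), the following Python snippet shows why free input forms raise the SQL injection problem named above, and how a parameterized query, plus an allow-list on the field's format, removes it. The user table, the hash value and the form inputs are constructed sample data.

```python
import re
import sqlite3

# Allow-list for a username field: letters, digits, and a few punctuation marks only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample store: one user, standing in for the app's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Builds the query by string formatting: form input becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Bound parameter: the driver passes the input as data and never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    """Defense in depth: reject input that does not match the field's format, then bind."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return lookup_parameterized(conn, username)


def compare(form_input: str) -> dict[str, list[str]]:
    """Runs one form value through all three handlers so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, form_input),
        "parameterized": lookup_parameterized(conn, form_input),
        "hardened": lookup_hardened(conn, form_input),
    }


if __name__ == "__main__":
    # A legitimate value matches in all three; a value carrying SQL syntax only
    # changes the query's meaning in the string-formatted version.
    for value in ("alice", "' OR '1'='1"):
        print(repr(value), compare(value))
```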
#2 Implement best practices in cybersecurity
Arguably the most profound idea behind security is that it needs to be addressed at all the stages of SDLC (software development lifecycle), from planning to launch and beyond. This is why, for example, SecDevOps is gaining popularity as an approach that combines development, operations, and security into a single continuous loop. Other approaches and best practices include things like red team / blue team methods, where the “red team” tries to “break” the application, and is countered by the “blue team” – simulating an attack before the software goes live.
#3 Monitor and audit continuously
Protecting a software system from attacks is harder than keeping foxes away from a chicken coop, mainly because foxes do not evolve at the same speed as cyberattacks do. As new types of threats appear (and the old ones are perfected), it is a good idea to keep track of security continuously: a good old fence won’t do. Neither will a web application firewall (WAF) on its own. Thankfully, there are ways to automate monitoring and to integrate vulnerability scanners into the ecosystem.
#4 Train the staff
This includes both the staff involved in creating or maintaining the software and the staff that will be using it. For example, CRM, ERP, or EHR systems come with training that instructs users, among other things, to follow the basic security rules.
At the same time, an in-house team working on the software should also be trained to handle common vulnerabilities, know where potential weak spots may be, distinguish between threats, and so on. Of course, the same applies to any outstaffed team, so when hiring one, it is important to make sure they are encouraged to keep their skills up to date.
#5 Ensure regulations and guidelines compliance
Part of what makes cybersecurity hard is that you are like a goalkeeper playing football with a team of ghosts and an invisible ball: there are countless directions from which the ball may come flying, and you have to be able to monitor all of them. To help with keeping track of the game, there exist a number of guidelines, such as those from the Open Web Application Security Project (OWASP), that specifically list the potential threats that need to be addressed. Additionally, being aware of formalized regulations like ISO 27032 and many others, some of them industry-specific, is an important step.
Creating a safe web-based experience is a complex achievement requiring attention from both the user and the developer. When initiating any software project that involves being online (and in 2022, that is practically any software), you may want to ensure your development team knows the ins and outs. Building such a team may be difficult when you are bound to the geographically limited resources in your area, so outstaffing it is a good option. You can learn more about what MWDN does for web security by contacting us.