See all articles

The 3 key security aspects in the process of software development

Paweł Dąbrowski

In a world where criminality is slowly moving to the sphere of digital activity, cybersecurity is more important than ever. Data breaches can lead to costly consequences, particularly if you allow third parties to access the sensitive information of your users. So how can you protect your business from security threats, both internal and external ones? At iRonin.IT, we recommend focusing on the three major 3 areas of software development security.

How to make your software development process secure

Data breaches are dangerous in multiple ways. They can end in lawsuits, damage your brand, alienate your users, empower your competitors to get ahead of you, or lead to cyber attacks against your infrastructure. But don’t panic - there are easy ways that can help you minimize the likelihood of a data breach.

If you choose to use these three rules, they will help you develop better processes and strategies for managing digital projects safely. They are general guidelines rather than specific step-by-step instructions. You’ll have to do the work, such as verifying licenses and choosing the right tools, yourself.

Protect your ideas

The first step you can take to protect your ideas occurs at the very beginning of a software development collaboration. When starting work with an outsourced tech partner, ask them to sign NDAs. You might even want to hand one out to every employe they add to the team. Remember that, though your partner’s intentions are most likely pure, you’re responsible for protecting your intellectual property. No one can do it for you and it’s better to be safe than sorry.

Next, make sure to use secure means of communication with your partner (e.g. encrypted and signed emails, HTTPS-enabled chat solutions, encrypted chats). Project-specific information and communication channels should be available only to the team members who are (or will be) actively working on the project. Read through the contract and, if necessary, renegotiate so that you will own the full right to the codebase and the product. Reserve the copyrights and trademarks related to your branding, making sure that you are allowed to use your branding elements.

Finally, verify the licenses for any 3rd party code used within your app. Sticky licenses can be a real problem, as they can essentially make your product open source - or you might find out that it wasn’t legal to use the 3rd party solutions in the first place. Sometimes, the license will restrict the code from being used in specific countries or markets, or the algorithms will be patented on some markets. It’s the project owner’s responsibility to make sure that all the resources and libraries used, including the open source ones, don’t infringe on 3rd party copyrights.

Protect your codebase

Use your version control system (and VCS servers) as a means of improving code security. They give you the ability to reverse and inspect changes, control who accesses your code and when, and more. Access control is especially important with external teams. Your outsourcing partner should have processes in place to ensure secure access to your documents, specifications and code. Only the project team and their Project Manager should be able to access them.

The code review can also be a wonderful tool for security (it’s a good sign if your team uses code reviews as part of their definition of done, so it’ll never be skipped). This is how it works: team members regularly review the code base as development progresses, making sure it contains no backdoors or malicious code. To do this effectively, your team needs true technical excellence and best programming practices. It’s even better if they’re helped by dedicated Quality Assurance experts with established processes, including CI/CD with automated tests. Just keeping your libraries, frameworks and other external code updated can be a huge step towards improved security. The team should be mindful of the source of each update and verify them thoroughly, as sometimes they contain security breaches.

Protect your product or service

There are several aspects of protecting your app, from making sure it never goes down unexpectedly to keeping good backups. There are several important areas to keep in mind:

Server security

Make sure that your server is set up correctly, both for production and for tests. Check your app for potential code and data leaks. The logfiles of your app or 3rd party solutions should not contain any private or sensitive data. It would be best if your app’s data was isolated from any other applications hosted on your servers.

Set up your server to track instances of potential infringement of private data, alerting you as needed. Put as much effort as necessary into optimal server configuration for better performance and improved security (e.g. DDoS prevention). Make sure that all the components of your server software (and your project, including APIs) are sharing and exposing only required data.

Data privacy

Know where your users’ data is stored and processed, and choose the service carefully. Pay attention to any unverified extensions and solutions - they might need to be removed, or simply vetted as safe. Maintain strict database security, one element of which is storing your data in an encrypted and anonymized or obscured form (UUIDs instead of autoincremented IDs, access/approval hashes to payment solution APIs).

Backup & incident response

Early in the project, invest time and effort into properly configuring your staging and production environments. Maintain a regular update schedule, and use only verified 3rd party extensions or services. Your app should be hosted on a server with SLA (service level agreement), ideally one guaranteeing nearly 100% availability. Finally, introduce a proper backup strategy for your data and codebase - yes, even if you’re hosting everything in the cloud. Regularly maintain your online & offline backups. Establish and use good incident response processes.

People & team composition

And don’t forget about your users. Keep them informed about proper security practices to help them protect their data. You can share personal security tips as part of your privacy policy or onboarding process, for example. Make sure that project information is passed only through specified, secure communication channels to avoid social engineering and social attacks. Use two-factor authentication for accessing the project toolset.

Bringing an experienced SRE or DevOps expert into the team can be a great idea. Such an individual will be able to dedicate much of their focus to your app’s security, and the rest of the team won’t be distracted from building an amazing product.

Staying safe through forward thinking

You might have realized that preparation is one of the most important aspects of keeping your projects and business secure. Don’t wait for a problem to occur. Instead, educate yourself (or ask your tech partner) about what risks you’re likely to face and introduce strategies to mitigate them. While the methods described above may seem like a lot of work, they can save you much additional effort and prevent extra costs by helping you avoid disaster.

Eager to start a secure IT project? Or maybe you need a security audit of your development process?

iRonin.IT has been delivering secure web and mobile applications for over a decade.

Similar articles