There is a hacking attack every 39 seconds on average, about 24,000 malicious mobile applications are blocked every day, and 75 data records are compromised every second. European companies are obliged to ensure the cyber security of applications, websites, systems and corporate networks. The highest fine for failure to adhere to the regulations has been 60 million euro! Yesterday, software development security was an addition to IT projects. Today, this is one of the key factors determining the success of your venture.
In 2020, nearly a quarter of all the companies in the world were victims of cyber attacks. Corporate software security changes dynamically. The success of your digital product depends on whether it meets all the expectations of the end users. According to Eurostat, Internet users express high levels of concern about cyber security, such as personal data security, online payment security, and malware.
The effects of a lack of cyber security in a cloud native firm
Latest technologies such as cloud services are popular among international companies, and offer a wide range of business development opportunities. Applications in the cloud look and work increasingly better and require fewer resources compared to the traditional approach. Data processing is cheaper, faster and much better.
Cloud native has a massive potential which is only fully utilised by those companies that are aware of and are prepared for cyber threats. Which consequences of not having cyber security in the company do you need to prepare for?
According to ENISA, these are the top cyber threats in late 2019-early 2020:
- Malware (malicious software used to steal data or money, and to compromise device functions).
- Web-based Attacks (web systems and services, e.g. fake websites, malicious scripts, used for illegal collection of user data and infecting devices with malware or tracking scripts).
- Phishing (pretending to be a trusted entity to obtain sensitive information such as login data or credit card data).
- Web application attacks (using system flaws, software vulnerabilities, and violation of application or database security. What’s interesting, unauthorised administrator access to software is often caused by human error).
- Spam (unsolicited and illegally sent emails. They often contain malicious urls).
- Denial of service (blocking electronic services by malware or system overload).
- Identity theft (obtaining the personal information of another person in order to use their identity to commit fraud or theft).
- Data breach (the intentional or unintentional release of access to information or data).
- Insider threat (any threats with access to systems and inside information, e.g. about employees or former employees, business partners and customers).
- Botnets (a network of malware-infected computers that can be wholly controlled by a single command and used for other cyber attacks).
Any lack of protection against cyber threats can result in data and money thefts, software damage, as well as losing customer trust and reputation. Cyber threats neglected in the course of software development become the main reason of failure of many businesses.
In Europe, new strict regulations to ensure an appropriate level of personal data security (GDPR) have been implemented recently. The highest fine of 60 million euro for failure to comply with the GDPR obligations associated with the use of cookies was imposed on Google in France. A huge fine of 35.3 million euro was also imposed by the German government on H&M (Hennes & Mauritz) for processing sensitive personal data of their employees in the recruitment processes, including information about their health and family life.
To date, the biggest GDPR non-compliance penalties have been imposed on companies in Italy, Germany, Scandinavia, France and Spain. Software development cyber security has never been so important before. How to provide more effective protection of companies and customers against cyber threats?
More effective software development cyber security
A high level of software development security and ensuring effective cloud application protection are among top priorities at Stepwise. We use the best security technologies and monitor the environment by means of advanced tools, such as Intruder and Tenable. Our specialists carry out regular penetration tests and track code dependencies on a current basis. Security of software development and use is considerably enhanced by encryption mechanisms, real time protection services, and reliable management of the entire infrastructure.
We believe that apart from the above mentioned solutions, a powerful weapon in fighting cyber threats is the increased awareness of our business partners and customers. For this reason, we willingly share our knowledge of existing software threats and effective preventive methods.
The old approach towards software development was based on keeping corporate data and applications on virtual machines. When developers or system administrators wanted to secure data effectively, it was sufficient to install appropriate firewalls. Aside from the fact that it is impossible to connect a static firewall to applications that keep scaling and should be flexible by assumption, this old approach is not sufficient in the case of cloud native.
Cloud services offer a lot of benefits that local data centres lack. Using a cloud considerably reduces the maintenance costs of software infrastructure and IT department employees. Computing capacity scalability allows you to tailor the number of paid instances on a current basis. Despite dispersed virtual machines, you can manage everything in one place. Innovative automation functions raise digital product management to a completely new level.
In response to the new cyber security needs, DevOps was created (in place of old system administrators). At Stepwise we believe that to provide effective protection of applications and data on servers, all the competencies of DevOps, Security Managers and Developers should be combined.
Creating native cloud applications is a perfect business solution with many advantages. You can find out more about them here. Innovative cloud services have facilitated the lives of many companies. At the same time new problems have appeared, e.g. frequent changes of virtual machines, a lack of possibility to use static solutions, and dynamic IP addresses, dependent on the current data location. What should a conscious software house remember to increase software development security?
The key issues of software cyber security
Network security
Network security should concentrate on the implementation of policies, processes and best practices to prevent, control, detect and fight any attempts of breaching the network, data and other corporate resources.
Identity & access management (IAM)
Identity and access management determines which users can access which resources inside a network. UEBA works perfectly in this respect. It predicts user behaviour patterns and then, in real time and using machine learning, creates models of secure access right management.
Data security and data protection
Effective corporate data protection should focus on two directions:
- It is essential to technically secure all databases and information stored on physical and virtual servers. The main activities include appropriate identity and access management, creating backups, encrypting information and using advanced technological cloud solutions.
- The other issue is related to compliance with legal regulations associated with protection of customers and users of digital products. In Europe these conditions are specified in the GDPR, which states for example that the personal data protection policy should be prepared by the company as early as the stage of software development. In the USA, with so-called patchwork legislation, there are several legal acts that concern various states or branches.
Vulnerability management
Vulnerability management is a constant application monitoring and regular scanning of the environment (e.g. containers in Aqua). Vulnerabilities can appear even after completion of a project. It is important to update the version of the application in the event of detecting a threat. The supplier of the affected component (dependency, library or system) should fix the bug. Identification of more sensitive areas of the system, particularly those exposed to cyber attacks, enables fixing vulnerabilities.
Workload security
It is worth collecting and monitoring application performance metrics to know when someone is attacking a system. One characteristic feature of such situations can be the increased number of 401 unauthorised error (logging error). For example, when we notice 6,000 failed login attempts or unusual traffic sources, we can prevent the negative effects and block the traffic from the suspicious source to make cyber attack impossible.
Notifications and alerts
Information about what was changed in the system, when, and by whom, allows identifying the software components particularly exposed to attacks. In the past, logs used to be collected on physical machines, and after attacks hackers could delete them freely. The cloud enables distributed logging of protected devices to easily check and analyse any activity in the system.
A cloud native security strategy
There is no one universal model of cyber security management.
When planning a cloud native cyber security strategy, attention should be paid to such issues as the type of application, business environment, branch, character of the organisation, as well as the type and purpose of the collected data.
The most important thing is to include appropriate preventive measures as early as the software planning and development stage. This is required not only by regulation, but also by common sense and the respect toward users of your digital product.
A lack of sufficient software and data security (especially sensitive data) can harm your company, not just in terms of PR. A software house should always remember about the legal environment of its partner. Various personal data protection regulations and requirements associated with providing network security require an individual approach and solutions compliant with a given business location. For example, in Europe, the GDPRs are extremely strict, and neglecting them can cost up to 4% of your annual income.
As part of an effective cloud native cyber security strategy, the optimal solution to ensure greater security of your cloud services is by preparing a risk management framework that contains a list of all potential software threats and factors that make the application particularly exposing the application to attacks (so-called attack vectors). In order to prepare a cloud native security framework, cyber threat management should be treated as a process. After drawing up a response scheme in the event of threats, it is necessary to regularly monitor the level of security and to respond if worrying symptoms occur. After overcoming a crisis, the team of IT specialists would go back to the beginning of the process and monitor the situation systematically.
Some example vectors of attacks on a cloud native application:
- vulnerabilities in the application code,
- a wrongly configured container image (e.g. “root”, i.e. administrator),
- an attack on a computer on which an image is being prepared,
- a supply chain attack (e.g. external software components with vulnerabilities installed),
- inadequately secured employee computers,
- unintentional disclosure of sensitive data (tokens, passwords, authentication data),
- unsecured networks,
- vulnerabilities in the firewall of the container environment (wrong engine configuration for CRI-O containers),
- source code is stored in an unsecured repository (without access control).
Cyber threat management framework
How should we prepare appropriate cyber threat management procedures? At Stepwise we use a very practical approach in this respect. We conduct workshops with the customer and predict potential threats (attack vectors) then suggest preventive actions. The variety of business needs and conditions require a mix of operations, which is why we treat each single customer individually.
The benefits of proper cyber security management include:
- A high level of software security
- A high level of data security
- A smaller number of errors and code vulnerabilities
- Stable operation of digital products
- Cost-efficiency – prediction of potential threats and preparing adequate preventive actions at the onset of the project require less money than does identification and neutralisation of threats when they appear
- Time-efficiency – Stepwise ensures advanced automation of many processes in cloud services. This allows maintenance of a high security level without additional specialists and time monitoring all components of the system
- Legal security
- Avoidance of fines
- Trust of customers and partners
- Increased company reputation
How can Stepwise help your company ensure software development security?
Your company will be able to develop smoothly once you gain the essential knowledge of securing your applications and data. Stepwise will prepare your organisation for conscious cyber security management of cloud native software.
We will advise you which employee activities translate into a lower risk of data leakage, and how to adjust business processes to meet the highest of security standards. We will adapt your technologies or prepare new software and provide you with the best solutions within cyber security.
This is not all. After preparing the infrastructure and applications, it is necessary to monitor systems regularly and to respond to violation attempts and other cyber threats. Why is that so important? Technology is constantly being developed, legal requirements are changing, the skill level of hackers is increasing, meaning that software security management in the cloud should also be treated as a process that has worth in being improved. Contact us, and let us secure your software, business and customers.