Upon starting a new conversation on WhatsApp, one of the first things you see is a yellow banner that reads, “All of the messages in the chat and calls are now secured with end-to-end encryption.” While this should give you a boost of confidence, the reality is quite the contrary. Last week, WhatsApp was at the center of controversy when it was discovered that security flaws allowed hackers to manipulate people’s voice messages, pictures, and videos.
Therefore, even though WhatsApp messages are protected by end-to-end encryption, that protection gave users a false sense of security. In this article, we will give software developers some tips on how to secure their code, in order to ensure cyber criminals will not be able to hack the end user’s device.
The old adage in software development is that you need to include all of the features you planned from the outset, build them at a high-quality level and get the finished product to market as fast as possible. This is the definition of success. However, where does security fit into all of this? Nowadays, deadlines and features drive the development process, causing security to be left by the wayside. One of the most important things to keep in mind is that quality does not equal security. Increasing the quality of your product will eliminate issues that may be caused by defects, but the quality assurance process does not usually take hacking into account.
Therefore, one of the most important things that you need to do prior to the product’s release is to conduct a thorough security code review. Similar to proofreading an email before hitting send, your app’s code ought to be reviewed before releasing it to users. Such a code review will not only be able to detect security flaws, but also any inconsistencies in the logic and the business code. While it is tempting to only use automated technology to check the code, best practice shows that it requires both static analysis and a manual review.
Of course, such reviews do not have to wait until right before the release. It is a good idea to conduct manual reviews whenever you introduce any new changes. This will save you a lot of time, as you will likely be reviewing the app in sections. Therefore, it is recommended to devise a comprehensive checklist and enforce time constraints for manual testing. If you have a massive application, testers can tire fairly quickly, decreasing the effectiveness of their bug hunt.
Penetration testing is extremely helpful in discovering vulnerabilities before they snowball into large problems, such as data breaches, enabling you to see if your patching policies, data encryption techniques, and other security measures can withstand the threats posed by modern hackers. Let’s take a look at some of the best practices one should follow when conducting penetration tests.
First of all, you will need to identify the scope of the test. If you are using a third-party contractor for this, they will usually give you a questionnaire to fill out, but you can also handle this part yourself. The point is to identify the parts of your application that will be subject to the penetration test. Once you have this figured out, you will need to choose the type of test that you will be conducting:
- Black Box Test – The purpose of this test will be to assess the security level as it appears to a third party connected to the internal network. It is done without having any knowledge of the tested environment.
- Grey Box Test – This test is performed with some knowledge of the tested environment and will be done from the perspective of an account-holding customer.
- White Box Test – The tester knows all about the infrastructure and design of the environment.
After conducting the penetration test, your team or the security vendor should provide a detailed report of all the findings. This will include an executive summary, describing the overall health of the code, with a list itemizing all bugs that need to be fixed immediately. This report will also include a technical review, showing all of the activities that were performed as well as the results and the methodologies that were used. Finally, it should also include recommendations on how to remediate the threats. These recommendations should be practical steps one can take right away to minimize the risks. Usually, the IT department will be most interested in the list of vulnerabilities and recommendations, while C-suite executives will be interested in the summary.
A bug bounty program allows you to incentivize hackers to uncover and report bugs in the code. While this is done after your software has already been released, it is still a good practice, as far as secure software development is concerned, as you alone may not be able to uncover all of the issues that a decentralized army of ethical, “White Hat” hackers can. The probability of vulnerabilities and mistakes being discovered before they cause damage is much higher when you offer bounties to a decentralized network of White Hats. We believe you will be able to sleep better at night knowing that the uncovered errors were resolved before they were used to wreak havoc on your systems and customer data.
It is paramount that security practices play a larger role in the software development cycle. Given the large number of threats that companies face daily, it is important to verify that your software is as secure as possible. Therefore, we recommend that developers test early and test often, removing time-to-market delays. We are confident that any additional time and resources spent on verifying the security of your app will pay huge dividends down the road.