
Top 10 Questions to Ask Developers About Customer Data Security

December 23, 2017 by Dimitar Kostadinov

1. What security features and controls are built into your product?

Every software product should include the following aspects:

  • Basic security measures
  • Security measures to ensure compliance with governmental regulations and privacy requirements (See the "Honorable Mentions" part)
  • Software features

You need to be familiar with every new security feature, especially those that may change the dynamics between the product and its customers. To illustrate this, imagine how implementing two-factor authentication may slow down low-performance devices every time users attempt to access sensitive sections of an app. While this security measure adds an extra layer of access control, the example demonstrates a typical trade-off between security and convenience.


Irrespective of whether we talk about applications, cloud services or devices, collecting and storing data in a safe manner is of paramount importance. To let users access an app through an authentication mechanism based on username and password, for instance, developers need to store these credentials on a server that securely connects to the app; therefore, both the app and the cloud storage facility need to maintain a high level of data security.
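As an added example (not code from the article), the following Python shows how a server can keep such credentials without ever storing the password itself: each user gets a random salt, the password is stretched with scrypt, and verification uses a constant-time comparison. The store class, the work-factor values and the user names are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed work-factor parameters for this example (N must be a power of two;
# memory use is roughly 128 * N * r bytes, here 16 MiB).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password with scrypt so that a leaked record resists brute force."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_BYTES,
    )


class CredentialStore:
    """Server-side store that keeps only (salt, derived key) per user, never the password."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
        self._records[username] = (salt, derive_key(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record: Optional[Tuple[bytes, bytes]] = self._records.get(username)
        if record is None:
            # Run the KDF anyway so response time does not reveal whether the user exists.
            derive_key(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored_key = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(derive_key(password, salt), stored_key)

    def stores_plaintext(self, username: str, password: str) -> bool:
        """Sanity check: the password bytes must not appear anywhere in the stored record."""
        salt, key = self._records[username]
        return password.encode("utf-8") in salt + key
```

The same pattern applies whichever memory-hard KDF the platform offers; the essential points are a per-user salt, a deliberately slow derivation and a comparison that does not short-circuit.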

Mobile devices are susceptible to unauthorized access to cached information because they tend to retain short-term information for longer periods. Developers can mitigate this threat by programming the app to wipe its cache automatically every time the device reboots, or by requiring a password for sensitive app functionality.

Anti-reverse engineering mechanisms may save your business and reputation, since users will hold you liable if your product or service falls victim to malicious copycats.

Developers must put controls in place that prevent client data records from being corrupted during data input and output. SQL injection and cross-site scripting are a serious concern. When coding, the developer must bear in mind that the system performing these control checks should be able to demonstrate, and thus validate, that the checks took place.

Doug Tidwell, a software engineer at IBM, advised that "[t]o ensure that malicious scripting code is not injected into your page [during a cross-site scripting (XSS) attack], your best line of defense is to encode all variable strings before they are displayed on the page. Encoding merely means converting every potentially dangerous character to an HTML entity."
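The two controls described above, as an added example rather than the article's own code: a constructed in-memory SQLite table queried once unsafely and once with a bound parameter, and an output-encoding function that applies the entity conversion Tidwell describes. The table contents and the `render_greeting` helper are assumptions of this example.

```python
import html
import sqlite3
from typing import List, Tuple


def build_customer_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("Bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: the untrusted value is pasted into the statement text, so it can
    change the query's logic instead of being treated as data."""
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_customer(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: a bound parameter keeps the value out of the statement text entirely."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding: every HTML metacharacter in the variable string becomes an
    entity before it is placed on the page, so the browser renders it as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"
```

Input and output are separate boundaries: the parameterized query protects the database, while the encoding protects the page; a record can be stored safely and still be rendered unsafely if the second step is skipped.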

Physical Security Breaches

Only 10% of North American developers (and only 4% of those employed by large companies) place physical security at the center of access control on mobile devices.

Truth be told, developers cannot prevent the theft of mobile devices. What they can do is implement a local session timeout that periodically asks users to re-enter their password to regain access to the app.
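The session timeout from the paragraph above, together with the cache-wiping idea from the earlier discussion of cached information, as an added Python example that is not from the article: a session manager that locks a session after a constructed idle limit, clears its cached data and reopens it only after the password has been verified again. The clock is injectable so the behaviour can be checked without waiting; the `SessionManager` name and the timeout value are this example's assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

IDLE_TIMEOUT_SECONDS = 300  # constructed value; choose one that suits the app's sensitivity


@dataclass
class Session:
    user: str
    last_activity: float
    cached_data: Dict[str, str]
    locked: bool = False


class SessionManager:
    """Locks a session after a period of inactivity and clears its cached data,
    so a lost or stolen device exposes nothing without the password."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the behaviour can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str) -> None:
        self._sessions[session_id] = Session(user=user, last_activity=self._clock(), cached_data={})

    def cache(self, session_id: str, key: str, value: str) -> None:
        self._sessions[session_id].cached_data[key] = value

    def touch(self, session_id: str) -> bool:
        """Called on every request. Returns True if it may proceed; False means the
        session is locked and the user must re-enter the password."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        now = self._clock()
        if session.locked or now - session.last_activity > self._idle_timeout:
            self.lock(session_id)
            return False
        session.last_activity = now
        return True

    def lock(self, session_id: str) -> None:
        session = self._sessions[session_id]
        session.locked = True
        session.cached_data.clear()  # short-term sensitive data does not outlive the session

    def unlock(self, session_id: str, password_verified: bool) -> bool:
        """Re-authentication: the caller verifies the password (for example against the
        server) and passes the result; only a verified password reopens the session."""
        session = self._sessions.get(session_id)
        if session is None or not password_verified:
            return False
        session.locked = False
        session.last_activity = self._clock()
        return True

    def cached(self, session_id: str) -> Dict[str, str]:
        return dict(self._sessions[session_id].cached_data)
```

Wiring `lock` to the device's reboot or background notification gives the same effect the article describes for a cache wipe on restart.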

2. Do you encrypt data?

Developers often run into problems when integrating encryption into their applications. Even the software code itself, however, must be protected with encryption based on well-supported algorithms, combined with API encryption. Obfuscation and minification techniques are sometimes not good enough to repel more sophisticated threats. It is imperative to encrypt data in every one of its states – in use, in transit and at rest.

Apps that require users to input sensitive data (e.g., bank card details or Personally Identifiable Information (PII)) must invest in reliable encryption techniques. Such information is better not stored directly on the user's device unless the device's storage is genuinely trustworthy (for example, encrypting user data with the Keychain on iOS).


File-level encryption is a tool that works on a file-by-file basis, and it is particularly useful for protecting data at rest.

Containerization is a type of virtualization strategy that creates separate containers at the operating system level, which can be encrypted, and it is a viable alternative for securely storing data and documents.

Data federation is a security measure for decentralized data storage that spreads critical resources across numerous servers and operates using a database containing metadata about all the remote data.


VPNs, SSL or TLS add extra security by encrypting connections. To elaborate on SSL certificates: it is essential to use proper SSL libraries, especially in mobile applications, where users are more prone to attacks over insecure Wi-Fi connections. Most users do not know about HTTPS encryption. Nevertheless, despite their ignorance, you yourself must implement such an indispensable security mechanism; otherwise, those same users may file a lawsuit against your company. Consequently, leaving the enforcement of this security measure to users' discretion is not always a good idea.
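An added illustration, not from the article, of what using the TLS library properly means in practice with Python's standard `ssl` module: the weak client configuration that accepts any certificate for any host, next to the corrected one, plus a small audit function that flags the weak settings during a code review. The function names are this example's own.

```python
import ssl
from typing import List


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: the client accepts any certificate for any host, which is
    exactly what an attacker on an untrusted Wi-Fi network needs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be switched off before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: trust the platform CA store, require a valid chain,
    check the hostname, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Review check a developer or auditor can run over the app's TLS configuration;
    an empty list means no weak setting was found."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings
```

When the hardened context is used, the socket is wrapped with `ctx.wrap_socket(sock, server_hostname=host)` so that the hostname check has a name to compare against; omitting `server_hostname` is the usual way the hostname check gets lost even when the context itself is correct.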

It should be noted that key management is also essential since your algorithm protection will be utterly useless if keys and certificates are exposed to hacker attacks.

3. Where is the customer data stored?

This question concerns the physical location of the facility where the data is stored. The matter is pressing because jurisdiction defines customer rights regarding data protection and privacy.

As an illustration, one can compare the data breach notification laws in the U.S. and the EU. Only eight states in the United States have laws that require disclosure in the wake of a data breach (time to report: 15-90 days). That is one reason, among others, why some notorious massive data breaches went unreported for longer than usual (Equifax, Yahoo, and Target, to name a few). On the other hand, the EU General Data Protection Regulation (GDPR), which will come into force next year, will require companies affected by a data breach to notify customers within 72 hours of discovering it.

4. Do you apply database and application segregation of customer data?

First, customer data should be separated from other data. Second, you should be able to access the data of a specific customer without accessing any other customer's data. For these reasons, many companies prefer to arrange their data in silos that logically segment customer data. The cloud, for example, is like a bank depository – one vast infrastructure with a myriad of security lockers structurally separate from one another.

Office 365: Microsoft enterprise cloud servers are physically and/or logically separate from the servers for its consumer online services. Enterprise customer data, data in Microsoft consumer online services, and data created by or resulting from Microsoft scanning, indexing, or data-mining activities, are not commingled unless approved by the customer in advance.


The implementation of this infrastructure should begin from the initial stages of product/service design. The mere existence of separate environments will most likely reflect on the backup strategy as well.
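An added Python example (not from the article or from Microsoft) of logical segregation at the application layer: a constructed shared table in which every row carries a tenant id, accessed only through a handle bound to one tenant, so a request for another customer's record id returns nothing. The table layout and the tenant names are assumptions of this example.

```python
import sqlite3
from typing import List, Optional


def build_records_db() -> sqlite3.Connection:
    """Constructed shared table: one physical store, every row tagged with its tenant."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX records_tenant ON records (tenant_id)")
    return conn


class TenantScopedStore:
    """A handle bound to exactly one tenant. Every statement carries the tenant
    predicate, so there is no code path that reads another customer's rows, even
    when a caller supplies someone else's record id."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def add(self, payload: str) -> int:
        cur = self._conn.execute(
            "INSERT INTO records (tenant_id, payload) VALUES (?, ?)", (self._tenant_id, payload)
        )
        self._conn.commit()
        return cur.lastrowid

    def get(self, record_id: int) -> Optional[str]:
        row = self._conn.execute(
            "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant_id),
        ).fetchone()
        return None if row is None else row[0]

    def list_all(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? ORDER BY id", (self._tenant_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def delete(self, record_id: int) -> bool:
        cur = self._conn.execute(
            "DELETE FROM records WHERE id = ? AND tenant_id = ?", (record_id, self._tenant_id)
        )
        self._conn.commit()
        return cur.rowcount == 1
```

Backups and restores can then be scoped the same way, by tenant predicate, which is the connection the paragraph above draws between separate environments and the backup strategy.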

5. What are the backup plan and failover capabilities?

As with encryption, developers have no excuse if they decide not to include backup and recovery features.


Failover is a procedure that makes an app or service more fault-tolerant. As a backup operational mode, failover acts as an automatic switch between two system components – primary and secondary. When the primary component is unavailable (because of failure or scheduled downtime), the secondary one assumes its functions.

This is a part of the business continuity plan, and the procedure is as seamless as possible to end users. Duplicating production services incurs extra costs and other management expenses.

6. Is there a functionality to provide legally admissible forensic data?

In the event of a security incident, legal issues usually arise, which is why there need to be technical and procedural measures ensuring that data related to the event cannot be altered. Furthermore, all actions taken to collect relevant data after the incident should be recorded, so that the evidence will be admissible in court.
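An added example, not part of the article, of one technical measure that supports this: an append-only chain-of-custody log in Python in which each entry commits to the hash of the previous entry and to the SHA-256 of any collected artifact, so later alteration of any record is detectable. The actors, timestamps and artifact bytes are constructed.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


def _entry_digest(entry: Dict[str, Any]) -> str:
    """Canonical JSON (sorted keys, fixed separators) so the digest is reproducible."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def artifact_fingerprint(data: bytes) -> str:
    """SHA-256 of a collected artifact (disk image, log file); recorded with the entry
    so later alteration of the artifact is detectable."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Append-only chain-of-custody log: each entry commits to the previous entry's
    hash, so modifying or removing any earlier record breaks every later link."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def record(self, actor: str, action: str, detail: str, timestamp: str,
               artifact: Optional[bytes] = None) -> str:
        entry: Dict[str, Any] = {
            "seq": len(self._entries),
            "timestamp": timestamp,  # supplied by the caller (UTC, ISO 8601) for reproducibility
            "actor": actor,
            "action": action,
            "detail": detail,
            "artifact_sha256": artifact_fingerprint(artifact) if artifact is not None else None,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS_HASH,
        }
        entry["hash"] = _entry_digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> List[Dict[str, Any]]:
        return self._entries  # exposed so the tamper check can be demonstrated

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self._entries):
            if entry["seq"] != i or entry["prev_hash"] != expected_prev:
                return False, i
            if _entry_digest(entry) != entry["hash"]:
                return False, i
            expected_prev = entry["hash"]
        return True, None
```

In a real deployment the head hash would be periodically copied to a write-once medium or signed, since an attacker with write access to the whole log could otherwise rebuild the chain; the structure above is what makes that anchoring meaningful.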

7. Do you use code from other developers?

Often it is time-consuming to create an app from the ground up. As a typical business practice, companies leverage open source components. Even though this may help developers meet deadlines, it remains a risky business because of security flaws embedded in such code, either deliberately or accidentally. Keep in mind that some hackers try to plant a backdoor in your product by creating malicious but innocuous-looking code that sits quietly in open source repositories in the hope that developers will pick it up and use it during app development. So third-party software, although convenient, may cause mayhem if its source is not verified.


Up to 97% of Java applications contain some sort of known vulnerability. This statistic is derived from a single code-level analysis, but it alone is enough to show how this practice creates a systematic risk. Open source components have an essential role in software production; however, companies need solutions that make this process safer.

Sandboxing is a favorite tool that will allow the development team to evaluate new code against the company's security policy.
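An added Python example (not from the article) of checks a team can apply before accepting third-party code, covering both the unverified-source risk and the known-vulnerability statistic above: each component's SHA-256 is compared against a hash pinned from a verified release, and its version is compared against advisory data. The component contents, pinned hashes and advisory entries are all constructed for the illustration.

```python
import hashlib
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


# Constructed known-good copy of a third-party component and the hash pinned from it.
# In a real build the pinned hashes come from the supplier's signed release or a lock file.
KNOWN_GOOD_HELPER = b"def helper(x):\n    return x + 1\n"
PINNED_HASHES: Dict[str, str] = {"helper-lib": sha256_hex(KNOWN_GOOD_HELPER)}

# Constructed advisory data: component -> first version in which a known flaw is fixed.
FIXED_IN: Dict[str, Version] = {"helper-lib": (1, 4, 0), "parser-lib": (2, 0, 1)}


def vet_component(name: str, version: str, content: bytes) -> List[str]:
    """Return the reasons a component must not be used; an empty list means it passed."""
    problems: List[str] = []
    pinned = PINNED_HASHES.get(name)
    if pinned is None:
        problems.append("no pinned hash: source not verified")
    elif sha256_hex(content) != pinned:
        problems.append("hash mismatch: content differs from the verified release")
    fixed_in = FIXED_IN.get(name)
    if fixed_in is not None and parse_version(version) < fixed_in:
        problems.append("known vulnerability: fixed in " + ".".join(map(str, fixed_in)))
    return problems


def vet_manifest(manifest: List[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """Vet every (name, version, content) entry; only components with no problems are accepted."""
    return {name: vet_component(name, version, content) for name, version, content in manifest}
```

Running such a check in the build pipeline, before the sandbox evaluation the article mentions, turns "is the source verified?" from a question asked of developers into a condition the build enforces.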

8. Do you conduct security testing?

Developers should never rush to release a software product before they have tested it properly; otherwise, they put their future customers at risk. Secure coding practices and the avoidance of anti-patterns could deflect many attack attempts, and static code analysis tools could identify security flaws.

The testing phase will be more successful if the product undergoes manual security testing as well as testing with third-party and proprietary tools. You need to know whether any third-party code integrated into your system has been tested and whether that third party provides security patches.


Third-party security assessments are becoming a mandatory requirement. Red teams are internal groups of experts who assume the role of malicious users and attack the company's product prior to release. Although this is a growing trend, only 20% of all IT companies use them to complement their security assessment. Do not forget about penetration testing.

People who browse through crash and debug logs during testing should not let untrusted parties see that information, since it gives an account of potential app vulnerabilities.
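An added Python example (not from the article) of keeping sensitive details out of crash and debug output in the first place: a `logging.Filter` that redacts card numbers, bearer tokens and e-mail addresses before any handler writes the record. The patterns, the `ListHandler` used to inspect the result offline and the `customer-app-redacted` logger name are assumptions of this example.

```python
import logging
import re
from typing import List

# Patterns for data that must not appear in crash or debug output. Constructed for this
# example; a real deployment would cover whatever PII and secrets the app handles.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(text: str) -> str:
    """Mask card numbers (keeping the last four digits), bearer tokens and e-mail addresses."""
    def mask_card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "[CARD ****" + digits[-4:] + "]"
    text = CARD_RE.sub(mask_card, text)
    text = BEARER_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites every record before any handler sees it, so file, console and crash
    reporters all receive the redacted text."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # interpolate args first, then mask
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected offline."""
    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self._sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self._sink.append(self.format(record))


def build_logger(sink: List[str]) -> logging.Logger:
    logger = logging.getLogger("customer-app-redacted")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addFilter(RedactingFilter())
    logger.addHandler(ListHandler(sink))
    return logger
```

Redaction at the logger is a safety net, not a substitute for not logging secrets; its value is that a debug line written in haste during testing does not become a data leak when the logs are shared.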

Unfortunately, almost no company has integrated security reviews into each phase of the software development lifecycle. Even companies like Microsoft have done so only for a small portion of their applications. Believe it or not, most software development teams do not regard security testing as their responsibility. The result – "The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software."

Conduct a True Security Audit

A stringent security audit usually requires a comprehensive review of these components: the software and plugins that encrypt sensitive information, algorithms, access and server logs, and LAN and WAN network topology. Moreover, relations with third parties and internal risks (such as disgruntled employees) are factors to be considered.

9. Do you release security updates?

Whether a zero-day vulnerability that may endanger your product becomes known or someone was negligent during the development phase, developers will need to release security updates regularly. The faster, the better, since hackers do not stay idle when they smell blood.

Most vendors do not offer fully tested patches, and those who do may not do so promptly. Different phases in the patch release process may take longer than expected; for example, Apple's approval of security updates can take as long as a week. In fact, most exploit kits succeed against targeted products and services because a patch for the exploited vulnerability is already available but has not yet been deployed. Besides, you must consider that users must accept and download the patch – an action that takes time as well.


Consequently, the development team must stay on top of new security updates and release patches for their products regularly, if they are to avoid catastrophic consequences.

10. Does your development team go through security training?

Less than 5% of companies' software development and testing teams are focused on security. It seems that they yield precedence to other software quality aspects – performance, reliability, functionality, accessibility, usability.

From a developer's point of view, security can be a hindrance that slows down rapid software development. Often, security considerations are addressed only at some later point in the development cycle. As a result, 85% of developers who participated in one survey stated that they had spent time remediating vulnerabilities, which in turn impaired their ability to deliver high-quality features and products on schedule and within budget.

Results clearly show that eLearning (6x) and remediation coaching (1.5x) are measures that have contributed to reducing flaw density among development teams. Organizations need to give developers educational opportunities to extend their skill set and teach them about different vulnerabilities and how to remediate them. In effect, because developers gain first-hand impressions and a better understanding of vulnerabilities and risks, it is remediation coaching that will most likely motivate them to fix a flaw. "For instance, a developer will be more incentivized to remediate a cross-site scripting (XSS) flaw when he understands the risk that it poses to the organization, product, and/or its user – especially if it could impact the delivery schedule."

***

Honorable Mentions

(albeit not precisely developer-related)

Who is the owner of customer data?

Seeing it through the prism of the Internet of Things, there is no simple answer to this question. Customers are always advised to glance through the contract or terms of services and determine for themselves what is written there on the matter of who owns the data. If they are not granted full ownership, they should prepare for instances of third party access to their data, to say the least.

Online platforms and apps sometimes "assume" de facto ownership. Take Facebook, for example. Its terms of service state that Facebook obtains a "non-exclusive, transferable, sub-licensable, royalty-free, worldwide license" to its users' photos. Users still retain some control through Facebook's privacy settings. It is precisely the developer's role to ensure that these privacy settings exist and work correctly, so that users can exercise control over their data.

Does the software comply with all laws and regulations?

Some software solutions must comply with specific laws, such as HIPAA, PCI DSS and FISMA, and/or standards (e.g., ISO/IEC 27001:2005). U.S. companies that offer their services or products to EU citizens should abide by the EU Data Protection Directive (the GDPR from 25 May 2017 onwards), and it is advisable to join the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks if they transfer personal data outside of the EU.

Particularly important from a developer's point of view, but more so in the EU and Canada than in the U.S., is the principle of Privacy by Design, according to which data protection controls, such as privacy enhancing technologies, should be embedded into products.


Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.