image from unsplash.com
In 2018, Facebook fell victim to a major security flaw found through its web application. By utilizing a flaw in the application’s “View As” feature, hackers were able to obtain authentication tokens for accounts, giving them access to any account they wanted.
Facebook patched this flaw shortly after.
Applications are difficult to make and even harder to secure. Yet, it’s vital that businesses create a secure application—not only for their users but for the business itself.
If your business is in the midst of creating a brand-new enterprise application for internal work, it’s important to secure it. But how? How does one go about securing an application that will be used by tens to hundreds to thousands of people?
First, you need to look at the application from a few different angles.
5 Security Angles to Consider
1. The Exposing of Data
Building an enterprise application from scratch requires tons of resources, time, and reorganization. After all, a business will be using the enterprise application for the long haul, and a lot of data will be moved during its development.
The security risks involved with managing and reorganizing all of that data, however, need attending to immediately. Transferring data to a new system(s) opens up the possibility of all that data being exposed to the public/to cybercriminals waiting for a slip-up.
One way to ensure the safety of the data during transfer is to make sure it stays encrypted. For example, connecting to a VPN server and transferring the data would add an entire, new layer of protection encrypting the data. This ensures the data stays out of the wrong hands.
2. The Triggering of False Alarms
The saying “it’s better to be safe than sorry,” carries weight in the tech industry. Developers and manufacturers put in safeguards after safeguard—failsafe after failsafe—in order to ensure the safety and security of users.
However, there is such a thing as being too careful, and many businesses fall victim to a sort-of paranoia when developing enterprise applications. See, proper application security etiquette demands frequent security scans. These scans help businesses catch any vulnerabilities that may lie in the application.
The problem with this is that many application scanners often come up with false positives, a danger that doesn’t actually exist within the application.
This doesn’t like a big problem at first—not until you realize that people get used to the sound of alarms quickly when it’s all we hear. AKA, false alarms will desensitize the business to the real alarms.
Avoiding this requires one of two things: a team of penetration testers that are able to verify the false alarms or a scanner that can verify its findings. I recommend the latter, as the resources required to have penetration testers test every false alarm would rack up quite quickly.
3. The Educating of Users
Those in the tech world—and probably you—live by the acronym PEBCAK. For those unaware of it, PEBCAK stands for “Problem Exists Between Chair and Keyboard,” highlighting that errors of all kinds only come to fruition through user error.
The same can be said for security issues. In fact, the infamous Equifax breach only happened because of a single employee not fixing a bug he/she knew about.
This is why it’s important for users of your enterprise application to be fully educated on cybersecurity and how to practice proper security etiquette; educating users will help prevent and user errors that would otherwise occur, reducing the chances of a major security breach.
4. The Storing of Passwords
Building an enterprise application likely means you’ll need to give login credentials to every user who will access it. This, in turn, means your application will need to be able to store password information, and this can be…frustrating.
There are many ways to store login credentials, but many of them fall flat and have significant weaknesses. You could encrypt each password, but if your business were to ever suffer a data breach, it’s likely the encryption key would also be exposed.
That’s not to say there aren’t secure methods of storing passwords. Plus, if you wanted to go even farther (which you should), you could add in required multi-factor authentication.
5. The Logging of Information
Application logs allow developers to adjust where adjustments are needed, see what tripped a security alarm, what went wrong with the application, and much more. Basically, application logs are vital to an application’s upkeep, so developers should plan for a long-term logging solution that will be guaranteed to work.
Fortunately, there are many ways to log data and store the logs. You can replicate the logs to a central server for easy access. Since you’re developing an enterprise application that will most likely supply multiple hosts, you’ll want to use software that allows you to transport large amounts of logs.
Brad Smith is a technology expert at TurnOnVPN, a non-profit promoting a safe and free internet for all. He writes about his dream for a free internet and unravels the horror behind big techs.