Digital security received a lot of media coverage recently. From the Target incident in 2013 to the San Bernardino iPhone controversy earlier this year, people are concerned about protecting their sensitive data and they want to know who has access to it. Some have called this “The Summer of the Hacker.” If you develop software for a living, then you play a critical role in protecting other people’s sensitive data. Whether you’re a coder or not, there has never been a better time to evaluate your own security practices and to brush up on the underlying technology.
start with the fundamentals
Those who know me will tell you I’m a pretty big sports fan. Great players and coaches at the highest level of sport are committed to the fundamentals – strong dribbling, crisp passing, driving through the tackle – they have mastered these things. As technologists, we don’t all need to be experts on cryptography and encryption algorithms – there are plenty of really smart people out there working on those things. We should, however, have a working knowledge of the fundamentals of encryption and data security, as well as the best practices that help keep bad actors away.
Have a working knowledge of SSH, TLS (and SSL, its deprecated predecessor, which you will still meet in older systems and in everyday speech) and public key cryptography – For most developers, 90% of what you do from a security perspective involves these technologies. Knowing how they work and what their strengths and weaknesses are is essential: what a certificate actually proves, why SSH host key checking matters, which TLS versions are still safe to accept. We should drill these things, just like dribbling around the cones at soccer practice. There are some great free resources available to help you get started, or to give yourself a refresher course.
Use strong, unique passwords – Self-explanatory, though “strong” matters more than “often”: a long random password from a password manager, never reused across systems and rotated immediately whenever you suspect it has been exposed, beats a short one dutifully changed every 90 days.
Never commit secrets to source control – If you feel the urge to do this, resist. The Internet is full of horror stories from developers who made this mistake and got hacked. There are better ways to manage access. For example, in the AWS world use IAM (Identity and Access Management) roles, which issue short-lived credentials scoped to only the resources you authorize – a great fit for DevOps automation. Secrets like production database passwords should be injected into the app at deployment time from a secure, access-controlled store (a dedicated secrets manager, or an encrypted S3 bucket that only the deployment role can read), never from source control. And if one does slip through, treat it as compromised and rotate it: deleting the commit does not recall the clones and forks that already have it.
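The cheapest place to catch this mistake is before the commit exists. As an added example (not code from the original article), here is a small pre-commit scanner in Python that checks the staged diff for well-known credential patterns and for strings whose randomness gives them away. The diff it scans is constructed for the demo, and the AWS key pair in it is the placeholder pair Amazon uses in its own documentation, not a live credential.

```python
"""Scan a staged diff for secrets before it is committed.

Added example, not code from the original article. The diff below is
constructed for the demo; the AWS key pair in it is the one Amazon
publishes in its documentation as a placeholder, not a live credential.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Well-known credential shapes. Each is a hint, not proof, so report and
# let a human decide; a false positive costs a minute, a leak costs a rotation.
PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase/digits
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header, any key type
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # password = "..." style assignments with at least 8 characters of value
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
}

# Long runs of base64/hex-looking characters are candidates for the entropy test.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Random base64 scores around 5.5-6 bits/char; identifiers and English sit well below 4.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return (diff_line_number, finding) for every added line that looks like it carries a secret."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Only added lines matter; '+++' is the file header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, pattern in PATTERNS.items():
            if pattern.search(body):
                findings.append((lineno, name))
        # Catch credentials with no recognisable prefix (API tokens, secret keys)
        # by their randomness. One report per line is enough.
        for token in TOKEN_RE.findall(body):
            if not token.isdigit() and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
                break
    return findings


# Constructed diff: a developer hard-coding credentials that used to come from the environment.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "correct-horse-battery-staple"
+LOG_LEVEL = "INFO"
+DEPLOY_ENVIRONMENT = "production-us-east-1"
"""


def main():
    """Pre-commit hook entry point: scan whatever is staged and block the commit on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for lineno, name in findings:
        print(f"possible secret ({name}) at diff line {lineno}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against `SAMPLE_DIFF`, the scanner reports the access key ID by its prefix, the secret access key by its entropy alone, and the database password by the assignment pattern even though a dictionary passphrase has too little entropy to trip the threshold; the log level and the long but predictable environment name pass. The two checks cover each other’s blind spots, which is why a scanner needs both. Wire `main()` up as `.git/hooks/pre-commit` (or through a hook manager) and a non-zero exit stops the commit.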
Use multi-factor authentication (MFA) – If the bad guys somehow get hold of your credentials, MFA stops them in their tracks. In addition to stealing your password, now they must also pilfer your smartphone or guess a second passphrase. Most hacks are crimes of opportunity, just like a smash-and-grab in a grocery store parking lot. If the perpetrator runs into something hard like MFA, they will probably move on to an easier target. MFA raises the bar rather than ending the game, though: SMS codes can be intercepted by hijacking the phone number, and one-time codes can be phished in real time, so prefer an authenticator app or a hardware key wherever the option exists.
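To make the second factor less of a black box, here is an added example (not from the original article) of how the six digits on an authenticator app are produced and checked, written in Python from RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret used is the one from the RFC 6238 test vectors so the output can be checked against the published values; a real system generates a random secret per user at enrolment and shares it once, typically as a QR code.

```python
"""TOTP second factor (RFC 6238): how the code on the phone is made and checked.

Added example, not code from the original article. RFC_SECRET is the
shared secret from the RFC 6238 test vectors, so the outputs can be
checked against the published values; a real deployment generates a
random per-user secret and shares it once, via a QR code, at enrolment.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # 20-byte test key from RFC 4226 / RFC 6238


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)  # keep leading zeros: it is a string, not an int


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, candidate, unix_time, last_counter=-1, window=1, step=30, digits=6):
    """Server-side check. Returns the counter that matched, or None.

    Tries the current step and `window` steps either side to absorb clock skew,
    compares in constant time so timing does not leak which digits were right,
    and refuses any counter at or before `last_counter` (the last one this user
    redeemed) so a code captured over someone's shoulder cannot be replayed.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits).encode(), candidate.encode()):
            return c
    return None


if __name__ == "__main__":
    # Mimic the phone: print the code for right now, then show the server accepting it once.
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("first use accepted at counter", verify_totp(RFC_SECRET, code, now))
    print("replay rejected:", verify_totp(RFC_SECRET, code, now, last_counter=int(now) // 30))
```

Two details are what separate a working verifier from a textbook one: the skew window, without which users with a slow phone clock are locked out, and the `last_counter` guard, without which an attacker who sees a code has thirty seconds (or more, with the window) to reuse it. The secret itself is the crown jewel; it must be stored encrypted, because anyone holding it can mint codes forever.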
build securely from the beginning
When starting a new software project, many people simply grant full access to all resources with the intention of locking things down later. I have been guilty of this, and learned the hard way that this is the wrong way of thinking. Early development is one of your most vulnerable times from a security perspective – you’re onboarding new people, experimenting with new approaches, setting up tooling for development, build and deployment. Things will go wrong. A developer with root access blows away your only database server, and, oops, the nightly backups aren’t working just yet.
Instead, start with no access and build up policies from there: deny by default, then grant each role exactly the actions it needs on exactly the resources it touches. Many will argue that this approach slows development velocity, but having your PaaS account hacked is a velocity killer too. A competent engineer can create reasonable access policies, giving you a lot of protection, in a day or two. Plan for this critical activity up front and treat it like any other high-priority feature or user story, and revisit the policies as the system grows, because permissions accrete and a policy that was least-privilege in week one rarely stays that way.
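What “full access now, lock it down later” and “start with nothing” look like side by side, as an added example in Python that is not the article’s code: a linter that flags the wide-open statements in an IAM policy document, and a simplified evaluator to confirm that the scoped policy permits exactly what the application needs and nothing else. Both policies, the bucket name, the log group and the account ID (111122223333, AWS’s documentation placeholder) are constructed for the demo.

```python
"""Lint an IAM policy for 'allow everything, lock it down later' and check what it really grants.

Added example, not code from the original article. WIDE_OPEN is the starting
point the article warns against; SCOPED is the deny-by-default alternative.
Policies, bucket, log group and account ID (111122223333, AWS's documentation
placeholder) are all constructed for this demo.
"""
import fnmatch
import json

WIDE_OPEN = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-config/prod/*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/example-app:*"}
  ]
}
""")


def _as_list(value):
    """IAM lets single values appear bare or in a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, reason) for each Allow statement broader than least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((i, "allows every action"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "allows every action of a service"))
        if "*" in resources:
            findings.append((i, "applies to every resource"))
        if any(a.lower().startswith("iam:") for a in actions) and "Condition" not in stmt:
            findings.append((i, "grants IAM permissions with no Condition"))
    return findings


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny, an explicit Deny beats any Allow.

    Handles the * and ? wildcards via fnmatch (ARNs do not use [ ], so the extra
    fnmatch syntax is harmless). Conditions, NotAction/NotResource and policies
    attached to the resource itself are ignored, so treat this as a unit test of
    the document, not as a replacement for the IAM policy simulator.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("WIDE_OPEN", WIDE_OPEN), ("SCOPED", SCOPED)):
        print(name, lint_policy(policy) or "no findings")
    print("scoped role can read prod config:",
          is_allowed(SCOPED, "s3:GetObject", "arn:aws:s3:::example-app-config/prod/db.json"))
    print("scoped role can drop the database:",
          is_allowed(SCOPED, "rds:DeleteDBInstance", "arn:aws:rds:us-east-1:111122223333:db:prod"))
```

Keeping policy documents in version control and running `lint_policy` plus a handful of `is_allowed` assertions in CI turns “did we lock it down yet?” into a test that fails the build, which is what treating access control like any other user story means in practice.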
encrypt all the things
Encrypting data used to place a heavy burden on system resources, and architects had to make hard tradeoffs between security and performance. Not so much any more. Computing power is cheap and elastic, hardware support such as AES-NI makes symmetric encryption close to free, and performance has improved to the point where Netflix is now encrypting its video streams.
Protect data in motion – Data traveling on the network should always be encrypted to prevent man-in-the-middle attacks from both inside and outside your organization. This is a must in public and private clouds as well as inside your data center. Network hop between web servers and app servers? Encrypt. Microservices talking to each other remotely? Encrypt. And authenticate the other end while you are at it: TLS with certificate verification switched off stops passive sniffing but not an active man-in-the-middle, who simply presents their own certificate. For internal systems, consider rotating your certificates and key pairs regularly as part of DevOps automation, so a leaked key has a short shelf life and rotation is a routine rather than an emergency.
Protect data at rest – We used to store data in places that were centrally managed and controlled like monolithic databases and file systems in private data centers. Today’s application data lives in the cloud, in Dropboxes, on smartphones and in web browsers. Protecting sensitive data in the wild is essential. In the age of cloud computing and open APIs we must also redefine “sensitive data.” It is no longer good enough to only protect personally identifiable information like name and SSN. Seemingly benign data like a surrogate key can expose sensitive data in unintended ways: a sequential record ID in a URL lets anyone enumerate your records, and if the public API behind it checks only that the caller is logged in, not that the caller owns that record, every customer’s data is one counter loop away. Check authorization per object, and prefer unguessable identifiers where a key has to be exposed at all.
Whether your app lives in the cloud or in a private data center, security must be a first-class citizen. Make the investment up front and avoid becoming the next Target.
About: John Jacobs is a Principal Architect at Credera. He doesn’t code encryption algorithms, but he will build you a beautiful, secure app. Read more about Credera’s perspective here or visit our company page on LinkedIn.