You have a great app idea, you pick the approach, the tech stack, and get going with designing and building your dream. You power through prototypes, alpha and beta releases and finally have a MVP in your hands. In today’s world, most apps are hyper-connected to third party services. Whether its for the purposes of tracking progress, keeping history or even simple integrations like social logins, you are undoubtedly going to collect user information. We are going to explore simple steps to ensure your app and your user’s information is protected.
One of the most important things to do is to be absolutely transparent with your users as to what information you are collecting and storing. Also just as important is letting them now what these pieces of information are being used for, and how long you are keeping it. This is often overlooked, but it will avoid legal and reputational headaches down the road.
Collect and Store Nothing
Well maybe that is a bit impossible noways, however collect and store as little as possible to allow your app or service to perform its function. This means you have less to protect, and possible breaches will be less damaging to your users. Some services tend to collect pieces of information it will never use, for example, if you have no need to know your user’s mailing or billing address, simply don’t collect it. Always look to get the job done with the minimum amount of personal information possible. Its simpler and easier to protect a few pieces of personal information than a huge pile of it. However everything sensitive should always be encrypted at rest as well as in transit. Look to services like Azure Key Vault to keep your secrets safe and secure!
Frameworks and Libraries
Nobody expects you to build all of your app’s functionality from scratch. There are thousands of frameworks and libraries out there which can help make your life a whole lot easier, however make sure you check whatever you intend to use for open vulnerabilities, past security incidents and usage. Large and widely adopted open source libraries are often your best bet. They are widely used are often already under a great deal of scrutiny from its development community and adopters alike.
Architecture and Integrations
Micro-services and APIs are the way to go for modern web and most any kind of application. However be mindful of how you are interacting with these services. As you build your own services and APIs make sure to implement industry standard authentication and authorization patterns. Always transact over an encrypted connection and encrypt your payload whenever possible. You might be tempted to make quick third party API calls form your client side, however opt for server side interactions whenever possible. By brokering these interaction through your own service you have less things to secure and give possible attackers less insight into what is going on thus limiting their visibility and attack vectors.
Limit Access and Keep your Infrastructure Simple
Think of your network and infrastructure as a building. The smaller its footprint, the least amount of doors and windows it has, the easiest it is to protect. The second thing to keep in mind is be careful how many people ( or in this case services ) have keys to the few doors or windows you’ve built. As cliche as it sounds, your security is as strong as its weakest link, so operate on the concept of zero trust and work your way from there. This is a very expansive topic that can take a life of its own, we might explore it together later on a another article, however for now you can check out this article from Microsoft on the subject.
There are two things you should never overlook. Those are code quality/static code analysis and dynamic code analysis also known as penetration testing. As much as you stick to best practices and community suggestions, we are all human after all which means we can unknowingly introduce vulnerabilities into our code. There are a ton of free libraries and services out there which can help with code quality and ensure you are writing efficient and safe code. I personally swear by SonarLint but there are many other alternatives out there. For dynamic code analysis or penetration testing free options are less abundant however not completely nonexistent. This second security measure is often performed by firms which employ white hat hackers complementing security scanning software to try and compromise your systems and data.
Keeping your systems secure is an endless affair. You should periodically review your code and third party libraries for vulnerabilities and keep improving its security. Attackers are constantly evolving and finding new ways to attack systems and applications, you should do the same. If you find it first, you get to fix it without much fuss, however if someone finds it for you, well that could be a problem depending on who that someone is. Its easy to be discouraged while researching topics of application security, you can never have a perfectly secure system, but by following suggestions like the ones presented in this article, as well as industry standards, you should be OK!