How to develop your app using secure by design principles //09.09.20
The modern consumer is more demanding than ever before. They’re better informed. They’re used to instant gratification. And they expect to be able to react to personalised ads and buy things in the moment.
In one sense, this evolution has led to a culture of innovation for app development, encouraging developers to experiment with creative features. But it’s also led to a dangerous misconception: that on the road to innovation, cybersecurity will slow you down and lead to disappointment for your end user.
But that’s simply not true. Because while the modern consumer does expect innovation, they also tend to buy from businesses they trust. And the fastest way for a company to wave goodbye to its customers’ trust is to skimp on security and suffer a data breach.
Most forward-thinking businesses now realise that for too long the scales have tipped towards speed rather than security. To redress this balance, they’ve started to embrace security by design principles. This involves a shift in mindset, away from thinking about security reactively and towards thinking about it proactively. Rather than deciding to protect your app a week before its launch, you treat security as a constant factor throughout development.
Developing an app that’s secure by design also requires businesses to become more inclusive and collaborative, as responsibility for security has to be shared across the company. Rather than being a job for the head of security alone, product managers, designers, developers and QA engineers (among others) should work with cybersecurity in mind. This is important because vulnerabilities can creep into the code at different parts of the development journey.
Embracing security by design in practice
Designing and developing your app using secure by design principles doesn’t guarantee that hackers won’t attempt an attack. But it will give you the best odds of successfully countering one.
In practice, you should think about the security implications of each feature you’re adding and put yourself in the hacker’s shoes. Could the feature become an attack vector for a bad actor? And how much skill, access and effort would an attacker need to succeed?
You should also think about the landscape beyond the app itself. Yes, you need to protect the sensitive code, user data and cryptographic key material within the app. But you also need to consider communication with the server and server-side security. After all, bad actors can hijack sessions with a server. They can make rogue transactions. They can even send forged data to the server that is later served back to clients, compromising them.
And what about the environments that your app will be used in? Your end user could be using a jailbroken device, or a device running an outdated operating system with known, unpatched vulnerabilities. They might be connecting over an untrusted or poorly secured Wi-Fi network. Or they could already have malware installed on their device.
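The two paragraphs above share one practical consequence: nothing the app sends, and nothing that arrives over the network, can be trusted by the server. The following purchase endpoint is an added example (not Licel’s code; the catalogue, balances, handler names and token format are assumptions made for illustration). It takes the buyer’s identity from an HMAC-authenticated, expiring session token rather than from a client-supplied user field, takes the price from a server-side catalogue rather than from the request, and rejects replayed requests, which is what an attacker on a hostile Wi-Fi network would try with a captured message. The `purchase_insecure` handler shows the "trust the client" version for comparison.

```python
"""Server-side purchase handling that treats the client as untrusted.

Added example, not code from the original article. The catalogue, the
in-memory balances and the token format are constructed for illustration.
Only the Python standard library is used.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed server-side price list (prices in cents). The server, not the
# app, is the source of truth for what an item costs.
CATALOGUE = {"coffee": 350, "book": 1299}
SESSION_TTL = 600  # seconds a session token stays valid (assumption)


@dataclass
class Server:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    balances: dict = field(default_factory=dict)   # user -> balance in cents
    ledger: list = field(default_factory=list)     # (user, item, price) records
    seen_nonces: set = field(default_factory=set)  # request ids already processed

    def issue_session(self, user, now=None):
        """Return a token bound to `user` and an expiry, authenticated with HMAC."""
        now = int(now if now is not None else time.time())
        payload = f"{user}:{now + SESSION_TTL}"
        tag = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{tag}"

    def verify_session(self, token, now=None):
        """Return the user the token was issued to, or None if forged or expired."""
        now = now if now is not None else time.time()
        try:
            user, expiry, tag = token.split(":")
        except ValueError:           # wrong number of fields
            return None
        payload = f"{user}:{expiry}"
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        if now >= int(expiry):
            return None
        return user

    def purchase_insecure(self, request):
        """The 'before': user, item and price all come from the client."""
        user = request["user"]
        self.balances[user] = self.balances.get(user, 0) - request["price"]
        self.ledger.append((user, request["item"], request["price"]))
        return True

    def purchase(self, token, item, nonce, now=None):
        """Hardened: identity from the session, price from the catalogue, replays blocked."""
        user = self.verify_session(token, now)
        if user is None or item not in CATALOGUE:
            return False
        if nonce in self.seen_nonces:   # the same request arriving twice is a replay
            return False
        price = CATALOGUE[item]
        if self.balances.get(user, 0) < price:
            return False
        self.seen_nonces.add(nonce)
        self.balances[user] -= price
        self.ledger.append((user, item, price))
        return True


if __name__ == "__main__":
    server = Server(balances={"alice": 2000, "bob": 500})
    # A rogue transaction against the insecure handler: any user, any price.
    server.purchase_insecure({"user": "bob", "item": "book", "price": 1})
    # The hardened handler ignores everything the client asserts about itself.
    token = server.issue_session("alice")
    print(server.purchase(token, "book", "req-1"))                 # True
    print(server.purchase(token, "book", "req-1"))                 # False, replay
    print(server.purchase(token.replace("alice", "bob"), "coffee", "req-2"))  # False, tampered
```

In a real deployment the token would travel only over TLS, the nonce set would be bounded (for example by keeping it per session and expiring it with the session), and the session secret would be managed outside the process. The point the example makes is structural: the only client-supplied inputs the hardened handler acts on are an authenticated token, an item name it validates against its own catalogue, and a request id it uses to detect duplicates.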
The beauty of security by design is that it forces you to ask questions you might otherwise have ignored. And by answering them, you create a safer app for your end users.
Futureproof your business with security at the heart
Taking a secure by design approach matters now more than ever. COVID-19 has led to a huge spike in the number of cyber attacks. At one stage, Google was detecting 18 million malware and phishing emails per day related to the pandemic. It’s a reminder that hackers look to profit from wider societal issues and anxiety. They know that people are more trusting during a crisis and therefore more likely to open phishing emails or download fake apps.
At the same time, we’re heading toward a world where 5G ushers in millions of new smart devices and associated apps. In this new world, security by design looks set to be even more important. As users delegate more everyday tasks to apps, they’ll expect their data to be safe.
All app creators have a responsibility to do everything they can to make life harder for hackers. And the best way to do that is to consider how to block their attempts at the very start of the development journey.
The old way of thinking about app security won’t succeed anymore. Only businesses that realise there’s room for security on the road to innovation will thrive.
Licel works with businesses around the world to provide powerful in-app protection and real-time threat tracking. You can find out more about them here.