Cybersecurity is essential for every organization, not only for enterprises but also for SMBs and startups. Cybersecurity threats loom around businesses to take advantage of them. This is why security by design is crucial for organizations as it could reduce the overall security cost by 70% compared to adding a security strategy at a later stage.
“Cybercrime is the greatest threat to every company in the world.”
Ginni Rometty, IBM’s former Chairman, President, and CEO
Many businesses still do not have security as a priority. It is especially common to see small technology startups in the seed or series-A stage that have not implemented security into their software products. However, the lack of enough security measures may bring problems sooner or later. Moreover, it is more costly to implement security after a software product is fully built than by integrating security during the product design process.
Recently, we have seen a trend of companies focusing on specific security compliance frameworks such as ISO270001 or HIPPA. While being compliant is important, it is equally crucial to consider practical security measures to prevent potential breaches. This doesn’t necessarily mean that organizations must have a big security budget. In this post, we will discuss 10 cost-effective security tips that businesses can easily implement.
- Access Control: It is important to consider strengthening access control for software engineers. For example, key management for cloud resources and IAM (Identity Access Management) settings on AWS would help to control who can access and make changes to the software code. One of the common mistakes from a lack of access control is that an engineer accidentally includes the key file on a GitHub repository.
- Code Validation: Coding is a lot of work so security validation on coding may seem overwhelming. However, there are many open-source tools businesses can utilize. OWASP has a list of recommended source code analytics tools. If the software product has already gone live and it is difficult to run open-source tools, we recommend doing a penetration test that can assess the security status without interrupting the ongoing business.
- Up-To-Date Servers: Once servers are installed, they often do not get updated. However, using the latest versions of the server’s operating system software is important as the new versions often have security patches. So the server OS should always be up to date. If organizations employ containers, such as Docker and Kubernetes, version updates are even more important. (Warning: If you don’t push Docker updates, it will revert back to the initial state. A colleague experienced his Docker going back to the original version after patching and rebooting because he forgot to push.)
- Verified Open-Source Tools/SDKs: Even if every possible security measure is in place, attackers can still penetrate via open-source libraries or SDKs’ vulnerabilities. It is costly and time-consuming to change or replace them after they are installed. So it is recommended to verify the security status of open-source tools and SDKs before employing them in your systems.
- Integrations and Access Validation: There are many API and other integration options available for developers. However, convenient integrations can also come with security problems that software engineers may not be aware of. For example, some unvalidated Slack integrations can leak confidential information. To avoid any possible breaches through integrations, organizations must validate the security status and control the access of integrations.
- MFA (Multi-Factor Authentication): We often hear news about compromised business accounts due to weak security measures. Using MFA can prevent over 99% of such account compromise attacks. Organizations tend to shy away from MFA because it creates a rather inconvenient user experience. However, adding inconvenient security measures also creates obstacles for attackers.
- Traditional Code Languages: There are many new programming languages in the market, such as Kotlin, Crystal, and Rust. Here at SEWORKS we also like experimenting with new programming languages and test them frequently. However, these new languages have a higher likelihood of having unknown vulnerabilities. Traditional coding languages such as Java, PHP, Python, C++, and C# have known vulnerabilities that have already been reported and patched. For these reasons, we recommend sticking with traditional programming languages when security resources are not widely available internally to verify the security of new languages.
- Firewalls: Many organizations are under the false belief that firewalls will prevent every possible web attack. However, attackers are smart and know how to evade firewall defenses. Furthermore, web firewalls sometimes provide a means for attackers to gain access into the corporate network. Instead of solely relying on firewalls, organizations need to have a dynamic system in place that can properly react to various attacks.
- Bug Bounty Programs: Bug bounty programs are useful to discover security vulnerabilities and weaknesses in the system. It entails hiring bug bounty hunters (ethical hackers) and paying them by the number of vulnerabilities they find. HackerOne and BugCrowd are some of the well-known bug bounty platforms. Some companies including Google and Facebook organize their own open bug bounty programs where they invite anyone to participate in and submit the findings. One thing to keep in mind is that using bug bounty programs will not solve every security problem. There is also a risk that some unethical hackers would find critical vulnerabilities and sell them at an underground marketplace or even threaten the host organization.
- Consistent Monitoring: The most important factor in security is consistent monitoring. After putting appropriate security defenses in place, organizations should constantly monitor the security status of their systems. Cybersecurity is not a one-time effort, but an ongoing activity. Please remember that it takes only one successful attack for attackers to compromise your system.