Misunderstandings and Obstacles
In this blog post, we are going to discuss security as it applies to building safe websites, web apps, and mobile apps, because a breach of such an application has huge negative effects: loss of customer trust, financial losses, exposure of user information, and so on.
Now, if you do a quick Google search on how to secure your website or application, you’re going to get a lot of garbage. I was disappointed by the click-bait articles that did not explain or provide any useful information. Most of them advise you to keep backups, use strong passwords, and make sure HTTPS is used. But backups do not protect your website; they only make recovery possible after a breach. And HTTPS encrypts traffic in transit, but it does not actually protect your website either.
The only useful tip was to use strong passwords, but most hackers are not going to sit down and try to guess the password as you see in Hollywood movies. They’re going to rely on vulnerabilities and weaknesses within your application and exploit them to gain access, regardless of what password you use, even if it’s very complex, and even if you’re using HTTPS and have backups. A lot of this is irrelevant.
Also, it doesn’t matter where you host the application, whether you’re using AWS or any other cloud provider, and it doesn’t matter how you deploy it, whether with Kubernetes or Docker. None of that secures the application on its own. Securing a website means protecting the web application itself from breaches, so let us talk about how websites and applications can actually be secured.
The Search for Improved Security
The first point to understand before we get to the core of the matter is that 100 percent security is unrealistic. We are simply doing what we can to improve application security so that applications are more secure. With that said, the following four approaches will help you improve the security of your applications, regardless of their type, regardless of where they are hosted, whether on Amazon or elsewhere, and regardless of how you deploy them, whether using Docker or anything else.
1. Writing Secure Code
The first thing you should do is make sure you are writing secure code, so that your application is built from the ground up to be secure and does not introduce bugs or vulnerabilities that hackers can exploit to gain access. This would be great if you could do it, but it’s easier said than done: developers need to be educated in the methods hackers use to exploit systems and gain access. And even if you do that, developers often rely on third-party libraries, and the whole application might be written by someone else. In that case you simply cannot write secure code yourself, because you’re not the author of that code, which brings me to the second point.
2. Code Review
Review the code. This is actually really good: even if you wrote the application yourself and made sure you wrote secure code, it’s a good idea to get that code reviewed by other developers or another team, so that anything the original developers missed or overlooked is caught at the review stage. And if you are using code written by other developers or third-party libraries, a code review addresses that problem too, because you can review everything.
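As an added illustration of the kind of defect the two points above are about (this is example code written for this post, not code from the original author), here is a small Python snippet: a user lookup that pastes caller-supplied input straight into an SQL string, beside the parameterized version a reviewer would ask for. The table, the sample rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    # Untrusted input is spliced into the SQL text. Any quote character in
    # `name` changes the structure of the statement: an ordinary name with an
    # apostrophe already breaks the query, and crafted input could rewrite it.
    # This is the line a code review should flag.
    query = "SELECT email FROM users WHERE name = '%s'" % name
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def find_email_safe(conn, name):
    # Parameter binding: the driver passes the value separately from the SQL
    # text, so whatever `name` contains, the statement does the same thing.
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run both versions on the same input and return what each one produced."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        # The unsafe version fails on legitimate input containing a quote.
        unsafe = "error: %s" % exc.__class__.__name__
    safe = find_email_safe(conn, name)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for n in ("alice", "o'brien"):
        print(n, compare(n))
```

The point for a reviewer is that both functions look correct on the happy path ("alice"); the difference only shows on input the author did not think about, which is exactly why a second pair of eyes is worth it.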
3. Penetration Testing (Pen Test)
The third approach, which is very essential in my opinion, is getting a pen test done. In a pen test, you hire a team of ethical hackers to try to hack your application. These ethical hackers will approach your application the same way that black hat hackers do. They’re going to try to gather as much information as possible, discover all the weaknesses and vulnerabilities, and see if they can exploit them to gain access. In the end, when they’re done, they’re going to give you a detailed report of everything they found, so you can pass it to your developers and patch the vulnerabilities they discovered.
The main advantage of this method is that you can test attack surfaces that you cannot test with other methods, such as the servers that are running your web application and the weakest link, which is the employees. So the ethical hackers can even use social engineering and chain it with other simpler attacks or simpler vulnerabilities that they might find on your system to see if they can use them to gain access. The disadvantages here are that it could be a little bit expensive and it’s not future-proof. What I mean is that if you get your application tested today by really good ethical hackers and then make sure you patch every single vulnerability they find, this only means that your web application is secure today. It doesn’t guarantee that it’ll remain secure for the next month or next year, because every single change you make, every feature you push, or even every display bug you fix might introduce other bugs or security weaknesses that can then be used to hack into your application. Likewise, if you’re updating third-party software or plugins, all of that could introduce vulnerabilities. A pen test will not be able to catch that, because you’re only doing the pen test today, and these future changes are not going to be tested.
4. Bug Bounty Programs
The fourth approach, which can actually address this issue, is having a bug bounty program. A bug bounty program is basically an invitation to all ethical hackers around the world to test your application and submit their findings, and you only pay for valid bugs or valid reports. The main advantages here, as you have probably guessed by now, are that you’re getting your application tested by a large number of hackers, so the chances of them finding vulnerabilities are higher, and that it’s actually future-proof, because as long as you have that bug bounty listing live, these hackers will continue to test your application. You motivate them with bounties, which could be anything from a T-shirt to actual monetary awards, to make sure that they keep testing your application. So even if you’re pushing new changes, new features, or updating stuff, it doesn’t really matter, because hackers will continue to test your application, hoping to find bugs and get bounties for their findings.
Challenges and Considerations
That’s why large companies like Facebook and Google use these bug bounty programs, even though they follow all of the other approaches. They still use this to make sure that their systems are always as secure and as free of bugs as possible. The disadvantages here are, first, that it’s hard to guarantee that all attack surfaces are covered, and second, that a lot of companies don’t have the reach that Google and Facebook have, so they can’t advertise their bug bounties as well as the big companies do and can’t get a lot of ethical hackers to test their website. It is also challenging for them to run these bug bounty programs and validate the submitted reports.
Don’t be confused by the four approaches we just mentioned: in our opinion, ideally you would want to follow all four if you can, but that can be pretty expensive. That’s why a lot of companies don’t, and compromise by only going with three and four, so they’ll only do a pen test and have a bug bounty program. Other companies compromise even more and pick just one of the two, either a bug bounty program or a pen test. In our opinion, a pen test is not a replacement for a bug bounty program, and vice versa.
I would recommend you do both of them because, like I said, each one has its advantages and disadvantages. But if you really can’t do both, then at least do one of them as the bare minimum. As a website owner or an app owner, you are responsible for the user data that the users are trusting you with, and therefore you need to do at least the bare minimum to make sure that their data is handled safely and securely.