Information Security : Every year, the damage to Russian companies from cybercriminals amounts to 116 billion rubles. And these are the only cases that are made public. Most often, companies try to hide that their systems have been hacked, and data stolen. Indeed, in addition to one-time financial losses, successful attacks ultimately lead to a decline in reputation and quotes.

Creating an information security system will require major financial investments from large companies and corporations: from expensive software to pentest and Bug Bounty programs. A start-up business cannot afford such expenses, and start-ups completely ignore safety in order to get to the market as quickly as possible. The balance of the cost of a software product and its security is not difficult to observe, if you follow simple recommendations. Below are tips on how not to burn through building walls and avoid banal mistakes.

Proven solutions

A good project is written safely from the first line of code. To argue about which programming language is the least vulnerable, we will not, as each project has its own way of choosing a design tool and unique specifics. General recommendation – use proven solutions . If an error is found at a low level of a programming language, it jeopardizes the entire project. Despite the fact that advanced technologies accelerate development and make it more convenient, they can cause problems with reliability and security. A small lag for a business is not critical, but it’s also not worth lagging too much. Use languages ​​and solutions that are dynamically developing and come out of testing. Such an approach will increase the stability of your development, and you will not have to change the platform due to the critical shortcomings of a language, database or other component.

User data protection

The identification and authentication subsystem is one of the most important components, as it provides access to user data. You cannot design a product so that authentication can be skipped in a critical place or parameters may be substituted. Even if you are working on an application for searching and creating music, it will be unpleasant when an attacker can log in as a user, learn about his preferences, and even more so steal his composed compositions.

Careful attitude to the data and verification of their correctness is the key to peace of mind and customer confidence. All modern applications have domestic currency or other ways to monetize. And for banking products, security is certainly one of the main evaluation criteria. A simple, forgotten check for a mark in the process of transferring the amount from one user to another can lead to disastrous consequences. A negative sign in the data sent will lead to a reverse operation: the funds from the beneficiary’s account will go to the sender of the payment.

In the modern world, attackers hunt not only for money, but also for personal data of users. Their disclosure is often more painful than the financial losses in the account. One recent example: hackers broke into Quora.com service and got access to logins, email addresses and passwords of one hundred million users. According to cybercriminals, the vulnerability is likely to be hidden in an insufficiently reliable system for encrypting user passwords. The company did not suffer direct financial losses, but lost the trust of users.

Testing

Beginner software developers always save time on testing , and sometimes even make code modifications directly to a working version of the service. In addition to errors within the code, which will certainly be, there may be problems with logic. Therefore, before starting the project, it is necessary to test it! Logic errors are not obvious and difficult to predict. It also happens that due to a minor programmer flaw when accessing a single file, the user opens the entire contents of the folder. In the automatic mode, such an error is difficult to find, because the functionality does not violate it, but the security adds a lot of problems.

Analytics – all head

Be sure to configure and constantly maintain the logging system in working condition. This is the only way to allow collecting data about users: how they accessed, why, with what frequency, what type of requests they sent. The more data you will keep in your analytical system, the more likely you will be able to calculate the attacker when you try to hack. Or, if the attack succeeds, you can figure out which vector was hit. If you are aware of your vulnerabilities, then you can eliminate them.

Backup

Do not forget about regular backups . After all, attackers may not hack the project, and use it as a platform for spreading viruses: change some data on the website or inside the application. Initially, the programmed system will continue to send infected content and, possibly, to devour itself. Search for causes of failure in this case can be very long. Much faster and safer will roll back to the safe state of the code.

Only after setting up the logging and backup systems, you can issue a “to users” service. In addition, monitoring systems (IDS / IPS) will help you protect yourself from the consequences of the negligent work of information system administrators, as well as help in product tests for errors.

Security and Encryption

Use user data encryption where appropriate. The user’s password, his personal payment information, as well as confidential correspondence must be stored in encrypted form. But here you should not encrypt the loaded public data, as their decryption is wasting resources and does not bring benefits.

One last thing: do not try to create a completely invulnerable code, since, in our opinion, there are no 100% secure projects. Extreme situations or resourceful attackers unbalance even systems that initially seemed ideal. Drawing an analogy with banking applications, we can say that the task of an IT security specialist is to make the cost of an attack many times greater than the profit that can theoretically be obtained from hacking.

Please Leave comments and suggestions in the section below.