
Developing with security in mind... Security in transit

MIKE PARKER CISSP MCTS MCSA, HEAD OF TECHNICAL DEVELOPMENT

The landscape for development is changing, fast. With new buzzwords such as DevOps, there is more and more a developer needs to understand that would traditionally have been out of scope. The developer has many languages, techniques and platforms to master, so security can often be overlooked.

Over the next few weeks I am going to cover a number of important areas that you, as a developer, need to be aware of.

Security in transit

LightMedia Development works heavily on integrating legacy systems, and these often have little to no security when communicating with one another. When these systems were originally developed, the thought of someone conducting a Man-in-the-Middle (MitM) attack across the local network was not even considered a real risk, never mind across the internet. But we live in an age where communications security is becoming more and more important, especially for companies who wish to receive or maintain their PCI DSS compliance.

Ensuring your data is secure when moving across the network is vital to any system that has to maintain confidentiality of that data, ensure the integrity of transactions, and support the business goals so that users have good availability to do their work – which is pretty much every business system we have ever had to work with.

Desktop to web application

So, let’s cover some basics. You have a legacy system with a desktop application, and its database also sits on the desktop computer. This system has worked OK(ish) for many years, but it’s time to get it online; after all, who buys desktop applications anymore? You don’t have the time or budget for a full rewrite of the system, and you just want a “phase one” approach of getting it into a browser so your potential and current customers see you as ‘keeping up’ with the industry.

You find a development house, such as LightMedia Development, to take on the task of building a new web application for the desktop system to allow web service communications to take place. You now have a great looking, feature rich, responsive web application which communicates with your legacy desktop application over the internet. Your customers see a new web application that they can use from their desktop or mobile devices, not the old ‘out of date’ desktop application that remains ‘under the hood’.

End-to-end security, End-to-end Encryption

To keep the communications secure we use end-to-end security. This approach is important as it ensures the data has maintained its integrity and privacy from the moment it left one device to the moment it arrives at the destination device. As mentioned, you would not want a bank system that allowed transactions to be altered as they transfer over the network, would you? Would you buy or use a system where you cannot trust these transactions?

The web application will use the latest cryptography methods to encrypt and authenticate the traffic between the web application and the legacy desktop application. All communications will be conducted over TLS, and if you need to keep within PCI DSS compliance we can work with you to ensure this is technically enforced so that older, less secure protocols such as SSL cannot be used, while advising you on the compatibility and compliance impact of those decisions.
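What "technically enforced" looks like in code is worth seeing concretely. The following is an added example written for this article, not LightMedia's own code: it builds a Python TLS client context that verifies the server certificate and hostname and refuses anything below TLS 1.2, and beside it a constructed "legacy style" context with the settings that integrations of this age often ship with (no verification, any protocol version). An audit function then reports which of those weak settings a given context still has, so the same check can be run over contexts found in existing code. It assumes CPython 3.7 or later (for `ssl.TLSVersion`) and uses only the standard library.

```python
"""Hardened TLS client context next to a legacy-style one, plus an audit
that flags the weak settings.  Added example; assumes CPython >= 3.7."""
import ssl
from typing import List

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Substrings in an OpenSSL cipher name that indicate a cipher to refuse.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def make_hardened_client_context() -> ssl.SSLContext:
    """Client context with CA verification, hostname check and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_VERSION    # SSLv3, TLS 1.0 and TLS 1.1 refused
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression stays off
    return ctx


def make_legacy_style_context() -> ssl.SSLContext:
    """Constructed 'before' context mirroring common legacy integration code:
    no certificate or hostname verification and no protocol floor.
    For comparison only; never use this for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    context meets the policy enforced by make_hardened_client_context()."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < MIN_VERSION:
        findings.append("protocol floor below TLS 1.2 (SSL/early TLS accepted)")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression enabled")
    # get_ciphers() lists what this context would offer; flag weak ones.
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher.get("strength_bits", 0) < 128 or any(
            marker in name for marker in WEAK_CIPHER_MARKERS
        ):
            findings.append(f"weak cipher offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", make_hardened_client_context()),
                       ("legacy-style", make_legacy_style_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

The hardened context is what you would pass to `ssl.SSLContext.wrap_socket()` or to an HTTP client when calling the legacy system's endpoint; the audit is the check to run in a unit test so that a later "quick fix" that disables verification to get past a certificate error cannot land silently.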

We can help advise on questions such as:

  • Why might AES256 be better than AES128, or even DES?
  • Why is a 4096-bit public key probably not worth the overhead for most clients?
  • Why is key management actually a bigger issue than which algorithm to use?
  • What impact does a newer cipher suite have on older browsers?
  • Where do I get a good balance of security vs usability and convenience in regard to SSL/TLS and PKI?

You may be asking: does it matter, really? Do I need to factor security into my application? Over the next few weeks, as we cover other areas of common mistakes and weaknesses, I hope we can ensure your answer is ‘yes’.

