Hackers are constantly looking for vulnerabilities in systems to make a devastating attack. Read about ensuring continuous security of application and compliance with the GDPR to ensure that your business is secure.
From the article you will learn:
- on which areas of cyber security should your company focus,
- how you can avoid or minimize the cybersecurity risks,
- how to ensure the security of your resources and systems,
- what a continuous pentesting is and why it can be crucial for you.
While you are running the business in the XXI century, you become more and more technology aware. If you are in the process of digital transformation because you are either developing web/mobile application or changing the existing one, you might realize (or not) that with great opportunities that high technologies bring to your business they also bring great risks that need to be faced… Cyber attacks and issues related to GDPR compliance might be a huge headache of contemporary digital products in the form of web or mobile apps, SaaS platforms, IoT. And there is nothing to suppose, because it really is.
Security of small, medium and large companies
On average, a hacker attack occurs every 39 seconds. And what is more 43% of cyber attacks target small companies and the cybersecurity company Lemlock confirms that fact. It was observed how not only large companies like (i.e. Maersk or Renault) but also small ones (i.e. attack on Green Ford Sales, car dealership in Kansa or attack on Wright Hotels, a real estate development firm) become a target of cyber crimes. Such hacker attacks are devastating for the company regardless of its size, influence or reputation. It doesn’t even matter whether your business originates from logistic, finance or e-dating sector as long - as it is related with money, it is related with benefits that the hacker might get while taking advantage of your vulnerabilities.
Moreover, with the advent of GDPR, you also need to face additional thread related to proper care of your users' privacy. Google was already forced to pay €50 mln EUR fine for not properly disclosing to users how their data is collected across multiple services. It is a large player on the market and it would seem that it is able to adequately protect its resources or systems not only against suspicious and criminal actions, but also against irresponsible data management, data breach, and non-compliance with GDPR laws. As it turned out, money can't buy happiness (or luck!) and even Google fell victim to sloppy care for the privacy of users.
Cybersecurity in application development
It is worth asking yourself a very important question here: how can you avoid or at least minimize the risks that your system can be hacked? And another one: will you be able to properly take care of users privacy? To answer this question, imagine such situation and ask yourself: what do you do if you are going on a long Holiday to warm the sunny Canary Islands and you don’t want anyone to break into your house once you are out? The simplest answer is you go and check if all the windows (not to mention the door...) are locked.
It was just a metaphor to make you realize that you can do the same thing with your digital products. You can check if your apps are “locked” properly by performing a security audit (aka penetration testing or pentest) against your system. Such pentest is a verification method which bases on performing real cyber attacks by dedicated cybersecurity firm or specialized agencies, in order to tell you what are the weaknesses of your system and how to address them. Getting back to our home example, asking for the support of a cybersecurity company is the same situation when you are in the car just before you want to go for a holiday and ask your wife or whoever of household members who is just leaving the house - “Could you check if I closed all the windows?”.
And now you know that you can check whether my system is properly locked from the cyber attack, so probably you are wondering if you can also check whether the user privacy is handled correctly too, right? Yes, you are right. Some cybersecurity firms provides service which allows you to check whether your system architecture, databases, servers, backups, etc. address GDPR requirements like Privacy by design and default or user provisions. But what if you are in the middle of the application development process?
How to add new features to the application in a secure way?
That’s fine, again going back to our metaphor with holidays and home, so you check that all the doors and windows are locked and you can go for your dream holidays. But what if while you are on holiday you have ordered some workers to renovate your bathroom. Let’s say that you did that on purpose to have it done while you are away because you didn't want to stay in a house without a bathroom for several days. So you took the opportunity to have it done while you are away. But maybe you are wondering if after the employees finish their work, will they remember to close all the doors and windows in your home? You're not so sure, so you ask your neighbor if s/he can check every time they leave if everything is properly closed.
Security audit and GDPR compliance audit
So now we will transfer above case to the situation with your digital product or application. Let’s say you want to go live with your app. So in order to do that in the secured way you ask cybersecurity agency to do both security and GDPR checks to avoid the unpleasant situation in the future. The agency provides you with the reports containing all the things you need to do to increase the security of the application and also recommended to repeat the check after 6 or 12 months (depending on the type of your system). So you have all the issues from the report fixed and you are happy because for a longer period the cyber protection aspects of your platform will be fully addressed.
Continuous Integration and Continuous Delivery in application development
However, it is quite common that during the application development process you have already gone public with your app long before it was finally finished and you plan to keep adding new features to your system. This is a common scenario especially if you are taking Continuous Integration, Continuous Delivery and scrum approach into consideration where you deliver your product on the market within small iterations instead of creating it all at once. This approach allows to minimize the risk of failure and better adapt the application to end users, as well as enable more effective introduction of new features to it. Those new features, due to the dynamics of their development, are often not taken into account during the application security audit, and thus pose a potential threat.
The importance of Continuous Security in application development
So, what is worth doing in situations when we are constantly developing the application with new functionalities? Is it worth to perform an application audit every time a new release takes place? Well probably that would be the best option but if we compare it to our vacation example is like getting back from your holiday everyday to check if the doors are locked. This might take a lot of time and increase your Time To Market not mentioning the costs
Ask your cybersecurity agency, if they can support you in a “continuous way”. At this point, I am thinking of constantly popular service of continuous pentesting and continuous GDPR check. If your agency does it, then they know your system very well and can focus on new functionalities. Moreover they have most likely prepared some scripts while they were doing initial security test so they can also verify in a quick way whether new functionalities affect security of the existing one (so-called regression testing). In addition, the cybersecurity company can provide the developers team with recommendations and instruct them how to add new functionality to the application with the cybersecurity in mind.
Is it worth constantly checking the security of the system?
This helps you to address your needs in a lean and quick way and makes your cybersecurity partner an integral part of your team. It also allows you to reduce costs as you don’t have to perform heavy application security audits each time you release a new version but handles your cybersecurity and GDPR challenges in an ongoing way.
The issue of continuous security should not be neglected, especially that our application can change dynamically as the needs of our customers or market needs. The hackers are also dynamically acting, still looking for new vulnerabilities. That is why it is always worth having continuous cybersecurity support or a neighbor with you who will not let thieves break into your home. And you will be able to rest peacefully on your vacation.