November 30th is Cybersecurity Day and we think this is an ideal opportunity to reiterate the security fundamentals. So based on the experience of our colleague Ján, who manages all our servers, we’ve compiled a quick checklist with practical recommendations to increase data security in your projects. Whether you’re an experienced developer or an IT novice, we believe these steps will help protect your projects.
1. Securing work equipment and processes
Security begins with the programmer: The basis for the security of any project is the security of the device on which you’re developing it. This includes using strong passwords (don’t use weak passwords even during app development – you may forget to change them later), firewalls, antivirus programs, and connecting exclusively with a VPN. Caution when accessing admin accounts and using apps from reliable sources is also important.
No unencrypted communication: To protect communication and access to databases, it’s always necessary to use encryption (SSH or SSL). You should also emphasize the correct use and (non)circumvention of safety certificates. Certificate verification is sometimes deliberately omitted during development because of the speed of processes. If you forget to add this functionality when publishing the code in production, it can be a really big security problem.
Always up-to-date applications: Regular software and system component updates are key. In the case of applications, it’s especially important not to ignore security updates of libraries and to properly set up the update of containers such as Docker or Podman.
2. Measures against external threats
Known WiFi only: When using public or unknown Wi-Fi networks, it’s critical to secure all data transmissions with encryption over VPN, SSH, or at least SSL and use two-factor authentication. Particular caution should be exercised with Android devices where delays in updating may occur.
Beware of Zero-Day vulnerabilities: A Zero-Day vulnerability represents a security hole in software that is unknown to the developers and is exploited by attackers before it can be repaired. These holes are particularly critical because no fixes or patches are yet available at the time of their publication. It’s therefore necessary to monitor the systems and apply repairs as soon as they become available.
Securing each input: Any input fields on the page must be programmed with utmost care to prevent the insertion of malicious code.
3. General advice for a happier night’s sleep
Caution when copying: Beware of copying scripts and commands from unverified sources. When using the keyboard shortcut Ctrl+V in the terminal window, the command is immediately executed, which can be treacherous, as malicious characters can sometimes be hidden in the code. It’s therefore important to always carefully check and understand the contents of the copied code to prevent potential security threats.
Verified access: When requesting a change of access to your project by e-mail, it’s necessary to verify whether the modification is actually requested by an authorized person. You can do this by phone or text message.
Stolen laptop = stolen data: Every portable device should be password protected and/or fingerprint protected. In the event of loss or theft, everything must be done to prevent anyone from accessing the data inside (blocking, remote deletion). And when that laptop is accidentally found after a few days, it’s worth letting it undergo a proper security check. Even if a hacker couldn’t access the data, they could install, for example, a program for capturing passwords or keyboard presses.
So what about you? Are you doing it right? 🙂