Software Development Security Best Practices: MobiDev’s Approach
As software development security is always among the top priorities for product owners, we’ll share how we at MobiDev protect customer products from threats, ensuring a secure software development process.
Rules that MobiDev Follows to Provide Secure Software Development
The efforts of MobiDev project teams are focused on ensuring the security of software products at all stages of their development. Our experts constantly study common threats and apply proven practices of secure software development to protect client apps.
We ensure reliable security of the company’s IT infrastructure and each project, acting under our Information Security Policy and its appendix, Information Security Overview. MobiDev staff undergoes complete training in information security and confidentiality policies and procedures.
MobiDev provides software security based on the following:
- Setting security goals and priorities for each product
- Adherence to the MobiDev security policy, including the security of servers, databases, data of mobile and web apps, and cloud storage
- Identifying data security risks as early as possible
- Security risk assessment
- Continuous improvement of internal rules for secure software development
- Availability and application of software security threat response plans
- Training and continuous improvement of staff regarding security in software development
- Implementation of the latest software development security best practices and conventional industry standards
Our software security approach includes two levels: Basic and Advanced.
The Basic level of security is mandatory for all projects of the company. The Advanced level is used as necessary, based on the specifics of the domain and requirements for increased security of the software product.
This approach is flexible and allows us to meet the customer’s needs as much as possible. We perfectly understand the situations in which the product owners find themselves.
After all, projects can have strict budget and time constraints, and priorities can change at different stages of the work. Therefore, we ensure compliance with the requirements of customers who seek to obtain an Advanced level of protection for their product. At the same time, we understand the willingness of product owners to limit themselves to basic app security requirements for some time and to implement additional features for its protection in subsequent releases. It should also be noted that each development technology has its own security best practices.
We also understand that our enterprise clients have internal security standards that are followed in all projects without exception. In such cases, we extend the security levels we have adopted to cover the customer's requests.
Let’s focus on just a few main points that will give you an idea of the company’s software security strategy.
1. Secure Software Development Lifecycle (SSDLC)
We have integrated security into all stages of development by transforming our Software Development Life Cycle (SDLC) into a Secure SDLC. Of course, each stage has its priority from the point of view of security. When working with requirements, we pay attention to risk assessment. The stage of creating an architectural solution is the right moment for threat modeling and architectural security review. The project's technical leader checks the compliance of the architecture with security requirements, and the company's CTO may review it if needed.
During development, static security testing is the appropriate check. The software testing stage includes security testing. When deploying, we make sure that the security configuration of the app is correct.
There are security checkpoints within the project milestones: these are organized through regular code reviews by the technical lead and on-demand audits. In security reviews, our technical leaders present the results of checks according to checklists, list the identified issues, indicate the methods and priority of their fixing, describe existing business risks due to such issues and their possible consequences, etc. Thus, security reviews contain all the necessary information to restore software protection.
The CI/CD (Continuous Integration and Continuous Delivery) we use helps us prioritize security in every phase of the software development lifecycle. By setting up CI/CD, we avoid failures due to human factors. In software development projects with an advanced security level, CI/CD is used, as they say, by default.
Our in-house DevOps engineers configure and run CI/CD. By seeing the big picture of the project, including its infrastructure, such specialists play an important role in identifying and neutralizing threats using DevSecOps methods.
We use CI/CD whenever there is an app update. By running the code through automated testing and deploying it automatically, we can ensure that there are no installation issues that could pose a security risk. Also, our CI/CD deployment process may include scanning source code for code style violations and third-party libraries for security issues.
We keep all sensitive credentials required for running the web app in the secure storage of the CI/CD. To ensure stable updates and a stable, secure environment, we stop the deployment if there is any failure in the CI/CD process.
Typically, we use unit tests that cover all critical product functionality and run them in CI/CD pipelines. Module-level testing of the core logic, run in a CI/CD pipeline, prevents critical defects from appearing in the release.
2. Authentication And Access Control
We are steadfast in our daily adherence to proven rules, such as:
- OTP (One Time Password) for logging in and performing actions with confidential data
- Mandatory MFA for all Advanced Security Level projects
- Use of biometric authentication wherever possible and agreed to by the customer. We have skilled in-house AI engineers who can provide effective multi-modal biometric authentication
- The Pass-code was and still is the main and indispensable attribute. Also, we willingly use the combination of Pass-code with Face ID/Touch ID.
- Constant monitoring of access to infrastructure, and compliance with server/environment access policy.
- Verification of automatic notification mechanisms for unauthorized access attempts
3. Data Security
Here are some rules that help us protect data:
- Secure information transfer both in internal networks and with external entities.
- Proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information and systems.
- Execution of requests using the HTTPS protocol and monitoring the validity of certificates. HTTP usage is not allowed.
- Proper storage of sensitive data (passwords, keys, certificates, tokens, etc.), i.e. only in secure storage in encrypted form. Using only secure hashing algorithms.
- Exclusion of the possibility of issuing confidential information through a web server (e.g. nginx, Apache).
- Monitoring of regular backups according to established procedures. Also here we check the availability and relevance of disaster recovery plans for all critical data and systems.
4. Third-Party Services Security
We only use official sources and reject the use of outdated versions of libraries. We update the libraries and frameworks we use. This not only increases security, but also simplifies further product support. That is why we always make sure that only the latest stable versions of third-party services are used in software development projects.
Sometimes, legacy software modernization needs a more flexible approach. We are ready for this and in such cases, we make appropriate decisions for the interests of the customer.
5. API Security
We avoid dangerous API connections. All private API requests are performed exclusively with an authorization key and according to the user’s access level. We do not allow exceptions in such matters. Proper authorization mechanisms and correct access settings are one of the elements of software protection.
6. Secure Coding Practices
MobiDev has created internal secure coding guidelines for each programming language it uses. During onboarding, new company developers study these guidelines and practice secure coding methods. Secure coding guidelines are always available in the company’s collaborative tool. MobiDev tech leaders monitor the fulfillment and adherence to the guidelines by project team members.
The regular code reviews and comprehensive security testing we carry out are also part of our Secure Coding Practices.
7. Secure Deployment and Maintenance
During the deployment and maintenance of the product, the effect of those security measures, which were used at all previous stages of development, is manifested. In order not to lose the achieved app security level, we constantly provide the following:
- Secure Configuration Management
- Secure Server Environment
- Continuous Monitoring and Auditing
- Regular Updates and Patching
- Secure Backup and Recovery
- Incident Response Planning
- Security Awareness and Training
- Third-Party Integration Security
The most reliable approach for secure software development is to take care of security all the time, at all stages of projects, and in all, even the smallest, details. The security of your app is based not only on the skillful actions of engineers but also on the maturity of the processes and policies of the software development company. We have developed and implemented software product security checklists that our project teams use on an ongoing basis. For us, security is a continuous process that we constantly review, update, and improve to adapt to new threats and changes in software and infrastructure without loss.
Platform-specific Secure Software Development
The security practices we use depend to a large extent on the technologies and platforms chosen. For example, web and mobile projects may require different approaches.
Mobile application development security best practices
In building mobile apps, we follow our software security strategy while taking into account the specifics of this development area. In particular, our mobile developers aim to prevent security vulnerabilities related to API connections, data storage, use of open-source code, user authentication, or the possibility of reverse engineering by attackers.
We rely on the recommendations of the providers of the iOS and Android mobile operating systems and on mobile application development security best practices when compiling the security checklists and response plans of project teams.
In the security system when creating mobile apps, our company, among other things, adheres to the following:
- Widespread use of passwords and their responsible handling
- Careful attitude towards issuing access permissions
- Use of biometric identification systems like Face ID / Touch ID based on stored tokens/credentials instead of insecure direct login
- Storage of sensitive information using secure technologies offered by mobile operating systems, such as Keychain on iOS or, for example, the Android Keystore System for storing encryption keys
- Adherence to additional security measures when running a mobile app with a web app together
- Using p2p cryptography from native or proven libraries to transfer especially important information
- Use only secure connections, including refusing to use HTTP
- Encryption to protect important information in files
- Detect jailbroken iOS devices and rooted Android devices to prevent mobile apps from running on them
- Avoid using binary libraries, especially from dubious sources
- Use of development tools, libraries, and plugins only from official sources to avoid XcodeGhost and other similar risks
- Protection with the help of created permissions of the data exported during the interaction of several apps
You may also need a Mobile Device Management solution (MDM) to deal with security and monitoring of corporate mobile devices. MobiDev has experience in the development of enterprise secure communication systems via mobile devices. Such a system connects devices that have a custom operating system for encrypted communication and data storage. For this system, in particular, we also created two Secure Apps, Chat and Email, to exchange information in an end-to-end encrypted form.
Ensuring proper security is one of the main challenges when creating enterprise Mobile Device Management (MDM) systems. Users work through enterprise mobile devices with business-valued data. Thus, we prevent threats to enterprise databases by securing the mobile device. Our engineers take a comprehensive approach to solving such issues. We build a completely protected MDM system by applying advanced user verification, end-to-end encryption, secure connections, and more. Due to the lack of gaps, this system guarantees the security of the corporate network of mobile devices.
MobiDev pays proper attention to security in all its projects. We combine the use of capabilities of mobile operating systems with our own custom developments. Adherence to mobile application development security best practices at all stages of projects allows us to protect client products reliably.
Web Application Security Best Practices
Web apps, operating in an open and inherently barrier-free Internet, are in a zone of increased danger for both malicious attacks and accidental damage. Perhaps it is precisely because of the increased demand for reliable protection of apps and data that today the Web is the area of software development that has generally accepted standards and compilations of best practices for secure development. This accelerates the achievement of mutual understanding between developers and customers, allowing them to rely not only on their own but also on generalized experience, and to start a dialogue about security in software development not from scratch but from a publicly available knowledge base.
At the very least, most of our tech-savvy readers are aware of OWASP. The Open Web Application Security Project takes care of web application security by creating and regularly updating relevant standards, methodological materials, and even technologies. The OWASP Top Ten is, without exaggeration, the bestseller of secure software development. All the most critical risks currently faced by web app owners are collected here.
MobiDev specialists use web application security best practices distributed by OWASP in their projects, supplementing them with their own. There is no point in listing everything that is included in our arsenal of secure software development web resources here, as it would take up too much space. At the same time, it will be helpful to get acquainted with some of our considerations regarding the use of certain methods and technologies.
The following, in particular, contribute to the security of web apps:
- Improvement of the reliability of such classical security measures as authentication and access control. After all, a person’s health also largely depends on compliance with basic hygiene principles. Responsible attitude to passwords, multi-factor and multiple authentication, compliance with the principle of least privilege (POLP) for users, use of SSL and encryption, monitoring of accounts, and user behavior are all components of our security practices in software development. We always advise our clients to follow our example in this regard.
- Due attention to exception management. Our developers create only secure scripts for each user operation. All possible errors are foreseen, and their handling will be carried out with meaningful exceptions. As a result, potential attackers will not receive valuable information and opportunities for exploiting edge cases to cause unexpected behavior.
- Secure management of containers created using Docker. We have adopted the appropriate security guidelines, which are also helpful for our customers. Here we are talking, in particular, about network segmentation, refusing to grant root access, excluding the use of privileged containers in Kubernetes, and using the secrets mechanism in Docker and Kubernetes for storing sensitive data, etc.
- Using both main approaches, static and dynamic security testing, in such a way that they complement each other.
- Meticulous analysis and filtering of results during Static Application Security Testing (SAST). For this, in particular, we use the SonarQube static analysis tool, integrating it with the CI/CD pipeline. With SonarQube, we check not only the security, but also the maintainability and reliability of the code base.
- Applying both manual and automated Dynamic Application Security Testing (DAST) to identify vulnerabilities in deployed or running code. We use the open-source security scanner OWASP ZAP to speed up regression testing. Automating routine tasks allows our specialists to focus on the implementation of web application security best practices.
- Conducting penetration testing, even though it is more complicated than static and dynamic security testing. Penetration testing, which combines the work of experts and the use of dynamic scanning tools, allows for an increase in the efficiency of identifying risks. Our experience confirms the efficiency of periodic full-scale penetration testing by a certified ethical hacker.
- Using extended detection and response (XDR) solutions because with them in place, it is possible to get a complete picture of the state of software security based on data from all layers of the security stack, including both the app itself and networks, clouds, and endpoints. We integrate XDR with security tools to automate real-time threat response.
- Preventing security misconfiguration. For this, our specialists regularly update the used software frameworks, libraries, and plugins to their latest stable versions, scan software packages for vulnerabilities, protect valuable files and directories, and use secure communication and network protocols.
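The container rules in the list above (no root access, no privileged containers, sensitive data only through the secrets mechanism) can be checked mechanically before deployment. The following is an added example, not MobiDev's own tooling: a Python audit of Kubernetes Pod manifests given as dicts, where the sample manifests, the `audit_pod` helper and the sensitive-name pattern are constructed assumptions.

```python
"""Audit Pod manifests for: privileged containers, root users, inline secrets."""
import re

# Assumption: env var names matching this pattern carry sensitive data.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)


def audit_pod(pod):
    """Return (container, rule, detail) findings for one Pod dict, in discovery order."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Rule 1: privileged containers are never allowed.
        if sc.get("privileged") is True:
            findings.append((name, "privileged", "securityContext.privileged is true"))

        # Rule 2: no root. Container-level settings override pod-level ones.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            findings.append((name, "root", "runAsUser is 0"))
        elif run_as_user is None and run_as_non_root is not True:
            findings.append((name, "root", "no runAsNonRoot and no non-zero runAsUser"))

        # Rule 3: sensitive env vars must come from a Secret, not a literal
        # value and not a ConfigMap (ConfigMaps are not a secret store).
        for env in c.get("env") or []:
            var = env.get("name", "")
            if not SENSITIVE_NAME.search(var):
                continue
            if "secretKeyRef" in (env.get("valueFrom") or {}):
                continue
            detail = "literal value in manifest" if "value" in env else "not sourced from a Secret"
            findings.append((name, "inline-secret", f"env {var}: {detail}"))
    return findings


# Constructed sample manifests (not from any real project).
WEAK_POD = {
    "kind": "Pod",
    "metadata": {"name": "api-weak"},
    "spec": {"containers": [{
        "name": "api",
        "image": "registry.example.invalid/api:1.0",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "constructed-not-a-real-secret"},
                {"name": "LOG_LEVEL", "value": "info"}],
    }]},
}

HARDENED_POD = {
    "kind": "Pod",
    "metadata": {"name": "api-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api",
            "image": "registry.example.invalid/api:1.0",
            "securityContext": {"privileged": False},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "api-db", "key": "password"}}}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

Run as a CI/CD step, a non-empty findings list is a natural condition for stopping the deployment.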
Our team regularly upgrades approaches, technologies, and tools for security in software development. To do this, we constantly monitor changes in web development, where new technological possibilities are often accompanied by the emergence of additional risks, which can be seen in the examples of open-source code, APIs, and containers.
Advanced Secure Software Development for Security-sensitive Domains
Some domains have their own specific security and compliance requirements, like fintech or healthcare. We have prior experience with projects in which we took additional security measures for specific domains, delving into their features. Let’s take a look at some of these areas.
Security practices in healthcare software development
The well-known HIPAA (Health Insurance Portability and Accountability Act) aims to guarantee the privacy and security of data in the healthcare sector. All organizations operating in this area in the United States are required to comply with HIPAA regulations regarding the storage, processing, and use of confidential patient data.
When implementing projects in the field of healthcare, for the sake of compliance with HIPAA, we focus on the following points:
- TRANSPORT ENCRYPTION. Care should be taken to encrypt any ePHI (Electronic Protected Health Information) before sending it. At the basic level, data protection is done using SSL and HTTPS protocols. The need for transport encryption must be considered in the healthcare organization’s interaction with the cloud provider so that it allows secure SSL configuration for secure encryption. Properly configuring HTTPS and verifying that TLS versions are valid and secure are also essential.
- BACKUP AND STORAGE ENCRYPTION. We are talking not only about creating and securely storing backup copies of confidential PHI but also about ensuring that only authorized personnel have access to it. The point of special attention is the servers of shared use, for example, of the hosting provider. Data must remain encrypted and inaccessible, even if the servers are somehow compromised. Also, we only use industry-approved encryption of information.
- IDENTITY AND ACCESS MANAGEMENT. The issue of ensuring that only authorized users are allowed access to confidential data can be implemented in several ways. According to software security best practices in healthcare app development, both two-factor authentication (2FA) and single sign-on (SSO) can be used. The level of expertise of our project teams allows us to implement multimodal biometric authentication that is reliable through the uniqueness of a human fingerprint, face, or voice.
- INTEGRITY. The protection of software in healthcare should be comprehensive and not have gaps in any aspect. The efforts of our specialists are aimed at ensuring that the developed system is capable of immediately detecting and reporting any attempt at unauthorized data interference.
- DISPOSAL. The final disposal of data and encryption-decryption tools that the customer stops using is also a component of security in software development for healthcare.
Software Development Security in FinTech
FinTech security is always in dire need of secure software development best practices. Let’s recall the sensitive points of software products for this sector.
Every financial institution follows internal Know Your Client (KYC) rules. Customer Identification Program (CIP) is a mandatory element of the KYC procedure. There is a wide range of ways to perform CIP. For example, a video call may be sufficient to verify the client in manual mode. By involving our in-house AI engineers in the project, our developers can also provide automated verification of the client’s identity through facial recognition and document text recognition.
The financial sphere is distinguished by a significant number of international and national legislative norms, as well as standards that regulate it.
We will list at least a few of the main ones:
- General Data Protection Regulation (GDPR), which, in particular, provides for users’ consent to access their data.
- KYC/AML for preventing money fraud and terrorist financing
- PSD2, which, among other requirements for financial services providers, obliges banks to provide open APIs for third-party access
- PCI DSS, the standard that applies to software that processes credit card data.
Often, compliance with certain rules requires a set of security measures in software development. As an example, one can cite, in particular, compliance with anti-money laundering (AML) norms, which requires verification of not only users, but also accounts and transactions, as well as detection of suspicious transactions.
Ultimately, our top advice to clients planning software development in security-sensitive domains is to clearly understand the requirements of all relevant regulations. For example, in the United States, when planning to launch your app, you need to consider not only the federal laws but also the laws of individual states. For instance, the California Consumer Privacy Act (CCPA) is appropriate to consider for all apps with users in the Golden State.
In practice, there have been cases when clients, preparing to market an app in a security-sensitive domain, underwent a security audit procedure conducted by specialized agencies. We assist such customers in ensuring compliance with industry standards and legislative norms, including by implementing the recommendations of external auditors.
Build Your Secure Software Solution With MobiDev
MobiDev has integrated security into all development stages, achieving confidence in the following:
- The staff, as well as the processes and technologies they use, are well-prepared for secure software development.
- All software systems are protected against unauthorized access and interference.
- Project teams develop and release software solutions with minimal security vulnerabilities.
- The company's engineers identify vulnerabilities and promptly implement response plans. Specialists eliminate identified software security vulnerabilities and prevent their appearance in the next releases.
Ensuring security in software development is a continuous process. That is why our company has developed its security checklists, according to which project teams constantly monitor the implementation of all necessary security measures at each stage of product creation. We regularly update these checklists and relevant instructions in line with software development security best practices. In-house DevOps specialists take care of the comprehensiveness of security in software development projects.
It is necessary to act in advance to provide secure software development. We detect threats in a timely manner and effectively counter them, relying on MobiDev’s proven security policy. Engage our experts for secure development of your product.