In the last 18 months, we are seeing more and more security breaches and even giants like Yahoo, Facebook, Target are not spared. Yahoo declared 2 security breaches to public, including the biggest known data breach in history. Major US retailer Target announced a massive breach of its point-of-sale terminals in early December of last year. In November of last year, hackers stole passwords and usernames for almost two million accounts across several social networks such as Facebook, Gmail, YouTube etc.
If 2016 has taught us anything, it’s the damage software security can cause to the company. And it’s not just the reputation of the company that suffers, Last year alone, the experts measured several billions of dollars because of security breaches to data and software.
While simple methods such as changing the password regularly, or using two factor authentications or encryption can help to scrutinize security. It is often not enough to defend the threats which are getting much stronger than known preventative measures.
One possible solution could be found at the development stage of the software application. Hackers look for development and test environments, which are not often in the organisations strongest layer of security. In several cases test data, has been shared with disparate or even outsourced teams, making the sensitive information vulnerable. The following are the list of neutralising actions which are suitable especially to those who outsource software development to their technical consultants.
Data protection during development, testing and roll-out.
1. No production data should be used for testing, if there is a need to use production data then it should be scrubbed or masked.
2. Deploy data virtualisation with scrubbed or masked data so the data provided to the team are consistent data snapshots, reducing the overall footprints of the production data.
3. Have comprehensive set of protocols and validation procedures while accessing / updating production data during testing or rollout.
4. Direct access to data should be restricted to handful of trusted individuals and accessible via only multi-factor authentication.
5. Development and testing should always be done on server which are isolated from internet.
6. These servers should never connect to production environment servers or desktops.
7. Web applications, website data, code files and scripts should always be on separate partition or drive from that of database, OS or system files.
8. When necessary use audit trial for test activities with risk assessment report. This should be regularly monitored by risk mitigation experts in the organisation. This should be form of regulatory compliance and control, as it would provide valuable information while back tracking any incidents.
9. If development teams are geographically separated from production, then organisation must exercise even greater control and caution while transferring data between the teams. A combination of remote access, encryption and authentications can help to overcome majority of threats.
While these are only few starting points on this topic, organisations must accept responsibility for comprehensive end-to-end security across delivery pipeline. In case of outsourcing, the IT consultant should adhere and help in creating secured environment to protect valuable customer data. Choosing the right consultant can sometimes be the best first step towards safer data practices.
Business Analyst - Snr Software Consultant.