Backend Security Best Practices. Ensure the Safety of Your Product!
Jun 22, 2021 · 5 min read
Co-founder at Ideamotive. Technological advisor and software consultant.
As back-end developers who create apps that collect, store, and process data, we carry a great responsibility towards our clients and users, who have trusted us with their information. We are obliged to keep that data safe. Unfortunately, there are many perpetrators who want to get into an app's database. In the USA alone, a total of 1001 data breach cases were recorded during 2020, affecting over 155 billion people. The price of an external intrusion is high.
To establish backend security best practices, it is worth learning more about hackers' aims and tricks before implementing the appropriate tools and practices.
Why Do Hackers Hack?
While the motivation of about 20% of hackers is unknown, the aims of the other 80% of hostile actors are clear: financial benefit, the protection of nation-state interests, or the expression of political and social beliefs.
The most common reason why talented engineers turn to the dark side of programming is greed. IBM's Cost of a Data Breach Report 2020 shows that half of all malicious actors are after financial profit. Intruders may steal valuable data, infect the computer with ransomware, or hijack it. Among the different types of data (such as intellectual property or employee data), the most commonly exposed is customers' personally identifiable information (PII), which accounts for 80% of data exposures. The average cost per record reaches $175, which strongly motivates hackers to attack databases. Those attacks mainly exploit compromised credentials, cloud misconfiguration, and vulnerabilities in third-party software.
Although hacking is recognized by the majority of governments as a criminal activity, authorities often hire hackers for 'cyberwarfare'. Those military operations aim to compromise target organizations or individuals, acquire intelligence and industrial secrets, disrupt critical infrastructure, and conduct disinformation campaigns. Nation-state actors are the most dangerous, as they are well financed and have the highest level of technical expertise.
Hacktivists are the other strongly motivated group of malicious actors. They misuse computer systems or networks to draw the public's attention to something they believe to be valuable, such as freedom of information or human rights. Hacktivists usually gain unauthorized access to a website to display banners with political slogans. The other popular kind of malicious behavior is the distributed denial-of-service (DDoS) attack.
Although the number of cyberattacks happening every day is huge, all of them can be categorized into a small number of groups. The Open Web Application Security Project (OWASP) distinguishes the ten most common types of security risk.
The most destructive hazard is the SQL injection attack (SQLi): the insertion of an SQL query via an input data field. Those assaults use different methods. Union-based SQLi abuses the UNION keyword to retrieve data from other tables within the database. Error-based SQLi forces the database to produce an error message, which can reveal information about the database structure. Such information can also be obtained by observing the server's response time for certain SQL queries or by analyzing the boolean results of requests. Fortunately, despite its danger, SQLi can be neutralized easily by experienced backend developers.
The second most common vulnerability that perpetrators take advantage of is broken authentication. To gain unauthorized control over the database, intruders can use compromised credentials, apply automated brute force, or pick a password from a list of default combinations. Dictionary attacks, which try only the most likely passwords, are a popular tool as well.
Broken access control, which should govern users' rights to read and modify the database, is another loophole exploited by hackers. To gain access, attackers can modify the URL path (for example, from http://website.domain/user/ to http://website.domain/admin) or manipulate metadata by replaying or tampering with a JSON Web Token (JWT). Misconfigured Cross-Origin Resource Sharing (CORS) can be abused as well.
Difficult to perform yet effective is the exploitation of insecure deserialization: sending custom-modified serialized byte streams to the server. Converting the reworked byte streams back into objects may cause errors or, even worse, lead to the server being infected with a virus.
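The JWT and URL-path problems described above are both answered by the same rule: verify the token, then decide authorization from server-side data rather than from anything the client sent. The following added example (not code from the original article) shows a minimal HS256 verifier that pins the algorithm, checks the signature and the expiry (so a replayed old token is refused), and an authorize() function that looks the role up by subject; SECRET and USER_ROLES are constructed stand-ins for a real secret store and user database.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # constructed; load from a secret store in practice
USER_ROLES = {"alice": "admin", "bob": "user"}  # assumed server-side role store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # Issues an HS256 token; used here to construct sample tokens for the checks below.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now=None) -> "dict | None":
    # Returns the claims only if the algorithm is the expected one, the signature
    # matches and the token has not expired; any malformed token yields None.
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm: never accept 'none' or an alg swap
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None  # tampered payload or wrong key
        claims = json.loads(_unb64url(body_b64))
        current = time.time() if now is None else now
        if not isinstance(claims, dict) or float(claims.get("exp", 0)) <= current:
            return None  # expired (or missing exp): a replayed old token is refused
        return claims
    except (ValueError, TypeError):
        return None

def authorize(token: str, path: str, now=None) -> bool:
    # The role is looked up server-side by subject, so neither an edited URL
    # (/user -> /admin) nor a 'role' claim inside the token can grant admin rights.
    claims = verify_jwt(token, SECRET, now)
    if claims is None:
        return False
    role = USER_ROLES.get(claims.get("sub"))
    if path.startswith("/admin"):
        return role == "admin"
    return role is not None
```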
Security Development Lifecycle (SDL)
Over the years, veteran project managers have formulated a set of development concepts intended to guarantee the safety of software products. In their fullest form, those concepts were embodied by Microsoft under the name Security Development Lifecycle (SDL). The main SDL principles are:
Clearly define security requirements. Security requirements should be identified at the very beginning of the development cycle and tracked throughout the project. Factors to consider are local privacy laws, internal coding practices, lessons from past incidents, and knowledge of known threats.
Define precise security metrics. The minimum level of security quality should be agreed upon with the developers. The metrics could be:
mean time between failures
mean time to recovery
number of users with administrative access
days to patch
cost per incident
Be proactive and model possible threats. The model can be designed by your own development team or by external consultants. Different methodologies such as STRIDE, PASTA, CVSS, or hTMM can be applied.
Use strong cryptography standards. To achieve backend security best practices, developers may implement standards such as:
The range of tools available to make software products safe and compliant with backend security best practices is wide. Among the effective ones are a strong authentication policy, denial of access as the default setting, and the isolation of input fields and data.
Seal your data and input fields
As mentioned before, SQLi misuses input fields to insert malicious queries. To protect your database from such injections, you should restrict the use of special symbols in input fields. Also, those fields should accept only entries of the expected type: a date field should contain only a date, a number field only numbers, etc.
The other effective measure is to keep your data isolated: only a limited amount of information should be accessible from a given location.
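To make the SQLi discussion above and the input-field advice in this section concrete, here is an added example (not code from the original article) using Python's built-in sqlite3 module: a lookup that pastes the input into the query text next to the same lookup with a bound parameter, plus a type-constrained validator for number and date fields. The table and rows are constructed for the demonstration; parameterized queries are the standard defense the text alludes to when it says SQLi is easily neutralized.

```python
import re
import sqlite3
from datetime import date

def build_db() -> sqlite3.Connection:
    # Constructed in-memory table with sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, joined TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "2020-01-15"), (2, "bob", "2021-03-02")],
    )
    return conn

def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Input is pasted into the SQL text, so special symbols change the query's meaning.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver passes the value separately and it is
    # never parsed as SQL, so special symbols in the input are harmless.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def validate_field(kind: str, value: str):
    # Type-constrained input: a number field accepts only digits and a date
    # field only an ISO date. Anything else is rejected before reaching the DB.
    if kind == "number":
        if not re.fullmatch(r"-?\d+", value):
            raise ValueError("number field must contain only digits")
        return int(value)
    if kind == "date":
        try:
            return date.fromisoformat(value)
        except ValueError:
            raise ValueError("date field must be YYYY-MM-DD") from None
    raise ValueError("unknown field kind: %s" % kind)

def users_joined_on(conn: sqlite3.Connection, raw_date: str) -> list:
    # Combine both defenses: validate the type first, then bind the value.
    joined = validate_field("date", raw_date).isoformat()
    return conn.execute("SELECT name FROM users WHERE joined = ?", (joined,)).fetchall()
```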
According to the above-mentioned IBM Cost of a Data Breach Report 2020, one in five cases of customers' personal information being stolen is caused by compromised credentials. Users' responsible attitude towards their credentials can be encouraged by several app features:
a mandatory strong password: a long (at least 15 characters) combination of lower-case letters, upper-case letters, and numbers
multi-factor authentication with additional verification via email, mobile phone, time-based one-time password, etc.
regular password changes every 60-90 days.
In addition, authentication can be protected by limiting the number of failed login attempts.
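The password rule and the failed-login limit from the list above, implemented as an added example (not code from the original article): a policy check using the 15-character minimum the text recommends, and a per-account throttle that locks the account once too many failures land inside a window. MAX_FAILURES, LOCKOUT_SECONDS and the verify() hook are assumptions, not values from the article.

```python
import re
import time
from collections import defaultdict

MIN_LENGTH = 15        # the page's recommendation: at least 15 characters
MAX_FAILURES = 5       # assumed threshold before the account is locked
LOCKOUT_SECONDS = 900  # assumed lockout window (15 minutes)

def password_meets_policy(password: str) -> bool:
    # Long combination of lower-case letters, upper-case letters and digits.
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )

class LoginThrottle:
    """Counts failed logins per account; the account is locked once the
    failures inside LOCKOUT_SECONDS reach MAX_FAILURES."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the logic can be tested offline
        self._failures = defaultdict(list)  # account -> failure timestamps

    def _recent_failures(self, account: str) -> list:
        cutoff = self._now() - LOCKOUT_SECONDS
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def is_locked(self, account: str) -> bool:
        return len(self._recent_failures(account)) >= MAX_FAILURES

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self._now())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a good login clears the counter

def attempt_login(throttle: LoginThrottle, account: str, password: str, verify) -> str:
    # verify(account, password) is an assumed hook that checks the stored hash;
    # a locked account is refused before the password is even checked.
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```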
Restrict public access
A conventional practice among backend developers is to deny public access to the database by default. Server directory listings and backup files should be hidden as well. Also, blacklisting or whitelisting certain IPs is a good idea.
AI and Machine Learning
Recent advances in machine learning have allowed AI to be applied in many new fields, including cybersecurity, where it has proved efficient at reducing financial losses. According to IBM's Cost of a Data Breach Report 2020, deploying AI, analytics, and automated orchestration reduced the average total cost of a data breach by $3.58 billion.
There are several AI-driven products available on the market that can help you strengthen your security to comply with backend security best practices. The most popular are:
Windows Defender Advanced Threat Protection that automates threat investigation and response
LogRhythm platform for control over user and entity behavior analytics (UEBA) and network traffic and behavior analytics (NTBA)
Cybereason threat monitoring system
Splunk platform for user behavior analytics
BlackBerry's Cylance AI-powered antivirus product
Tessian email filtering system
The other way AI can save a company money is automated fraud detection. For instance, Shift Technology helps insurance agencies track dishonest behavior, while the startup SEON assists with the identification of fraudulent transactions.
Authentication, the key security feature, can also be reinforced with AI-driven applications through real-time monitoring of anomalies in users' authentication patterns.
Global statistics show that in the modern world cybercrime is a highly profitable illegal activity. The prospect of getting rich quickly motivates many talented programmers to turn to hacking, which puts any company, regardless of its scale, at risk. The price of potential losses is high. A security breach will ruin a company's reputation as well as cause financial damage. For this reason, establishing backend security best practices should be the product owner's top priority from the very beginning of the development cycle.
Are you currently looking for software consultants to ensure the safety of your product? Or backend developers who will develop your digital product in accordance with top safety practices? Get in touch with us. We will provide you with the experts and tech talents you are looking for.