Software prototyping within a cybersecurity framework
Risk-free software definition: reducing the cyber-threat to computer and system security through prototyping
Reducing the risk of cyber-attacks on our systems and applications should be a top priority for any software provider. Automated machine-to-machine attacks, stealthy malware that erases its own traces ("ghostware") and jailbroken devices worry security practitioners because the threats they pose to users, at both business and personal level, are hard to anticipate.
Security awareness matters most while a system is still being designed, before any code exists. Knowing the common classes of information security vulnerabilities and how to avoid them helps your team build on the principles of secure software design.
In this post, we look at how software prototyping can help teams design software with security in mind from the start. Read on for our secure prototyping guidelines and start treating risk reduction as part of software definition.
Build up your security architecture by integrating authentication into your prototype
Authentication is the process of verifying that a user is who they claim to be, so that an attacker cannot use your system or network without permission. When designing an authentication mechanism, decide where authentication is required (which pages, actions and APIs) and how you will validate the credentials of users trying to sign in.
Many web applications authenticate users with passwords and/or PINs. They're simple to use and easy to deploy. Before settling on this mechanism, decide how you'll request, display and store credentials (store only a salted, slow hash of the password, never the password itself), and how you'll prevent a returning user from changing identity-related data such as their e-mail address or password without re-authenticating after the initial logon.
With a prototype, you can design a login form that grants access only when the correct username and password have been provided, and that shows an error message when the request is rejected. Keep that message generic and identical for an unknown username and a wrong password, so the form cannot be used to enumerate valid accounts.
To make passwords harder to crack, you can simulate a password strength meter in your prototype with input text fields and conditional logic, so that users can only register with (or change to) a strong password. Remember that the prototype only shows the intended behaviour: in the real application the same policy must be enforced on the server, because anything checked only in the browser can be bypassed.
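The server side of the login flow described above, as an added example that is not part of the original post and not code from any prototyping tool: salted PBKDF2 password storage, a constant-time comparison, one generic failure for both unknown user and wrong password, a strength policy applied at registration rather than at sign-in, and a step-up re-authentication before the password can be changed. The class and function names, the PBKDF2 parameters and the small password denylist are assumptions made for the example.

```python
"""Server-side counterpart of the login flow sketched above.

Added illustration, not code from the original post or from any prototyping
tool. Class and function names, the PBKDF2 parameters and the sample password
denylist are constructed assumptions for the example.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Optional, Tuple

# OWASP's Password Storage Cheat Sheet recommends 600,000 iterations for
# PBKDF2-HMAC-SHA256; lowered here only to keep the example quick to run.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample of passwords found in every cracking wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}

# One message for both "no such user" and "wrong password", so the form
# cannot be used to enumerate valid usernames.
GENERIC_FAILURE = "Invalid username or password."


def password_strength_errors(password: str) -> List[str]:
    """Server-side policy behind the strength meter: returns the rules a
    candidate password fails (an empty list means it is acceptable)."""
    errors = []
    if len(password) < 12:
        errors.append("at least 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("not a commonly used password")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        errors.append("at least three of: lowercase, uppercase, digit, symbol")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash; the plaintext password is never stored."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self._sessions: Dict[str, str] = {}                # token -> username
        # Dummy record so a login for an unknown user costs the same as a
        # real check (no timing side channel on username existence).
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username: str, password: str) -> None:
        problems = password_strength_errors(password)
        if problems:
            raise ValueError("Password must be: " + "; ".join(problems))
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session token on success, None on failure. The
        caller shows GENERIC_FAILURE for None, whatever the reason."""
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        matches = hmac.compare_digest(actual, expected)   # constant-time compare
        if matches and username in self._users:
            token = secrets.token_urlsafe(32)   # new token per login: no fixation
            self._sessions[token] = username
            return token
        return None

    def whoami(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def reauthenticate(self, token: str, password: str) -> bool:
        """Step-up check before identity-affecting actions: a valid session
        alone must not be enough to change the account's credentials."""
        username = self._sessions.get(token)
        if username is None:
            return False
        salt, expected = self._users[username]
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(actual, expected)

    def change_password(self, token: str, current: str, new: str) -> bool:
        if not self.reauthenticate(token, current):
            return False
        problems = password_strength_errors(new)          # policy applies again
        if problems:
            raise ValueError("Password must be: " + "; ".join(problems))
        self._users[self._sessions[token]] = hash_password(new)
        return True
```

The dummy hash in `__init__` is what keeps the "user does not exist" path as slow as the "wrong password" path; without it, response time would leak which usernames are valid even though the error text does not.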
Make sign-in doubly secure with an authorization step
It is essential to verify a user's identity before giving them access to a system or letting them perform a task within it. But knowing who a user is isn't enough to decide whether they may perform high-privilege actions. This is where authorization comes into play in the security architecture.
Authorization is the process of determining what an authenticated user is permitted to do and which resources they can access within your system. It protects actions such as file system access and network socket operations, as well as operations exposed by the operating system, language or framework. It is a key step in preventing information being disclosed to the wrong people and data being tampered with, and should be conducted as an explicit check on every request after authentication has completed, not only once at login.
When incorporating authorization logic in your design, the main rule is that all authorization decisions must be made on the server, never on the client: hiding a button or menu item in the interface is not a control, because a user can send the underlying request directly. In your prototype you can model role-based access control, granting each role a specific set of permissions and keeping administration privileges in a separate role, with the server deciding which role a session holds.
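The server-side, deny-by-default role check that rule calls for, as an added example that is not part of the original post and not code from any prototyping tool. It places a vulnerable handler that trusts a client-supplied role next to the correct handler that reads the role from the server's own session record, and adds an object-level ownership rule so that an editor can modify only their own documents. The role names, permission strings, `Document` record and sample sessions are assumptions made for the example.

```python
"""Server-side, deny-by-default role-based authorization for the rule above.

Added illustration, not code from the original post or from any prototyping
tool. The role names, permission strings, Document record and sample sessions
are constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Role -> granted permissions. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"doc:read"}),
    "editor": frozenset({"doc:read", "doc:write"}),
    "admin":  frozenset({"doc:read", "doc:write", "doc:delete", "user:manage"}),
}


@dataclass(frozen=True)
class Session:
    """Server-side session record: the role lives here, never in the request."""
    username: str
    role: str


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str = ""


@dataclass
class Request:
    """What the server actually receives: a session token plus parameters the
    client controls completely (form fields, query string, cookies)."""
    token: str
    params: Dict[str, str] = field(default_factory=dict)


class AuthorizationError(PermissionError):
    pass


def has_permission(role: str, permission: str) -> bool:
    # Unknown roles get the empty set, so the answer defaults to "no".
    return permission in ROLE_PERMISSIONS.get(role, frozenset())


def authorize(session: Session, permission: str, doc: Optional[Document] = None) -> None:
    """Explicit check run on every request after authentication. Raises unless
    the role grants the permission and, for modifications of a document, the
    caller owns it or is an admin."""
    if not has_permission(session.role, permission):
        raise AuthorizationError(f"{session.username} ({session.role}) lacks {permission}")
    if doc is not None and permission != "doc:read":
        if doc.owner != session.username and session.role != "admin":
            raise AuthorizationError(f"{session.username} does not own document {doc.doc_id}")


class DocumentService:
    def __init__(self) -> None:
        self._docs: Dict[int, Document] = {}
        self._sessions: Dict[str, Session] = {}   # token -> Session, server side only

    def add_session(self, token: str, session: Session) -> None:
        self._sessions[token] = session

    def add_document(self, doc: Document) -> None:
        self._docs[doc.doc_id] = doc

    def _session_for(self, req: Request) -> Session:
        session = self._sessions.get(req.token)
        if session is None:
            raise AuthorizationError("not authenticated")
        return session

    def delete_insecure(self, req: Request, doc_id: int) -> bool:
        """Anti-pattern: the decision trusts a role the client sent (the kind of
        hidden field a UI prototype might carry over). Editing the request is
        enough to become admin."""
        role = req.params.get("role", "viewer")
        if not has_permission(role, "doc:delete"):
            return False
        return self._docs.pop(doc_id, None) is not None

    def delete(self, req: Request, doc_id: int) -> bool:
        """Correct form: the role comes from the server-side session bound to
        the token; req.params plays no part in the decision."""
        session = self._session_for(req)
        doc = self._docs.get(doc_id)
        if doc is None:
            return False
        authorize(session, "doc:delete", doc)
        del self._docs[doc_id]
        return True

    def update(self, req: Request, doc_id: int, body: str) -> Document:
        session = self._session_for(req)
        doc = self._docs[doc_id]
        authorize(session, "doc:write", doc)
        doc.body = body
        return doc
```

Note that `delete_insecure` is exactly what a prototype's "role" dropdown or hidden field becomes if it is copied into the real application unchanged: the UI decides, and the server believes it. In `delete` and `update`, the only client input that matters is the session token, and the role it maps to is never exposed to the client at all.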
Additionally, by integrating your prototyping tool with your LDAP directory, you centralise control over users, permissions, roles and access levels. Install the collaboration server behind your firewall and use host restrictions to limit server-to-server communication to the hosts that actually need it, keeping unwanted third parties out.