Security by Design

Philipp Berger, neXenio
Apr 16, 2019

How to build a privacy first solution for the cloud

[Photo] Left: Patrick Hennig (CEO); right: Philipp Berger (CTO)

In the current environment of constant hacker attacks, phishing mails and viruses, such as Trojans or worms, the fear of data abuse, data loss and identity theft is ever increasing. In order to protect companies and individuals from cybercrime, new protection systems and methods like attribute-based encryption have been developed in recent years.

In fact the options are endless, yet significant security vulnerabilities are still being identified in companies. There are a number of examples of apps that were initially heralded by their developers as “particularly secure” but then showed serious deficiencies in the server infrastructure and its associated security shortly after launch.

Often this is due to conceptual weaknesses as well as an improper implementation of the end-to-end encryption. This illustrates that good IT security is not a purely technical question: weak points and security gaps in the system frequently arise already during the conceptual design of the software architecture. Instead, good IT security means comprehensive consideration of security aspects in all phases of software development.

This approach is also called Security by Design. Security needs to be integrated from the beginning, not added afterwards. It is critical that a concept is designed with security in mind right from the start. Otherwise, companies face expensive retrofits or liability problems. Those are ultimately much more expensive and time-consuming.

In particular, security measures often require compromises regarding user experience. Only when these are considered from the onset can they be addressed with as little impact on UX as possible. If the UX suffers because of the security, users will find (insecure) shortcuts. The key is continuous interaction between the security, development and design teams.

It therefore makes much more sense to develop with security in mind from the outset. Security starts with thinking about the problem, the design concept, the requirements and the user stories; then comes the actual implementation. Finally, it is topped off with integration and penetration tests. In order to adequately assess possible risks, several factors must always be considered and the various weak points identified.

Where could the system be attacked? Who might want to attack the system, and why? In order to address all these challenges, a multidisciplinary team with a variety of skill sets and competencies is required. Secure software also requires security-conscious people — managers, developers and testers. This collaboration-oriented team structure for solving problems and developing new ideas is nowadays also subsumed under the term Design Thinking.

“Although cloud technology is the future, one has to think beforehand about the security implications” -Philipp Berger

Design Thinking is an approach based on the assumption that problems can be solved more quickly and efficiently when people from different disciplines work together as a team rather than being forced to compete with partners or colleagues for attention and recognition. This kind of cooperation entails a significantly stronger sense of shared, systemic responsibility for the common good than other working methods, and it has proven itself not only in the area of social innovation but in all areas of society.

At neXenio we also pursue such an approach to product development. This is why we work together with young students, professors, experienced security auditors and security enthusiasts, including developers who are interested in political and ethical discussions about data protection and cryptography. We rely on a diverse way of thinking and working because we believe that you cannot develop good software on your own. In addition to design thinking, agile software development, code reviews, pair programming and static code analysis also play an important role in our work.

As a company we collaboratively defined “ethical guidelines” for all employees, which establish a common understanding of ethical principles and advice. They state, for example, that the protection of users’ privacy is our primary goal. We also want to achieve this goal through transparency towards our users — through a security whitepaper and through education: we practise maximum transparency when it comes to your data. You can see where and how your data is stored at any time. “Security by Obscurity” is not a solution for us; it is crucial for a secure cloud that users know where their data is and who has access to it.

Are you interested in using or creating safer software with us? We are always looking for customers, partners and motivated engineers. Get in touch at nexenio.com.
