When most people think of Internet security, they think about web browser safety, app defenses, and personal account information protection.
In our world of digital product development and design, security begins in our offices, operating systems, and servers, and focuses on prevention as much as real-time protection against existing and evolving threats.
So, how do we ensure online sessions are safe, so the organizations, clients, or end users’ security and integrity are not jeopardized while using our digital products?
The solutions are multi-faceted, and require an experienced approach to ensuring no detail is overlooked during the design, development, testing, and analyzation phases.
Best Practices & Standards For Digital Product Security
When digital products are not safe for use, organizations are jeopardizing the privacy of every user, including the possibility of divulging personal information and sensitive company data.
Here’s what we know about non-secure websites:
- They have a higher risk of being hacked
- They are at a greater risk of ranking much lower than their competitors on search engine results pages
- They have an advanced risk of damaging their current and future SEO values
There are significant issues that can arise during a security breach, which can include decreased visibility, traffic loss, and even legal – and financial! – liability once the damage is measured. That’s why we have progressive protocols in place to ensure security is a priority.
To start, online security obligations begin with basic requirements, including:
- HTTPS & SSL Certificates
- Password Managers & Spam Controls
- Multifactor Authentication, or MFA
- Consistent Software & System Updates
- Directory & File Permissions
- Backup & Recovery Plans
HTTPS & SSL Certificates
HTTPS protects page authenticity on all types of websites, secures accounts, and keeps user communications, identities, and web browsing private.
The principal motivation for HTTPS is to authenticate the accessed website while protecting the privacy and integrity of the exchanged data.
SSL Certificates activate a virtual padlock with the HTTPS protocol, providing a secure connection from the server to the web browser.
Password Managers
According to the 2019 Verizon Data Breach Investigation, 81% of hacking-related breaches leverage either weak and/or stolen passwords.
The investigation further reported that while 91% of people know reusing passwords is poor practice, 59% reuse their passwords everywhere — at home and at work.
One of the best safety features available to counter this practice is password managers, which requires registered sign-in credentials to be entered before the software or operating system can be accessed.
Password managers require users to enter passwords that have a higher degree of difficulty, to decrease the risk of their account being compromised.
Those requirements can include the use of:
- Uppercase letters
- Numbers
- Special characters
- Mandatory number of characters to increase the length
- New password creation with each reset, so users cannot select the same password twice
As digital products evolve, so do password managers that allow users to maintain their online integrity.
Spam Controls
Spam controls are security checks designed to protect digital products from bots, so those who prove to be human can gain access to the information therein.
Adding CAPTCHA, ReCAPTCHA, or Mollom check requirements interrupts what would have been easier access without them, making entry harder, which takes longer and typically discourages the intruder.
So, why is it so important to prove “I am not a robot”?
- Decreases website and blogs from comment spam
- Reduces the abuse of automated programs where forms exist
- Lessens attacks where scripts and programs attempt random login credentials
- Blocks search engines from crawling spam contents that could harm databases and sensitive data safety
Multifactor Authentication, or MFA
Requiring secondary credentials for user access is more than smart, it is commonly expected by visitors who want to ensure their data is safe.
This security requirement can include one or more methods of authentication to verify the user’s identity, including:
- Phone number confirmation, delivering a security code via text message
- Email address, providing a link to verify secure entry
- Application, to verify the users’ download to a secured device
Consistent Software & System Updates
Behind weak passwords and employee error, software and system vulnerabilities are the second greatest source of some of the most impactful cyberattacks.
According to CSO Online, 77% of compromised attacks in 2017 were fileless, where existing system software was exploited without requiring the victim to execute a file.
At Stauffer, we closely monitor our client systems and code for security notifications and releases. As soon as a vulnerability is public knowledge, any system containing that vulnerability is exposed. Our team is on top of this at all times to ensure the integrity of the digital experiences we support.
Backup & Recovery Plans
All digital products require a backup plan that includes snapshots, database backups and code copies, so no matter what happens — or how the settings are compromised — they can be recovered quickly and effectively, so it is up and running again in no time.
What Are The Major Issues & Solutions That Go Beyond Basic Security Protocols?
When digital products are not designed or developed properly, security vulnerabilities can extend from petty nuisances to significant security risks.
Here are some of the most common issues, and how we counter them to deliver significantly safer products:
- Cross-Site Scripting, also called XSS or Injections
- Cross-Site Request Forgery
- Authentication Sessions
- Insecure Direct Object Reference
- Failing To Restrict URL Access
- Unvalidated Redirects and Forwards
- Security Misconfigurations
Cross-Site Scripting, also called XSS or Injections
Cross-Site Scripting is the insertion of malicious scripts into otherwise trusted websites. Also called XSS attacks, they occur when an attacker uses a web application to send malicious code — generally in the form of a browser side script — to a different end user.
Cross-Site Scripting attacks occur when:
- Data is inserted through user generated content without being validated for malicious matter
- Data enters through an untrusted source, most frequently a web request
The Fix
We use escape syntax for the part of the HTML document we’re putting untrusted data into. To avoid injections, we keep the product’s data separate from commands and queries.
By employing safe APIs, and potentially LIMIT SQL, mass data disclosures do not happen.
Cross-Site Request Forgery
Cross-Site Request Forgery, or CSRF, is also known as a one-click attack. It allows malicious access to a website where unauthorized commands are transmitted from a user the web application trusts.
This can occur without the user’s knowledge by transmitting commands through hidden forms, image tags, and JavaScript.
Unlike Cross-Site Scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.
The Fix
The best solution for CSRF mitigation is two-fold:
- Enact user session management requirements, which means logging the user out after periods of inactivity, or limiting the length of time a user can be logged in without re-authenticating
- Implement a security token that requires users to provide a six-digit code, which randomly changes every 30-60 seconds
The website that the user is logging into would be made aware of that device’s serial number, computation, and time, to verify that the number given is one of the handfuls of six-digit numbers.
Authentication Sessions
Authentication and session issues are typically germane to the site itself, and the owner’s overall preferences based on their digital product and its end use.
For instance, financial institutions have session management requirements that limit the time of the session and automatically logs the user out, requiring the user to sign back in after a short period of inactivity.
Other authentication sessions can include:
- OAuth: Allows an end user’s account information to be used by third-party services, such as Facebook, Google, or other parties without exposing the user’s password
- Certificate Login: Requires the validity and confirmation of a digital signature, and whether the access has been issued by a trusted certificate authority (or not)
Secure Login: Utilizes a Secure Sockets Layer (SSL) to encrypt the username and password
Insecure Direct Object Reference
Insecure Direct Object References allows attackers to access resources — including system files or database records — by bypassing the authorization process directly within the system.
This commonly occurs when an app provides direct access to objects based on user-supplied input.
The Fix
We detect the flaws by testing each location where a user can supply input that points directly to reference objects and analyzes the code to determine if the user can bypass authorization and retrieve objects not intended for their use.
Failing To Restrict URL Access
Failing to restrict URL access can lead to an error in the access-control settings, which results in users being able to access pages that are designed to be hidden or restricted.
Security can be compromised using a technique called “forced browsing,” which can lead to sensitive data being exposed through a web browser by fraudulently requesting specific pages or data files.
The Fix
We provide a web-application design approach in which real keys or entity names are used to identify application-controlled resources with strong random values that can map to the original values.
This provides the correct validation of the user requesting the information.
Other options include:
- Locking URL access pages to check permissions
- Explicitly declaring a redirect to avoid the user’s input for the URL
If this cannot be avoided, we can create a whitelist for accepted redirects or let the user know they are being redirected from the site.
Unvalidated Redirects and Forwards
Unvalidated redirects and forwards grant unauthorized users the ability to craft a URL that will bypass the application’s access control check, then forwards them to the administrative functionality.
The Fix
We force all redirects to go through a page notifying users that they are leaving the trusted site. Before users can proceed, they must click link to confirm.
Security Misconfigurations
Security misconfigurations occur the intended safeguards leave vulnerabilities in a website or application. This can happen when a database or system developer or administrator has failed to properly configure the security framework.
The Fix
We log error information securely and make sure that our sites uptimes are monitored, so we can detect when sites are down for extended periods.
Logs and Monitoring
Logging generates a detailed set of events that occur within our applications.
Error monitoring tells us if our application is working.
The log monitors scan the log files and search for known text patterns and rules that indicate important events, and then relay the detected error by alerting another software or hardware system, or a person, so the security event is identified.
The Fix
We integrate logging with monitoring together to create a systematic and electronic effort to help sift through this data quicker, which solves user experience issues that may have been caused by a slow-working application.
How Can Stauffer Help Secure My Digital Products?
There is no such thing as a one-size-fits-all security approach for digital products. Different clients require diverse security solutions that fit their mission, their goals, and their end users’ overall privacy and compatibility needs — and we work tirelessly to ensure each unique aspect is covered thoroughly.
When it comes to digital products, security should be assured.
At Stauffer, we provide that certainty, so our campaigns move from concept to completion with confidence.
Contact us today to learn how our security-focused teams can produce solutions for you.
Photo by Markus Spiske on Unsplash
