#1 Test inputs Rigorously
If your software takes input from the user, someone will try to sneak something past you. The solution is to test the size and structure of the incoming data and never, ever trust your users. A test, system, or procedure that is rigorous is very thorough and strict. The selection process is based on rigorous tests of competence and experience. If someone is rigorous in the way that they do something, they are very careful and thorough.
#2 Use Encryption More Often
Encryption is often underused because if adds yer another step to the machinery and makes debugging that much harder. It can be difficult enough to find errors in a system. It’s even tougher when the data is an inscrutable pile of numbers. Some are used to encrypt messages, some are used to encrypt other keys, and others are used to authenticate messages or users. Most often, encryption is used in the design of secure systems as a way to reduce the amount of information that needs protection by other means.
#3 Use Internal APIs
Breaking your code into modules and enforcing communication through well-designed APIs id an old important lesson. It’s even more valuable for security because APIs can make it simpler to audit interactions. find holes, and fix problems. An API layer designed for developer consumption decouples consumption from the underlying complexity of systems of record, providing access controls and an audit trail for all system access.
#4 Limit Privileges
A good principle is to give code and people the smallest amount of privilege needed to get the job done. If this turns into a management headache generating too many requests for extra privileges, it may make sense to rethink the architecture for the data. However, these accounts should not be used on a regular, daily basis. Therefore, some form of action should be taken to limit the use. The obvious choice is to restrict which users know the passwords for these accounts.
For the Active Directory related Administrator accounts, it is a good idea to have a process for applying the password where no one user knows the entire password. This can easily be done by having two different administrators input a portion of the password, then documenting that portion. If the account ever needs to be used, both documented portions of the password can be obtained.
#5 Build Multiple Walls
Security often completes the demand for ease of use. people the logging into different parts of the system, but it can be dangerous to link everything to one portal. The easier you make it for legitimate users, the easier you make it for attackers.
#6 Just Store What You Need
Information costs time to process, takes up disk space, and makes an attractive target for information thieves. Try to ask users for information that you’re really going to need through your software’s lifecycle.
#7 Keep Apprised of the Latest Threats
Following the industry trends is absolutely essential. Understanding what happened in the pad is a good way to begin planning for the future. Ransomware became a huge issue in 2016, and its influence has been felt in just about every area of life. Outside of individual people, it will also help to stay on top of reports put out by reputable companies.
Verizon’s 2016 Data Breach Investigations Report has some good insights, and McAfee’s 2017 Threats Predictions can help you prepare for the new year. Both individuals and entire businesses have fallen victim to this malware that encrypts the user’s data and forces them to pay money to get it back. Many in the industry are predicting ransomware attacks will continue to get bigger in scale, with the most recent example being the attack on the San Francisco Municipal Transportation Agency that affected 2,112, according to The Register.