Best Practices for Application Security - IT Business Edge

Posted: 24 Feb 2021 09:13 AM PST

As cybercrime rises, application security has become a buzzword in the software development industry. TikTok, a popular social media app, got publicly slammed in late 2020 after users discovered that it had more aggressive permissions than most apps and might be unlawfully collecting sensitive data, like passwords and credit card information. 

Most application and software developers want to keep their users safe, but how? This best practices guide can help you ensure your application is secure before you send it off to market.

Application security best practices

It takes a lot of work to ensure applications are secure before they hit the market, but keeping your consumers safe is worth it. Following these best practices will help you improve your application security.

Authentication and authorization

Log-in screens protect the information stored in the application from public access. Even if someone gains access to a device, they'll still have to know the right credentials to gain admittance to the application itself. Set up password rules to make sure your users are choosing passwords that will be difficult to guess. Many tools require passwords to be at least eight characters (although longer is better) and include a mix of uppercase and lowercase letters, symbols, and numbers.

Along with authorization, you might consider adding multifactor authentication, also called two-factor authentication, to your app. With multifactor authentication, users will log in with their credentials and then get a code delivered to either their phone or email to confirm their identity. You should also think about automatically logging out the user after a certain period of inactivity.

Encryption

If your application is going to be used to transfer data between devices, the application should be able to encrypt data while it's in transit. For sensitive information, the data should also be encrypted when it's not currently in use. Use well-known encryption algorithms, rather than trying to create your own.

The Advanced Encryption Standard (AES) is the algorithm that many organizations, including the U.S. government, trust as the standard for encryption security. It comes in 128-bit, 192-bit, and 256-bit key sizes, and any of these would most likely provide the right amount of security for your application.

Data logging

Not all the data you gather in your application should be logged, but you should at least keep track of where the application is accessed from. If the system detects a strange login, it should send an automated email or SMS text message to the user, allowing them to take action if it wasn't them. This should help minimize any damage an attacker might do because the user can shut off access quickly.
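As an added illustration of the "strange login" check described above (example code written for this guide, not from any product mentioned in it), the script below parses a constructed login log, builds a per-user baseline of the countries and devices seen before, and returns the alerts the application would send by email or SMS. It assumes a user's first login seeds the baseline, and it deliberately leaves an unconfirmed login out of the baseline so an attacker cannot "teach" the system their own location.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the article): one login event per line.
SAMPLE_LOG = """\
2021-02-24T08:01:10Z login user=alice ip=203.0.113.7 country=US device=iphone
2021-02-24T08:05:42Z login user=bob ip=198.51.100.23 country=GB device=chrome
2021-02-24T09:12:00Z login user=alice ip=203.0.113.9 country=US device=iphone
2021-02-24T09:13:30Z login user=alice ip=192.0.2.44 country=RU device=firefox
2021-02-24T10:20:05Z login user=bob ip=198.51.100.23 country=GB device=chrome
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) device=(?P<device>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect_strange_logins(events):
    """Return (user, timestamp, reasons) for each login from a country or device
    the user has not been seen with before. Assumption: a user's first login
    seeds the baseline and is never flagged."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    alerts = []
    for ev in events:
        profile = baseline[ev["user"]]
        reasons = []
        if profile["countries"] and ev["country"] not in profile["countries"]:
            reasons.append("new country " + ev["country"])
        if profile["devices"] and ev["device"] not in profile["devices"]:
            reasons.append("new device " + ev["device"])
        if reasons:
            # Here the app would email/SMS the user. The unconfirmed location is
            # NOT added to the baseline until the user says it was really them.
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
        else:
            profile["countries"].add(ev["country"])
            profile["devices"].add(ev["device"])
    return alerts
```

Running `detect_strange_logins(parse_events(SAMPLE_LOG))` flags only alice's login from a new country on a new device; bob's repeat logins from his usual location stay quiet.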

Testing

Before your application hits the market, you should have tested it repeatedly. Penetration testing uses both tools and manual techniques in an attempt to exploit gaps in the software's security. Once the tester has gained access, they can steal data or cause disruptions in the same way an actual attacker would.

Along with penetration testing, you should employ static application security testing (SAST) and dynamic application security testing (DAST) to find security vulnerabilities in the code. The SAST method employs a tool to automatically scan the code, but it can result in a lot of false positives. DAST is a more manual approach and can be used to further examine the gaps SAST illuminated.

Cloud app security considerations

Because users access cloud applications through the web, you have to take into account browser security and compatibility for your app. Add a secure sockets layer (SSL) certificate to your website to encrypt data and keep attackers from accessing it. 

Some of the most common threats cloud applications face are incorrect application setup, attackers stealing user credentials, and insecure application programming interfaces (APIs). Cloud application security platforms (CASP) and proxy cloud access security brokers (CASB) can both be used to secure cloud applications. They provide an extra layer of security for cloud applications and enforce your security policies so attackers can't force their way in.

On-premises app security considerations

In-office employees can access on-premises applications through a business network, while remote employees may use a virtual private network (VPN). Because of this, attackers must get more creative in their attempts because they can't simply access the application through the public internet. 

For on-premises applications, you might want to add different layers of access depending on who will be accessing the data. C-level executives might get administrator access, while individual contributors may simply get user access. Applying the principle of least privilege helps ensure only authorized users are accessing the most sensitive data.

Application security standards

There are a variety of organizations that set standards for application security, including ISO, ANSI, FIPS, and CISQ. These standards differ by industry and location where the software will be used. Many application security tools have these standards built into them, so the program knows what to look for when it's crawling your application. Make sure your app adheres to the standards set by the appropriate organization. 

Securing your app for market

Securing your application for market is no easy task, but it's worth it to keep your users' data safe. Follow the best practices we've laid out and test your app mercilessly before releasing it to the public. Consider how users will access your app both on-premises and in the cloud. Employ application security tools to help, and double-check the applicable standards to ensure your application meets them. Building a secure application is the best way to ensure your customers are safe, satisfied, and keep coming back to you.

Switched to Telegram? You need to know this about its encryption - Wired.co.uk

Posted: 27 Jan 2021 12:00 AM PST

WhatsApp may have paused its plan to change its privacy policy but that delay hasn't stopped other messaging apps taking advantage of the confusing situation it created. Millions of people have ditched WhatsApp in favour of its rivals – Signal and Telegram being the two major beneficiaries. Not all messaging apps are equal, though.

According to Pavel Durov, the founder of the Dubai-based Telegram, the app added 25 million new users in a period of just 72 hours at the start of the year. This helped it surge past 500 million registered users for the first time.

"We may be witnessing the largest digital migration in human history," he wrote in a message to more than 20,000 people on Telegram. Billed as a pro-privacy app, Telegram has helped protesters and pro-democracy activists while also hosting terrorists and sexual abuse content.

It remains to be seen whether people stay away from WhatsApp for good, but there are some fundamental differences between how Telegram and WhatsApp operate – particularly around the levels of protection they place on messages by default.

Both WhatsApp and Signal use end-to-end encryption – meaning nobody but the sender and receiver can see message content – on all their chats and calls by default. Telegram doesn't. It only offers end-to-end encryption in a couple of places: Secret Chats, plus voice and video calls.

Since WhatsApp turned on end-to-end encryption by default for more than a billion people in 2016, there's been an increase in the use of the technology to protect people's privacy. End-to-end encryption is becoming the norm on messaging services. Facebook is currently in the process of changing its infrastructure so all chats on Instagram and Facebook Messenger use end-to-end encryption and Zoom made it available on video calls following a privacy backlash in October 2020. If you recently made the switch to Telegram, here's what you need to know about its encryption.

How do Telegram chats operate?

To understand why Telegram isn't end-to-end encrypted by default, you need to look at how the app works. Within Telegram there are a few different types of messaging options. These can involve thousands of people at once and are different from the one-to-one chats and group conversations that are primarily used by its rivals.

A core part of Telegram is its "one-to-many" broadcast channels. In channels, which can be public or private and have an unlimited number of members, administrators send out messages to everyone that has subscribed. Everyone can see the messages and the channel essentially acts as a feed of posts from administrators (comments can be turned on but channels are largely used for broadcasting messages). Bloomberg's official channel (with more than 84,000 subscribers) pushes out the latest news, while an unofficial xkcd channel posts comics straight after they're published.

Telegram also has group chats, which can have a maximum of 200,000 members and largely work in the same way as group chats on other messaging platforms. Chats between individuals are, of course, also possible and the app features video calls and group voice conversations as well. (Voice calls and video calls are end-to-end encrypted by default, the company says). But it's only messaging within Secret Chats where end-to-end encryption is available.

So what does Telegram's encryption look like?

Telegram says it uses two types of encryption for content sent on its platform: cloud-based and end-to-end. Groups, channels, and one-to-one chats use its 'cloud' encryption while only Secret Chats between two individuals use end-to-end encryption.

Telegram's cloud setup means that the company is able to show and sync your messages across desktop and smartphone apps in real time. This also means that the messages you send are stored on its servers – the company says messages in cloud chats are "theoretically" accessible.

"Cloud Chat data is stored in multiple data centres around the globe that are controlled by different legal entities spread across different jurisdictions," the company says in its encryption guide. It adds that it has "disclosed 0 bytes of user data to third parties, including governments" and that multiple legal requests would be needed for it to hand over data. This hasn't stopped law enforcement finding ways to eavesdrop though. And in August 2019, Telegram moved to fix an issue that could allow people to be identified through messages sent during protests in Hong Kong.

Telegram says UK users and people in the European Economic Area have their data stored in the Netherlands. It rents data centre space but owns the servers and networks inside the data centres – it says "local Telegram engineers or physical intruders cannot get access" to encrypted data on these systems.

But, overall, this 'cloud' encryption isn't as privacy-protecting as end-to-end encryption. Within end-to-end encryption the process of making messages secret and decrypting them happens between individual users. It is client-client encryption, whereas cloud chats are client-server/server-client encryption. Analysis has confirmed this technical setup.

Telegram does offer some limited end-to-end encryption for chats between two people. They're called Secret Chats. These only work on one of your devices – if you start a Secret Chat on your phone it is only available there, it's not stored in the cloud.

To turn on a Secret Chat you need to start a new message (even if you have previously messaged a contact in a non-encrypted way). When starting a message, Secret Chat needs to be selected and the person you are messaging has to be online. In a list of conversations, those that are end-to-end encrypted show a padlock symbol. The Secret Chat function also stops messages being forwarded and has options for self-destructing messages.

Does it make sense?

So why doesn't Telegram use end-to-end encryption by default? Durov has argued it's because Telegram is a "feature-rich" app. "Signal represents one feature of Telegram, which is Secret Chats," Durov wrote on Telegram when questioned about why the app didn't use end-to-end encryption by default. "If you think you need a separate app for that feature only [end-to-end encryption], installing it might make sense for you."

Durov also believes most people want more features rather than the greater levels of privacy end-to-end encryption offers. "The minority which doesn't want any of that and wants to maximise security at the expense of usability is welcome to use Secret Chats on Telegram – or install any of the apps that only have Secret Chats and nothing on top," he wrote. He added he wouldn't "cripple" Telegram by making it end-to-end encrypted by default and removing other features such as channels.

This mix of different chat types might not be that easy to understand. Researchers at University College London asked a small group of people (just 22 in total; half had used the app before) to test Telegram's chat features and then explain how its encryption worked. They found that "rather than promoting choice" the different options available "have the potential to create confusion for users". They evaluated people's responses and the overall setup against seven privacy-by-design principles, including the principle that apps should use the most secure option by default. Telegram did not respond to a request for comment.

"Many participants believed that both modes offered the same security properties, except for the self-destruct timer which was regarded as the most visible feature of the Secret Chat mode (and as such an indicator of that mode's level of security)," the UCL researchers wrote. "Having two clearly distinct chat modes, and more so, the less secure mode as the default, can lead to confusion and error."

Updated 28.01.21, 13:00 GMT: This article has been updated to clarify Telegram has end-to-end encrypted calls and video calls by default.

Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1
