Anything network connected could potentially be exposed to the Internet and we all know it is a war zone out there - at the speed of light.
If you ask anyone building a computer system of any sort if they care about security they will of course say yes. But if a solutions is secure or not is not really a yes or no question. If the one you ask take security seriously, you would not get a straight yes answer, you would get a pained look in return and a long answer of how they really work with security in everything they do, how they constantly try to improve, think a step ahead and try to minimize attack vectors, encrypt everything, not store anything sensitive, watch what hash algorithms have been breached lately and similar statements.
At Humly we have worked with security from the ground up, from the hardware design perspective, the operating system level up through the application layer. Even at the operating system level we compile only the bare minimum of what is needed to run the application, everything else is removed to minimize the attack vectors.
Security is hard, it is an IT profession in itself. To make sure we are the best on the market in this area we have a long standing collaboration with the Swedish security firm, Truesec. They are at the bleeding edge of the field.
Truesec audits our solutions doing a so-called white-box penetration test, meaning that they have access to all our source code so they can spot any vulnerabilities much easier. They run both automated attacks, automated source code scanning for vulnerabilities and audits architecture.
At the start of the collaboration we even had two developers from Truesec working in our development team to educate and spread the security philosophy to everyone.
It is easy to become complacent in security. Maybe you’ve had several contractors building the solution, one for hardware, another to do the OS layer, one for user interface and yet another for databases and backend. Maybe junior developers that think they’ve thought of everything. You could have contractors afraid to admit security mistakes, parts of open source code that did not age well.
All of that is solved with an external audit, someone paid to find any mistakes - not hide them.
One big customer actually decided to hire their own security firm to do penetration tests and handed us the report. We could see they had really struggled to find something and those comments they had we knew about and had decided not to change it as it was a negligible threat and would take away features from the end user.
Security is hard, everyone should do their homework like we do!
Pro tips for your overall security strategies:
- Take outside help, home grown security can be good, but good doesn’t cut it against today's threats.
- Have security in mind from the ground up. From design of hardware all the way to the software layer and your internal processes.
- Make sure everyone understands what we’re aiming for and what is expected of them.
- Continuously improve security. Encourage and lift up good examples, foster a good security culture.
- Keep an eye on what is happening on the threat horizon. Sometimes there are paradigm shifts that require rapid action.