Developments in cybercrime show that we need to protect ourselves. In Germany alone, an estimated 17.7 million people fell victim to hacker attacks in 2019, with financial damage of around 100 billion euros. Two years on, no official figures are available yet, but there is no reason to assume the situation has eased.
So it’s not just caution that’s needed, but precaution. It is no longer enough to establish secure connections and install antivirus software. Nor does data encryption alone provide sufficient protection. Rather, IT security today must be thought of holistically – as a declared goal and integral component of every single software project – from the very beginning, along the entire software life cycle.
Reputation and success
After all, IT security has a direct impact on a company’s reputation. If you know how to protect your systems, you also protect their users: employees, partners and customers. If you “lose” their data, you also lose their trust in your own digital competence.
To be fair: There is no such thing as absolute certainty or ultimate security. We can all become the target of such attacks. What there is, however, is the responsibility to set high security standards and to make the success of cyberattacks as unlikely as possible or to reduce their damage to a minimum.
We at Micromata stand for a holistic security approach – from A as in requirements analysis to Z as in a future-proof security concept. The repeated certification by the German Association of the Automotive Industry (VDA) confirms us in this course:
The VDA’s TISAX certificate is based on a binding catalog of criteria developed on the basis of the industry standard ISO/IEC 27001. TISAX certification is preceded by an assessment by an audit provider accredited for this purpose by the ENX Association (European Network Exchange), the association of European automotive manufacturers, suppliers and industry bodies. In addition to the security of the tools and technologies used, the infrastructure and hardware, the operational processes, the ability to act in the event of an attack and the behavior of employees (security compliance and policy, security training, etc.) are also assessed.
What we do to ensure TISAX’s high security standards in projects for other industries is briefly outlined below.
Of all web application vulnerabilities, SQL injection is considered among the most common and most dangerous, but NoSQL injection, cross-site request forgery (CSRF) and brute-force attacks on logins are real threats as well. To counter them, we harden our applications and infrastructure using proven best practices tailored to each scenario. Alongside the standards of the respective customer, the recommendations of OWASP, a global leader in identifying and eliminating security vulnerabilities, also play a role.
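To make the SQL injection point above concrete, here is an added example (not code from the original article or from Micromata) showing the vulnerable pattern next to its hardened form. It uses Python’s built-in sqlite3 module with a constructed in-memory user table, so it runs offline; the table contents and the payload are illustrative assumptions.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the attacker-controlled string is pasted into the SQL text,
    so quote characters in it change the structure of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """HARDENED: a bound parameter is passed to the driver as data and is
    never parsed as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: turns the WHERE clause into  '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo():
    conn = build_db()
    leaked = find_user_vulnerable(conn, PAYLOAD)   # returns every row
    blocked = find_user_safe(conn, PAYLOAD)        # returns nothing
    return len(leaked), len(blocked)


if __name__ == "__main__":
    rows_leaked, rows_blocked = demo()
    print(f"vulnerable query returned {rows_leaked} rows, hardened query {rows_blocked}")
```

The same rule applies to NoSQL stores and ORMs: never assemble a query by string concatenation from user input; pass values through the driver’s parameter binding (or the ORM’s query builder) so that the data channel and the code channel stay separate.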
We cannot emphasize enough how important professional pentesting is. Depending on the customer’s business case, it can be tailored quite individually. Our know-how ranges from setting up a valid test environment, to classic black-box and white-box analyses and source code reviews, to practical recommendations for closing security gaps quickly. Whether the tests are automated or performed manually depends on the respective engagement, and the two can be combined. In any case, careful pentesting significantly increases the security of web applications.
Security by Design
Good user experience design can also demonstrably contribute to data security in web applications, especially where authentication is concerned. However much responsibility each individual bears for behaving securely online, it is good customer orientation not to leave users entirely to their own devices. Experience shows that there is a long way from understanding the need for secure routines to actually practicing them, if that happens at all. Here are a few examples of what web providers can do to protect their users, at least as long as the password era lasts. Whether and to what extent we implement these measures depends on the wishes of the respective customer, but it is always possible:
- Store passwords only as salted hashes produced by a slow password-hashing function1
- Integrate a password generator into the registration form2
- Automatically check passwords against leak databases at each login3
- Avoid social login (third-party single sign-on) as a matter of principle4
- Make multi-factor authentication a binding standard5
- Ask sensible security questions, or replace them with trustworthy factors6
- Replace automated e-mails with secure alternatives7
The good news is that the password age is coming to an end. We are already testing ways to do without them in the future. There are already promising solutions such as the WebAuthn API as part of the FIDO2 specifications. You will be hearing more about this from us in the future.
1 This way the passwords themselves cannot be read even if the database leaks, and a slow hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) makes offline guessing expensive.
2 If use of the generator is voluntary, it will remain a rarity.
3 For example with the help of the Pwned Passwords database from haveibeenpwned.com. If the password turns up in a leak, the affected person(s) get automated feedback.
4 Even though the options “Log in with Google or Facebook” are attractive for the provider and convenient for the user, the user hands over the master key to multiple accounts.
5 2FA has still not gained widespread acceptance.
6 The name of a pet or a date of birth, for example, are far too easy to find out through doxing.
7 Fake and booby-trapped e-mails are the main gateway for phishing and the like. If you want to be on the safe side, do without them.
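Items 1 and 3 of the list above (salted slow hashing, and checking passwords against a leak database at login) can be combined in a few dozen lines. The following is an added example, not code from the original article or from Micromata. It uses PBKDF2-HMAC-SHA256 from the Python standard library (bcrypt or Argon2 would be equally valid choices) and the k-anonymity scheme of the Pwned Passwords range API, where the client sends only the first five hex characters of the SHA-1 of the password and compares the remaining 35 characters locally against the returned list. The range response embedded below is constructed sample data, not a real server answer; the iteration count, hash string format and the `login` return values are assumptions made for the example.

```python
import hashlib
import hmac
import os
import urllib.request

# Iteration count in the range OWASP recommends for PBKDF2-HMAC-SHA256 (assumption for this example).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Item 1: salted, slow hash. Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hibp_prefix_and_suffix(password):
    """Item 3: only the 5-character prefix ever leaves the server (k-anonymity)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def fetch_range(prefix):
    """Live lookup against the Pwned Passwords range API (needs network; not used in the demo)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_response):
    """Match the local 35-character suffix against the '<SUFFIX>:<COUNT>' lines of a range response."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6);
# the counts are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def login(password, stored_hash, range_response):
    """Verify first, then warn if the (correct) password is known to be leaked."""
    if not verify_password(password, stored_hash):
        return "denied"
    if breach_count(password, range_response) > 0:
        return "ok-but-leaked"   # trigger the automated feedback / forced reset from item 3
    return "ok"


if __name__ == "__main__":
    stored = hash_password("password")
    print(login("password", stored, SAMPLE_RANGE_5BAA6))   # ok-but-leaked
```

In production the range for the prefix would come from `fetch_range`, the check would be rate-limited like any other login step, and a leaked password should lead to a forced change rather than only a warning.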
IT Security Team
Most of our readers will already know Micromata’s IT security team: they make sure we always keep our finger on the pulse of security technology. To this end, they not only continuously monitor the threat landscape with the help of the relevant OWASP publications, but also select suitable tools for preventing and closing security gaps, conduct training for customers and employees, and take care of certifications in this area.
To support the IT security team in its work, since 2019 there have been so-called security champions in each project team who anchor our security expertise even more efficiently in the teams – be it specific approaches to programming, testing and selecting concrete technologies, or advising our customers on the matter. As they are directly involved in the projects, they can also identify potential incidents more quickly and further significantly reduce response times.
IT Security Meetup Kassel
The IT Security Meetup Kassel is a network of experts and interested parties on the topic of IT security. Everyone is invited who deals with IT security issues professionally or out of personal interest and wants to enter into a professional exchange with like-minded people. Since its foundation, the ITSMKS has developed into an institution with international speakers and audience, from whose lively know-how transfer also our customers benefit. Micromata co-founded the ITSMKS in 2016 and has been its host ever since.
Investing in software security means investing in customer trust. As a digitization partner with many years of expertise in IT security, we recommend a three-part approach: 1. the safety and security of all hardware and software components used, 2. supporting users with sensible default settings, for example in authentication, and 3. constant monitoring of the threat landscape, including building the corresponding awareness and behavior in one’s own company. We would be happy to advise you!