Doreen Mokoena, CEO of CyberSec Clinique delivered a thought provoking, illuminating, yet bespoke 4IR Marsterclass session on cyber proof solutions .
Evolved as it may be, technology revolution doesn’t automatically come with built in cyber security system or measures.
Security hacking is widespread, even some of the well-known, blue-chip companies have fallen victim to website security breaches, despite their sophisticated and high-tech technology systems in place. Hackers are keeping ahead of the curve and are constantly sharpening their skills with the latest trends in technology.
In addition, the speed at which the industrial revolution is evolving may leave some companies vulnerable due to system upgrade delays. A lot could be learned from what happened to Transnet, celebrities and most of our banking service providers. Such incidents could be avoided with proper implementation of secure coding standards and best practices, especially for start-ups.
Most companies and individuals develop online solutions without having security in mind which can be detrimental to the organisation in the long run. From inception of the solution, one should think about how client’s information will be protected. Hackers target vulnerabilities.
There are five ways involved in common weakness enumeration (CME) which includes improper limitation of a pathname to a restricted directory, unrestricted upload of file with dangerous type and improper input validation. This is when one creates a document to be loaded to the system, they should make it a PDF to disallow other users to access it. The other two are neutralization of input during webpage generation as well as exposure of sensitive information to an unauthorized user. Hence, not everyone should have rights to system access. It is disadvantageous to build a website that can allow everyone access to authorize.
In applying secure coding standards that are compliant, there are three standards that needs to be used. The first one is IEC 62443, it’s a set of security code used to defend the industrial networks against cybersecurity threats. It’s followed by PA-DSS standard which applies to the development of payment application software. Lastly, it is the CVE standard which provides a list of cybersecurity vulnerabilities and exposures found in a specific software product.
Of importance to note, even with the above standards set in place, you will never know how vulnerable your solution/website is until you run the test. There are also top coding practices that needs to be followed to assist with risk mitigation. You need to validate input, adhere to the principle of least privilege and sanitize (permanently delete) data sent to other systems. Practice defence in depth by exploiting the code to test the system. Always store the design and security coding standards from architectural staff. Adopt a secure coding standard where you model threats in order for you to identify possible threats of your developed site.
Thou shall be compliant by default. Some people may not know this, but South Africa has an existing law that protects millions of people from having their personal information misused or stolen online. South Africa has about condition of such laws, but most important ones are POPIA Act, Electronic Communications and Transact Act as well as Cybercrimes Bill. It is critical to have privacy policy or cookies for your website.
Another key element to remember is to get a scope from the developer of your platform and clarify who owns the code, given that it’s your intellectual property. You should also get a legal representative involved before the system gets deployed and have non-disclosure documents signed. Have plans in place as well as a holding statement that will inform client, should your business encounter cyber hacking. Also Inform policy and risk departments for a seamless risk management process.
In conclusion, the developer needs to have a strong understanding of how to apply secure coding standards and the use of top coding practices. Investing in a higher quality code will yield better site security in a long run.