8 min read

6 Essential Data Security Practices for Your Software Development Process

Phishing attacks, data leaks, ransomware infections… All of this can happen with any business that doesn’t pay enough attention to secure product development. To help you stay on the safe side, we compiled a list of the most common security risks to watch out for and 6 data security practices to adopt.
Written by
Jannis Rufatti
Published on
February 27, 2024
Read time
8 min read

In January 2023, the U.K. Royal Mail got hit by ransomware, forcing the company to stop sending letters and parcels overseas. Although initiated by a phishing attack, this incident could have been avoided if the company had implemented robust authentication measures across all its services. But instead, they had legacy systems in place – and there is nothing more vulnerable than legacy technology.

Today every organization, big and small, faces security challenges. To overcome these challenges, it’s not enough to teach your employees to be careful and avoid clicking on suspicious links. Security needs to be an integral element of your SDLC (Software Development Lifecycle).

In this article, we’ll talk about what secure SDLC is and offer 6 security best practices supported by examples from our experience.

What is the Secure Software Development Lifecycle (SSDLC)?

Secure Software Development Lifecycle is a systematic approach to integrating security into the software development process, often achieved by adopting a security-by-design practice. Rather than treating security as an add-on at later stages, development teams take a proactive approach and integrate security from the very start.

By identifying and mitigating security risks early in the development process, development teams can reduce the likelihood of security vulnerabilities and breaches in the final product.

At Modeso, we start our development process with security in mind, meaning we define security risks yet at the requirements stage to protect our clients’ data and avoid reputational risks. This is how we build software that is resilient and secure – as demonstrated in our recent projects.

Taking security risks into account is a must-have in software development. But what risks are we talking about?

The most common security risks to look out for

Insecure data storage, low-quality code, outdated infrastructure, and the list goes on. The way your software is built often determines whether it will suffer from vulnerabilities and let in threats. Here are the most common security risks we often come across in our work:

Legacy software

Outdated technology, lack of support, insecure code, compliance issues, and limited integration ‒ that’s what we call a classic legacy software system. So it doesn’t come as a surprise that it’s an easy target for security threats. The same can be said about software lacking regular maintenance ‒ such systems are also in danger of being attacked.

Poorly written code

When code lacks clarity, organization, and adherence to the best practices such as input validation, output encoding, error handling, and more, it becomes more prone to security vulnerabilities and flaws.

Insecure authentication and authorization mechanisms

Weak authentication practices, such as inadequate password policies or storing credentials improperly, open the path for hackers to gain unauthorized access to sensitive data or functionalities.

Vulnerable third-party services

If your software requires third-party integrations, it’s necessary to evaluate how secure these third parties are. Their flaws might serve as an entry point for attackers to gain access to your sensitive data.

Insecure storage

When data is stored insecurely, it becomes vulnerable to unauthorized access, manipulation, or theft by malicious actors. What’s more, it can lead to compliance violations resulting in severe penalties, fines, and legal consequences for an organization.

Core principles to secure your data

To mitigate security risks for our clients and safeguard their sensitive data, we set up a secure SDLC characterized by the following practices:

Practice 1: Follow OWASP standards

OWASP, or Open Web Application Security Project, is a non-profit foundation that provides free tools and documentation to build and maintain secure web applications. Its resources include OWASP API Security Top 10, a comprehensive guide that assists developers and organizations in prioritizing security measures and mitigating the most impactful security risks of application programming interfaces. Here’s the 2023 update of OWASP API Security Top 10:

API Security Top 10 2023
API1:2023 - Broken Object Level Authorization
API2:2023 - Broken Authentication
API3:2023 - Broken Object Property Level Authorization
API4:2023 - Unrestricted Resource Consumption
API5:2023 - Broken Function Level Authorization
API6:2023 - Unrestricted Access to Sensitive Business Flows
API7:2023 - Server Side Request Forgery
API8:2023 - Security Misconfiguration
API9:2023 - Improper Inventory Management
API10:2023 - Unsafe Consumption of APIs

For a better understanding, let’s look closer at one of the risks outlined ‒ Broken Authentication. OWASP provides a comprehensive overview of the vulnerability itself, including ways to prevent it, threat agents, security weaknesses, impacts, example attack scenarios, and more. By thoroughly examining the risk, developers can adopt proactive measures to mitigate its impact during the development process.

Now, let’s see how prioritizing security standards was put into action in our collaboration with Würth Financial Services, Switzerland's leading insurance broker, and TWINT, the most popular payment app in the country.

We joined the project to help develop Insurhub – an app that aggregates insurance products from various providers and offers them to private clients through the TWINT app.

Security was a top priority for Insurhub, given the sensitive nature of payment information and user data. To protect sensitive information, we used encryption and stringent access controls to ensure that unauthorized access is prevented, while our code changes underwent thorough review processes to maintain integrity.

Practice 2: Perform penetration tests for systems dealing with sensitive data

Penetration testing, or simply pen testing, involves simulating real-world cyberattacks on a computer system, network, or application to identify vulnerabilities and weaknesses. By testing the security measures implemented in the software, pen testing evaluates their effectiveness in mitigating cyber threats and protecting data assets.

Not every project requires penetration testing. It's more common in fintech and medtech where sensitive user data is at stake. Because penetration testing requires specialized expertise in place, we usually engage a reliable third-party partner to conduct it for our clients.

When working with TWINT on three other projects ‒ Digital Voucher, Super Deals, and Storefinder – our security measures included penetration tests. To identify potential security vulnerabilities, our partners conducted tests covering a range of aspects, including network configurations, application vulnerabilities, and user access controls.

Practice 3: Choose a secure integration strategy

To mitigate risks associated with connecting disparate systems, applications, or networks, it’s essential to choose a secure integration strategy. It ensures that sensitive data transferred between systems remains protected from unauthorized access or interception. Organizations can safeguard data integrity and confidentiality by implementing encryption, access controls, and secure communication protocols.

We always have contractual obligations with third-party systems or services we integrate with, so such integrations are unlikely to pose any threats. We also implement authentication mechanisms like token-based and permission-based authentication to protect valuable data and secure its transfer. To identify vulnerabilities in dependencies, we use Dependabot. It scans the default branch of the repository to detect insecure dependencies and sends alerts so that a package is updated to a secure version or replaced with a secure alternative.

While integration partners may not always pose a threat, there are situations where risks may come from the company's internal legacy systems. This is often the case in projects requiring the modernization of existing software while maintaining necessary integrations with legacy systems.

For example, in our collaboration with Albin Kistler, a prominent wealth manager in Switzerland, we needed to rebuild their custom-made database into a modern platform for investment portfolio analysis. The existing system relied on the outdated infrastructure which posed, among other things, security vulnerabilities. To eliminate security risks, we hosted the platform on a private cloud and implemented robust data validation measures when migrating data from the legacy system to the newly implemented solution.

Practice 4: Secure data storage

The data storage you choose plays a crucial role in safeguarding against data breaches and unauthorized access. Implementing secure data storage involves employing encryption techniques to protect data both at rest and in transit. Access controls and authentication mechanisms should be established to restrict unauthorized access to stored data. Regular data backups and disaster recovery plans should also be in place to mitigate the impact of potential data loss incidents.

Choosing reputable hosting providers with robust security measures and compliance certifications, such as AWS and GCP, can further enhance data protection efforts.

When considering where to host data, it's crucial to prioritize locations that offer added legal and regulatory protections. Typically, we opt for GCP and AWS as our cloud providers. Given that most of our clients are situated in Switzerland, we store their data in data centers located within the country.

Practice 5: Access control and permissions

Limiting access to critical assets means controlling who can reach sensitive data or important systems. Let’s say your system has three user roles ‒ an administrator, manager, and employee. An administrator has full access to all system resources, settings, and functionalities, while a manager can access solely system resources and data related to their department. An employee, in turn, has access only to essential tools, applications, and data required to perform their direct job responsibilities.

To confirm someone’s identity before letting them in, developers usually use methods like passwords, biometrics, or multi-factor authentication. This way, they keep valuable data safe and make sure it stays private and accessible only to those who should have it.

We implement permission-based access control on almost every project we work with. One example is our collaboration with Rietman & Partner, a Swiss auditor and tax consultant.

Here we needed to develop a custom system that streamlines the company's auditing procedures. The core functionality of the system revolves around a set of rules governing the audit workflow. To safeguard data privacy and integrity, we established access controls where different user roles, such as auditors and lead auditors, can be allocated specific permissions for visibility and editing privileges, ensuring users engage solely with data relevant to their responsibilities.

Practice 6: Automate security with DevSecOps

To ensure the continuous delivery of secure software, you can integrate security practices into your DevOps workflow. This practice is called DevSecOps, and it's a great way to automate security processes throughout your software development lifecycle. It allows you to identify and remediate security vulnerabilities more efficiently.

DevSecOps includes incorporating security checks and tests into the CI/CD pipeline, such as static code analysis, vulnerability scanning, and automated penetration testing. Automated security tools can enforce compliance with security policies and standards, ensuring that security is not overlooked during the development process.

By adopting DevSecOps practices, software development teams can proactively address security concerns while maintaining the agility and speed of the DevOps approach.

Develop secure software with Modeso

In conclusion, developing secure software requires a holistic approach that prioritizes security throughout the SDLC. By adhering to best practices and leveraging our expertise at Modeso, you can ensure that your software remains resilient and protected against evolving security threats. Contact us if you're interested in building scalable and secure custom applications in line with security best practices.

Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Read about our privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Header image

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.