Tag Archives: Highly secure software development

Biometric authentication methods vs passwords – stay up to date

We have already written and also made practical recommendations here on how to establish secure third-party software development. Today, we want to dwell on one rapidly developing aspect of security, and not only in software development but also in your business – this is biometric access to data, information, equipment, work-space. Companies are paying more and more attention to risk management, therefore, to ensure a higher level of security, in an increasing number of systems are used cost-effective biometric readers, crowding out access card readers and keyboards for entering passwords. This affected the willingness of hard and software manufacturers to develop the industry and technology. The use of biometric technologies is not just fast authentication, but also the main security tool.

For example, Microsoft employees authenticate using biometric data and at the same time, British banks use fingerprints to authorize purchases. Biometric identification is optimal not only as the choice of reliable protection for enterprises, employees and consumers but also reliably protects itself from failures and break-ins, always leaving the security of personal data in the first place.

Biometric access control and management systems allow people to be recognized by their physical individual characteristics. Thus, the quality of control and security of the system is significantly increased, the risk of unauthorized entry and fraud of the system is reduced.

Biometric Identification Methods

There are static, based on the identification of the physiological characteristics of a person being with him throughout his life:

  • by fingerprint or palm
  • facial features
  • by the eye retina 
  • according to the pattern of veins
  • by hand geometry
  • by DNA.

And there are dynamic methods take as a basis the identification of the behavioral characteristics of people, namely, subconscious movements in the process of repeating any everyday action:

  • by voice
  • by handwriting
  • by keyboard handwriting
  • by a walk.

For example, one of the priority types of behavioral biometrics used in safe development is the keyboard style of typing. When determining it, the printing speed, pressure on the keys, the duration of pressing the key, the time intervals between presses are fixed. A separate biometric factor is a manner in which the mouse is used. In addition, behavioral biometrics cover a large number of factors that are not related to the computer – for example gait, especially the way a person gets upstairs. There are also combined identification systems using several biometric characteristics that can satisfy the most stringent requirements for the reliability and security of access control systems.

What is the basis of biometric security?

Using biometrics for authentication will work when passwords will be excluded from the authentication process. This is the main step towards access control without a password. If the system still has a password in the background, then there remains the risk of data hacking.

The company will only be able to experience the benefits of passwordless authentication if biometrics are used for security and not for convenience. When an organization removes passwords from the authentication process, the task of creating a password, entering a combination, and resetting is eliminated. When recognizing a person without a password, the only authentication method is to use a combination of biometric data.

The main parameters for evaluating any biometric system are:

FAR (False Acceptance Rate) – false pass coefficient, i.e. the percentage of situations when the system allows access to a user who is not registered in the system.

FRR (False Rejection Rate) – false failure rate, i.e. denial of access to the real user of the system.

Both characteristics are obtained by calculation based on the methods of mathematical statistics. The lower these indicators, the more accurate the recognition of the object.

Why are passwords not strong?

As long as passwords exist, hackers will not stop developing new methods of personal data capturing. There are many ways to steal a password and break into the security system. With a biometric image, everything is different – it cannot be directly entered into the reader. To deceive technology based on an image or a fingerprint, an attacker must make a good cast, and not the fact that he will be able to deceive the technology.

It is worth mentioning that biometric authentication systems are additionally protected from fraud. For example, “liveness detection” technology recognizes an alive user, during identification, a person needs to blink or move his fingers. Thus, the person proves that authentication occurs in real time. The percentage of similarity with the biometric control template is determined. If the algorithm does not recognize the person, the so-called “anomaly module” is included in the work, which analyzes the causes of the non-compliance and sends a notification to the security service in the event of a fraud threat. This approach allows you to block fraudsters within a few seconds.

Biometry in terms of quarantine

A few months ago, special attention was paid to contactless authentication only at facilities with high sanitary and hygienic requirements (medicine, food industry, research institutes, and laboratories). In the context of quarantine, it became obvious that the share of contactless authentication will grow quite quickly. This method provides many advantages of using biometric methods in physical security systems. In addition, the ability to identify a remote object speeds up the verification process, which is important for high-flow systems. Particularly effective methods that capture the biometric characteristics of the object at a great distance and during movement. For example, the future is in contactless hoop prints. With the proliferation of megapixel surveillance cameras, the implementation of this principle of operation is becoming easier.

Biometric authentication benefits

High accuracy of identification of the person undergoing control.

The difficulty of falsifying biometric features.

A high degree of reliability, since the biometric identifier cannot be forgotten as a password, lost as a plastic card, or use someone else’s data or a pass.

Ample opportunities for automating processes, and, as a result, reducing costs, for example, for security, administration, maintaining file cabinets and databases, for issuing, replacing, “flashing” access cards, passes, forms, cards, etc.

 

Thus, the use of a biometric access control system allows you to not only manage and control access to the object and data, increase its safety and security, keep accurate records of working hours, but also automate many processes of the organization and optimize costs.

Secured software development. A step-by-step guide.

Should I give development to a remote team? Today everyone felt how difficult it is to put together an in-house development team. And not always an in-house team is a possible way out. There are plenty of situations when connecting a remote, ready for rapid start team is a necessity. Organizing the proper and completely safe development on your own side requires significant financial investments in technical equipment and in-depth study of the subject and when you are on deadlines for the implementation of new modules, this is ultimately not an option at all.

If we are talking about the development by a third-party contractor – outsource. How to verify his decency and competence? Can a contractor provide complete security? Is it possible to ensure the necessary level of security by working with a remote team? What must be spelled out in the contract? And what will it take to sleep soundly? 

Let’s sift all the factors through. And you will be sure about your actions. What we recommend doing to ensure safe development and how processes should be configured. We divided all basic security measures within the contractor’s company into organizational and purely technical.

 

Organizational security measures.

Staff recruitment. In the case of data or equipment theft, unauthorized information access or interference in the system there is the risk to the profit lost and financial losses. In addition, there is a chance to lose key employees and teamwork. Without them, it is difficult to survive the crisis, restore the image and positive dynamics of enterprise development and revenue growth. Thus, the person, developer, manager is the main factor. We advise you carefully to select team members, empower the security department to collect feedback from previous jobs and customer reviews.

NDA (non-disclosure agreement) – an agreement with the customer. This is not about a common NDA. In projects with high data security requirements, it is necessary to sign an agreement with each team worker who has production data access. This applies to non-disclosure, confidentiality, and liability of all involved parties.

Organization of workspace access. When it comes to ensuring the business and employees’ safety, an access control system is the most effective way to prevent unauthorized entry, restrict some employees’ entrance to prohibited areas and control the access of the whole team. We strongly recommend organizing automated access control to the territory and to the internal premises of the office for employees and visitors taking into account the assigned access rights. An important element of security is the global re-entry control, which allows you to stop the pass usage after it is transferred to unauthorized persons or as a result of an abduction.

Regulated access to personal computers. Reliable identity recognition is critical if you need to control the users’ access rights to certain information in order to prevent its damage or loss. In our practice, we have come to the use of computers with biometric authorization. Using biometric readers, we can see who and when used this or that computer, entered the server or other room. Face recognition authorization prevents illegal access to a working computer, even if access codes have been stolen. Another point concerning the main biometric characteristics that allow identification is the analysis of keyboard handwriting. The system collects information about each employee: analyzes the speed of keystrokes, pauses between keystrokes and hold time. It creates an individual portrait. If a third party uses an access code, for example, another employee or an attacker, the system will be able to respond to an unauthorized attempt to enter by notifying a security specialist or denying data access.

Monitoring and each user activity analysis within the network using special systems. First of all, this system determines the possible risks: which employee works with valuable information, what applications he uses, whom he communicates to. Thanks to the algorithm’s actions, it is possible to predict the potential risk of the company if the employee is unreliable and also to predict risks and find potential “holes” in the information security system. Вehavior that deviates from the individual norm is a signal about a violation of the security perimeter.

Video surveillance is an essential part of a modern security system. Companies want more and more to protect themselves from unwanted intrusions and attacks. Video surveillance is an information system that provides visual information that allows you to either restore the picture of an incident or get the necessary data about events, processes, and people. The job profile directs whom, how and under what circumstances it is possible to report personal data (custom credentials) for corporate networks connecting. Instruction is an integral aspect of high-quality and reliable development.

Passing specialized courses and owning certificates for software development. Teamwork experience in accordance with standards: SEC, FINRA, SOC 2, ISO / IEC and others. Choosing the contractor company, be sure to ask: what certificates does the team have to speed up the creation of safe development processes.

 

Technical security measures.

Distributed data access rights. An obligatory component of development security is access rights (permissions/restrictions) for working with databases. They are necessarily distributed by assigning predefined roles to users and groups. The impossibility of copying and making changes to the data is ensured. There is also developers’ restriction of access to the test environment and to version management.

Securing your local infrastructure. The local infrastructure allows you to quickly test and debug features. When developers produce new features, they can access production data through an intermediate unit using a secure VPN connection. We also recommend that you configure secure VPN access for external (trusted) services and servers. Staging boxing is not a universal solution in testing, as the process becomes too complicated. Sometimes you may need to deploy a local test environment. Keep in mind that to eliminate internal threats of data corruption, it is worth recording all actions. It is also advisable to limit the transfer of data outside the company network and storage on an external media.

Encryption. All stored on computers and laptops data must be so encrypted that even in the event of theft they cannot be used. It is necessary to provide data encryption protocols, encryption of the transfer protocol of integration buses, and so on.

Architectural solutions, architectural protection – personalization and posting information are separated. For example, in medicine, this may be the storage of personal information about the patient separately from the history of his illness.

Production Data should be denominated so that it is impossible to trace the data owners.

Code-based security. According to statistics, most sites and software are vulnerable due to errors in the code. The code can be checked with a third-party company, but this is an additional cost. The ideal option is the implementation of safe development tools on the contractor’s side. Requirements for code verification and safe development should be included in technical requirements. For example, it should include: conducting static code analysis at the development stage and code acceptance within the SDLC. Dynamic analysis (DAST-analysis, Dynamic Application Security Testing) of developed applications. Conducting an analysis to search for the so-called zero-day vulnerabilities, whose signatures and patterns are unknown. While transferring the finished software, should be prepared a report for the analysis of its security. On the developer’s side should be the analyzer adapted for embedding into the development environment, thereby providing the ability to check the code for vulnerabilities at each stage of the software life cycle. It’s enough for the client to have the same analyzer as the developer, but already in a lighter desktop version that just checks the final result (ready-made application).

What is worth noting? This is not a complete list of steps that can be taken to organize safe software development. We will be very happy to tell you more. If you have any questions remaining unresolved, please ask us and let’s share experiences and improve development security.