Security by Design – let's keep you sharp
They’re the big bogeys of online. We’re talking about the faceless hackers ready to compromise your infrastructure and exploit either technical or human liabilities, of course.
Security is a hygiene parameter for any business of any size. You simply cannot afford not to pay attention.
Every device that is connected to the internet is a potential target for hackers and bad actors. Thus, keeping up with the latest software updates and security patches for an increasing amount of critical IT infrastructure and servers is a growing concern.
The best way to mitigate the threats of bad actors compromising your infrastructure is simply to not expose your infrastructure to the internet.
If your infrastructure and servers are not exposed on the internet, you radically reduce the risk of being targeted by hackers that exploit known vulnerabilities in your software.
Let Enterspeed shield you
Enterspeed subscribes to the Security by design approach.
Our decoupled architecture effectively shields your servers and backend systems from being exposed on the internet.
When you push your data to Enterspeed’s Ingest API, only the data that you actively choose to send to Enterspeed is made available on the internet. But even more importantly – all data is served from Enterspeed. Thus, not a single request ever touches your backend systems. Hackers can’t break into systems, that they can’t connect to.
So, how secure by Design are you, if you opt for Enterspeed – and use our Speed Layer as prescribed?
One of the most referenced overviews of website security risks is the OWASP Top 10. Enterspeed is of course not a silver bullet that will eliminate all security threats for your websites and web applications. In the following we will highlight the categories of the 2021 OWASP Top 10 that Enterspeed do help you cross off your security check list.
Injection attacks 💉
Injection attacks are relatively common and placed on the number 3 spot on the OWASP Top 10. Malicious actors can use injection attacks to gain unauthorized access to data or cause data corruption. Attacks happen when an attacker successfully inject specially crafted bits of code into the data, that the application processes. Every software engineer is trained in validating user input, before parsing it into the application and the underlying databases. But mistakes happen and many web applications are latently at risk.
Enterspeed is designed in a way that first and foremost shields your own applications from even getting any requests, so attackers won’t even try. Secondly, Enterspeed is designed in way that separates the writing of data from the reading of data. Therefor is the data you have in the Enterspeed Delivery API “read only” and cannot be tampered with by malicious actors. Thirdly, by design the Enterspeed Delivery API a small piece software with only a limited number of entry points for attackers. This allows us to carefully review and test the application code in all the potentially sensitive areas and very effectively limit the risk of injection attacks.
Insecure design 🛠️
The number 4 spot on the OWASP list is insecure design. It is a new category for 2021 and despite of it being very broad, it is not a catch all categories. When discussing this category, it is important to distinguish between design flaws and implementation flaws – a good design can be implemented wrong, but a perfect implementation cannot fix a bad design.
When describing a secure design, OWASP talks about culture, methodology, and the software development life cycle. With this lens there is no easy fix to a secure design. Instead, it’s about how you approach software engineering. On this broad point, we want to highlight a couple of practical principles in the context of Enterspeed.
Of course, this risk is a reiteration of the main point of this article: by decoupling your backend systems, you shield your backend applications from the scary internet. When designing with security in mind, an important principle is to only allow access to resources that need to be reached from the outside. We do not want to go into details on network design in this article, but only point out that the push model of Enterspeed is very well suited for integrations that has high requirements for network security.
Another important principle is using existing components. Developing software is in and of itself hard work, and security considerations is an unnegotiable requirement in today’s world. The more standard software and services that can be used, the less risks of creating an insecure design. We believe this is especially true in the realm of “last mile delivery”. This is where the software is most at risk for malicious activity, whether it is unauthorised access or denial of service attacks.
Vulnerable and Outdated Components 💾
Moving on to number 6 on the OWASP list: Vulnerable and Outdated Components. Running a website often has tens or hundreds of different components – some of these components are critical for security of a website. Just like your operating systems needs updates, so does the software that serves a website. For any organisation that operates even a few numberds of servers, it requires time and effort to keep these running with the latest security updates applied.
One of the benefits by utilising a SaaS service such as Enterspeed, is that you do not need to worry about the updating Enterspeed. Enterspeed is a 100 % management service, and it is our responsibility to update the components.
We can also let you in on a little secret… Under the hood, Enterspeed is also build on fully managed services. Nobody wants to spend their engineering budget on upgrading the underlying components. Well, we don’t –and neither should you.
20 years of experience with web technology and software engineering. Loves candy, cake, and coaching soccer.