Many people ask why good UX is crucial to their business when they do not…
Data security is an essential theme for any project. When it comes to international projects, the challenge of maintaining good security practices is doubled as we deal with greater distance from servers.
The risks include not only hacking, but social engineering as a whole. Even the people involved in the project and employees of the company can act in a malicious way, risking the entire reputation of brands and, above all, the safety of users.
To illustrate how it is possible to implement good security practices in international projects, we brought the technical case of the client located in the United States. DB1, based in Brazil, has been serving this client since 2020. Get to know this story!
The problems of using distant VMs
At the beginning of the project, the customer made virtual machines (VM) available through the Amazon WorkSpaces service for the DB1 developer team to work remotely. Amazon WorkSpaces is a fully managed, persistent desktop virtualization service that allows remote users to access the data, applications, and resources they need.
Amazon WorkSpaces is deployed on an Amazon Virtual Private Network (VPC), which in this case was the same VPC used by the customer. This raised several problems and risks, mainly in terms of end-points.
We had latency issues when working because the VMs stay on Amazon’s American server. We tried using a Brazilian VM. This was a slight improvement, but we needed to use the VPN to connect to the client’s VPC, which ended up causing productivity problems as well.
Another issue is that this process did not pay off in terms of security. The use of VMs does not prevent a person with bad intentions from stealing information, since it is enough to access and take prints of the data.
The solution: VPN directly in the cloud and tokens for authentication
The DB1 team had a meeting with this client and suggested the replacement of VDI’s use by direct VPN in the Amazon cloud. When services are centralized within the same cloud, we can create protection barriers and raise the issue of data security and protection.
In addition to VPN protection, we have implemented better authorization frameworks with the use of JWT format tokens. This was intended to address an issue with APIs, which did not have authentications, that were previously built for the client. The risk of this failure is that anyone with access to the API would be able to access the end-point and query information from the client consultants. With JWT token authentications, we were able to limit this access only to those who are authorized.
Usually, companies have several services that fuel their mobile and browser systems in different ways. It is important that these various services are centralized on one gateway. Today, we are able to put security mechanisms directly into the gateway instead of replicating security for each end-point.
All other services beyond the gateway are private and protected by the VPC, with no external access.
Thus, we build security against:
● DDOS attacks: with the use of the gateway, we can control multiple DDOS attacks on a single service;
● SQL Injection: this is an old practice of malicious people to manipulate data in general, including deleting the entire database. DB1 works with high-level tools such as .NET, Java, and Go Lang that natively bring security against this type of attack;
● Cross-site Scripting (XSS): in this type of attack, someone can download your website and change the code by injecting client-side scripts. With the use of a VPN and JWT token, we do not have any loopholes that would allow this to happen. We use restrictive CORS policies to prevent this type of attack.
Security is a constant: How are we protecting ourselves in the long run?
In addition to the above-mentioned implementations which we are starting with in the project, we are also engaged in the constant validation of libraries. On the front-end, we use widespread libraries in the market to speed it up and avoid rework. The risk of libraries is to use them without the security criterion. Here at DB1, we run validations to find the libraries updated with new secure versions. We will update the client’s front-end libraries, revisiting them periodically. With these constant updates, we avoid attack gaps. We also use tools for front-end vulnerability scans to prevent attacks.
Another DB1 practice that aims at constant security of all projects is a security testing process that includes the simulation of attacks. On our team, we have professional security experts who run test attacks on projects to check for threats and possible vulnerabilities. In this way, we can anticipate risks and apply effective protective measures.
Security testing has an enormous importance for applications as it ensures that sensitive data remains confidential. In this type of test, the expert plays the role of the various types of attackers (hackers, crackers, ethical hackers, and script kiddies) to find bugs related to the security of the system. When it comes to social engineering, security testing is a must to protect data.
“New security tools arise in the market all the time, and with them, new forms of attacks as well. Unfortunately, there is no silver bullet to protect a system 100%, so here at DB1 we treat security as culture, always looking for new ways to protect our customers data.”- Jaime Yule Jacobson, developer and technical leader at DB1 Global Software.