Technical case – the differential of good security practices in international projects

Data security is an essential theme for any project. When it comes to international projects, the challenge of maintaining reasonable security practices is doubled as we deal with greater distances from servers.

The risks include not only hacking but social engineering as a whole. Even the people involved in the project and employees of the company can act maliciously, risking the entire reputation of brands and, above all, the safety of users.

To illustrate how it is possible to implement reasonable security practices in international projects, we brought the technical case of the client located in the United States. DB1, based in Brazil, has been serving this client since 2020. Get to know this story!

The problems of using distant VMs

At the beginning of the project, the customer made virtual machines (VM) available through the Amazon WorkSpaces service for the DB1 developer team to work remotely. Amazon WorkSpaces is a fully managed, persistent desktop virtualization service that allows remote users to access the data, applications and resources they need.

Amazon WorkSpaces is deployed on an Amazon Virtual Private Network (VPC), which in this case was the same VPC used by the customer. This raised several problems and risks, mainly in terms of end-points.

We had latency issues when working because the VMs stayed on Amazon’s American server. We tried using a Brazilian VM. This was a slight improvement, but we needed to use the VPN to connect to the client’s VPC, which ended up causing productivity problems as well.

Another issue is that this process did not pay off in terms of security. VMs do not prevent a person with bad intentions from stealing information since it is enough to access and take prints of the data.

The solution: VPN directly in the cloud and tokens for authentication

The DB1 team had a meeting with this client and suggested replacing VDI’s use by direct VPN in the Amazon cloud. When services are centralized within the same cloud, we can create protection barriers and raise the issue of data security and protection.

In addition to VPN protection, we have implemented better authorization frameworks using JWT format tokens. This was intended to address an issue with APIs, which did not have authentications previously built for the client. The risk of this failure is that anyone with access to the API would be able to access the end-point and query information from the client consultants. With JWT token authentications, we could limit this access only to authorized users.

Usually, companies have several services that differently fuel their mobile and browser systems. These various services must be centralized on one gateway. Today, we can put security mechanisms directly into the gateway instead of replicating security for each end-point.

All other services beyond the gateway are private and protected by the VPC, with no external access.

Thus, we build security against:

● DDOS attacks: with the use of the gateway, we can control multiple DDOS attacks on a single service;

● SQL Injection: this is an old practice of malicious people manipulating data in general, including deleting the entire database. DB1 works with high-level tools such as .NET, Java, and Go Lang that natively bring security against this type of attack;

● Cross-site Scripting (XSS): in this type of attack, someone can download your website and change the code by injecting client-side scripts. Using a VPN and JWT token, we do not have any loopholes to allow this to happen. We use restrictive CORS policies to prevent this type of attack.

Security is a constant: How are we protecting ourselves in the long run?

In addition to the implementations mentioned above, which we are starting within the project, we are also engaged in the constant validation of libraries. We use widespread libraries in the market on the front end to speed it up and avoid rework. The risk of libraries is using them without the security criterion. Here at DB1, we run validations to find the libraries updated with new secure versions. We will update the client’s front-end libraries, revisiting them periodically. With these constant updates, we avoid attack gaps. We also use tools for front-end vulnerability scans to prevent attacks.

Another DB1 practice that aims at constant security of all projects is a security testing process that includes the simulation of attacks. We have professional security experts who test attacks on projects to check for threats and possible vulnerabilities on our team. In this way, we can anticipate risks and apply effective protective measures.

Security testing has enormous importance for applications as it ensures that sensitive data remains confidential. In this type of test, the expert plays the role of the various types of attackers (hackers, crackers, ethical hackers, and script kiddies) to find bugs related to the system’s security. When it comes to social engineering, security testing is a must to protect data.

“New security tools arise in the market and new forms of attacks. Unfortunately, there is no silver bullet to protect a system 100%, so here at DB1, we treat security as a culture, always looking for new ways to protect our customer’s data.”- Jaime Yule Jacobson, developer and technical leader at DB1 Global Software.