The Wasp is one of the superheroes from Marvel Comics. Along with the Avengers she protects the world from evil. But we can’t rely on superheroes to protect us from evil on the web. To make sure there are always security basics in place, there’s OWASP: the Open Web Application Security Project. By following their guidelines, our projects are compliant in terms of security. Though it might sound a bit boring, security plays a very important role in the performance of apps. There are many more security issues out there than you might think, so we always keep security in mind when developing code for mobile and web applications. But did you know that our designers are working on blocking security issues as well?

Awareness and compliance are critical

First things first. Let us tell you a little about this “OWASP”.
What is OWASP?
It’s a non-profit organization dedicated to the protection and improvement of web apps. They compiled a top ten of the most common risks both for mobile operating systems (Android and iOS) and web applications. This OWASP Top Ten is a powerful awareness document for application security and it represents a broad consensus about what the most critical web application security flaws are.
There are some elements that we as developers control, but there are also unintended data-leakage possibilities that we can’t do anything about. You still have to take these into account:
- bugs in the operating system
- a weak PIN or authentication procedure
- client-side injection
- corrupt data
- sessions that are not closed
- single sign-on applications that provide access to different apps without additional control
- storing sensitive and critical data, in which case the public cloud is not the best option
Also critical is the visibility of the page source, or the insufficient shielding of sensitive data such as credit card numbers, tax IDs or logins.

A student in computer science management recently interviewed us about OWASP. His conclusion was that iCapps is fully compliant with the OWASP guidelines. Although our apps are robust, this is an important aspect that everyone in our organization has to deal with every day, in every action. The full OWASP Top Ten can be found on the OWASP website, both for mobile applications and for web applications.
Security by design
In the IT world people sometimes smirk at end users: “the dumb user” who clicks on everything, downloads unsafe software and uses passwords that are easy to retrieve. But the user is not the problem, because he just does what seems to him to be the most appropriate action in a certain context. As developers, we can’t control the user, but we can manage the context. This means that an important security role is laid out for the designer as well.

A few simple examples illustrate this. We are very careful about when and how we use the ‘lock’ pictogram, because the user sees this symbol as equivalent to safety. A password generator can immediately and visually report to the user that his new password is weak. We do the same when people enter the wrong login or the wrong password: even if we know which part is wrong, we will always show the message “password and / or login is incorrect”. Why? Because if you indicate that only one of the two is wrong, you unwittingly give hackers a big advantage. We don’t do this to annoy users, it’s for their own safety!
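The generic login message described above, as an added example that is not code from iCapps or from the original post: a minimal Python login check that returns the same message whether the login is unknown or the password is wrong, shown next to the leaky variant the paragraph warns against. The sample user store, the PBKDF2 hashing parameters and the function names are assumptions made for this example. It also does the same hashing work for unknown logins, so the response time does not reveal which part failed; that detail goes one step beyond what the post discusses.

```python
import hashlib
import hmac
import os

# Constructed sample user store for this example: login -> (salt, PBKDF2 hash).
# Not real credentials and not iCapps code.
ITERATIONS = 100_000
GENERIC_ERROR = "password and / or login is incorrect"


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (a hypothetical choice for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """Create a (salt, hash) record for a new password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {"alice": make_record("correct horse battery staple")}

# A throwaway record checked when the login is unknown, so the failure path
# does the same amount of work whether or not the account exists.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> tuple:
    """The pattern the post warns against: the message says which part was wrong."""
    if username not in USERS:
        return False, "login is unknown"
    salt, expected = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return False, "password is incorrect"
    return True, "welcome"


def login(username: str, password: str) -> tuple:
    """Hardened form: one generic message for every failure, same work on every path."""
    known = username in USERS
    salt, expected = USERS.get(username, _DUMMY_RECORD)
    # Always hash and compare, even for unknown logins, and compare in constant time.
    match = hmac.compare_digest(hash_password(password, salt), expected)
    if known and match:
        return True, "welcome"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    attempts = [
        ("alice", "correct horse battery staple"),  # valid credentials
        ("alice", "nope"),                          # known login, wrong password
        ("bob", "nope"),                            # unknown login
    ]
    for user, pw in attempts:
        print(f"leaky    {user!r:8} -> {login_leaky(user, pw)[1]}")
        print(f"hardened {user!r:8} -> {login(user, pw)[1]}")
```

Running the block shows the leaky variant answering “login is unknown” for bob but “password is incorrect” for alice, which is exactly the distinction the post avoids; the hardened `login` gives both the same `GENERIC_ERROR` and only differs for a correct login and password pair.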