The importance of cybersecurity in software design


Written By Corey Petty, Co-founder and Host, The Bitcoin Podcast Network and Head of Security, Status.im

On average, the total cost of a data breach to a company is some USD 3.92 million based on the most recent annual report from IBM Security. The same report states that 51 percent of data breaches are caused by malicious or criminal attacks. And these only reflect the successful attacks.

Southeast Asia is currently seen as a breeding ground for cyber attacks according to a report released by management consultancy firm AT Kearney. Malaysia, Indonesia, and Vietnam recorded more than 3.5 times the average global ratio of blocked suspicious web activity.

The Philippines, on the other hand, is a constant target of attacks, many of them significantly successful. In the last few years, many major Philippine companies have had massive data breaches. Others were left dangerously exposed to one, with many red flags.

In January of 2019, Philippine remittance and pawnshop chain Cebuana Lhuillier saw one of its email servers hacked, leaking sensitive information of more than 900,000 clients. In 2018, fast-food giant Jollibee was ordered by the National Privacy Commission to suspend its delivery service over concerns of potential data breaches.

The country also witnessed the government’s vulnerability to attacks over the last decade. The Armed Forces of the Philippines’ recruitment platform was breached, releasing more than 50,000 applicants’ details.

Another high-profile government data breach happened in 2016 when the Philippine Commission on Elections was defaced. It was later revealed that millions of records of biometric data, passport information, email addresses, and other valuable personal information were leaked onto the dark and clear web.

More sophisticated threat actors

Every day, businesses and institutions are being targeted by cyber-attacks. Most of these threats are low-level and can be neutralized by simple due diligence including subscribing to third-party cybersecurity suites and client/server protocol encryption.

However, over the last two decades, the world has seen an increase in more sophisticated and better-funded threat actors. Whereas lower-level threats attempt to breach security through a sheer volume of attacks, these actors are more persistent and methodical. And these attackers, many of whom are state-sponsored, lie undetected until it’s too late.

On a wider scale, the Internet itself, over the last decade, has become far less safe and secure given many countries’ state-sponsored mass surveillance of their citizens’ Internet activity as well as widespread content manipulation aimed at disinformation or what everyone has come to know as “fake news.” Based on the Freedom on the Net 2018 report by Freedom House, 26 out of 65 countries surveyed had seen a decline in Internet freedom.

Even in the so-called free world, cynicism pervades, at best. At worst, people are quite certain that privacy, as we know it, is going extinct. Several governments all over the world sponsor mass surveillance and censorship of internet activity, with many passing vaguely written laws that impose severe jail time on those supposedly found “inciting hatred” or expressing dissent.

Security in decades past: A design afterthought

The IBM report adds that successful breaches have an adverse effect on companies years down the line. This is largely due to the fact that most companies have a reactive approach to cybersecurity.

The reactionary view to security goes all the way back to the creation of the Internet. The World Wide Web as we know it today is built on a shaky foundation on which layers upon layers of updates have been placed.

Lacking foresight for the emergence of malicious threats, the early iterations of the web did not have any measures to mitigate risk. New protocols and the encryption that accompanied them were born only in response to events. Due to this, developers are constantly in fight mode to try and stop attacks. However, attackers are almost always one step ahead.

As the threat becomes stronger and more organized, the reactionary strategy to Internet security will no longer cut it.

Removing the points of failure: Getting to the root

Proactive design is the future of cybersecurity. Many cybersecurity companies now offer solutions they badge as “proactive” which promise deeper and more extensive detection methods and faster responses, but this still relies too much on guesswork such as threat forecasts and active filtering. This does not necessarily address the problem from its root.

Instead of creating Band-Aid solutions to costly attacks, developers should address the problem from the ground up. Designing a threat-proof platform provides a strong foundation for a company’s security efforts. And thanks to recent advances in technology, particularly in blockchain and encryption, developers are now able to threat-proof their software.

Some IT service management companies, such as Canadian firm SolarWinds MSP, offer multi-layered, holistic network security for their cloud platforms. This combines multiple security measures including data encryption, patch management, and digital certificates, creating a thick shell that is harder for would-be attackers to penetrate.

Blockchain takes this even further with its distributed ledger architecture. With its checks and balances, it is harder for a malicious entity to penetrate the encrypted network undetected. And due to its decentralized nature, there is no single point of entry for data.

In the traditional client-server model of Web 2.0, users rely on centralized third parties to host transaction data. This means attackers have a target that they could continuously wear down with attacks.

With blockchain technology, on the other hand, the data is distributed across a vast network of users through a distributed ledger which eliminates single-point vulnerabilities. We are getting to the root of the problem by removing these points of failure altogether.

Another step further is a peer-to-peer technology that removes the need for centralized servers and third parties of any kind. With secure, p2p technology, we decrease the attack surface to only the parties involved in a transaction or communication. Messages, for example, will only and can only ever be seen by the parties involved in the chat.

By combining peer-to-peer and blockchain technologies, platforms greatly increase security and effectively neutralize threats before they can even knock on the door. These technologies also help create a freer, more private Internet, minimizing entry points for entities attempting surveillance.

Taking back our lives, with greater sophistication

Our flagship product, the Status Mobile App, a secure messenger, crypto wallet, and web3 browser, currently uses Ethereum’s P2P protocol suite. The Ethereum public blockchain decentralizes transactions and data storage while Whisper, the p2p messaging layer of the Ethereum technology stack, removes third-party intermediaries from communication altogether. Whereas well-equipped attackers are still able to break through more traditional client/server protocols, Status uses blockchain’s distributed ledger architecture and does not host messages and other sensitive user information in a central data bank.

In addition to the Whisper platform, we include end-to-end encryption, “perfect forward secrecy”, and the use of the Double Ratchet algorithm for additional layers of privacy and security. This means that even when a sophisticated attacker gets hold of the private key to decrypt a message, the attacker cannot retrieve any information.
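The forward-secrecy property described above can be seen in the key-derivation chains of the Double Ratchet algorithm. The sketch below is an added example, not Status's code: it uses the HMAC-SHA256 chain construction recommended in the Signal Double Ratchet specification, random `dh_output` values that stand in for real Diffie-Hellman results, and a constructed `info` label.

```python
import hashlib
import hmac
import os

def kdf_ck(chain_key):
    """Symmetric ratchet step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def kdf_rk(root_key, dh_output, info=b"example-ratchet"):
    """Root step (HKDF-SHA256): mixes fresh DH output into the root key.
    Returns (new_root_key, new_chain_key). The info label is constructed."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()
    return t1, t2

def advance(chain_key, count):
    """Run the symmetric ratchet `count` times; returns (chain_key, keys)."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_ck(chain_key)
        keys.append(message_key)
    return chain_key, keys

def simulate_compromise():
    """Model a chain-key theft after message 3 and report what it exposes."""
    root = os.urandom(32)                       # constructed stand-in for the agreed root key
    root, chain = kdf_rk(root, os.urandom(32))  # first DH ratchet step
    chain, past_keys = advance(chain, 3)        # messages 1-3; their keys are then deleted
    stolen_chain = chain                        # attacker copies the chain key here
    _, same_chain_keys = advance(chain, 2)      # messages 4-5 on the same chain
    _, attacker_keys = advance(stolen_chain, 2) # what the attacker can derive forward
    # The next DH ratchet step mixes in a secret the attacker never saw.
    root, healed_chain = kdf_rk(root, os.urandom(32))
    _, healed_keys = advance(healed_chain, 2)
    return {
        # HMAC is one-way, so the chain cannot be run backwards to old keys.
        "past_exposed": any(k in attacker_keys for k in past_keys),
        "same_chain_exposed": attacker_keys == same_chain_keys,
        "healed_exposed": any(k in attacker_keys for k in healed_keys),
    }

if __name__ == "__main__":
    print(simulate_compromise())
```

The stolen chain key yields the keys for later messages on the same chain, but none of the earlier ones and none of those derived after the next Diffie-Hellman step, which is why implementations delete each message key as soon as it has been used.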

Soon, we will be replacing Whisper with Waku, a fork of the Whisper protocol that scales better by improving bandwidth efficiency. Our team is also conducting extensive R&D on distributed messaging protocols for even greater privacy, security, and scalability.

Silicon Valley giants are already seeing the massive potential of utilizing blockchain technology to create a more flexible, more agile, and safer Internet. IBM now offers blockchain deployment for its clients based on the Hyperledger Fabric platform with its modular architecture that could be scaled for different needs. IBM touts that it is able to help companies adopt blockchain for any industry from food and agriculture to media and advertising.

Recent advances in technology have given people the chance to rethink the way they deal with cybersecurity threats. By decentralizing the transfer of information, we are lessening human interference and potential holes in the system, creating a safer and freer Internet for all.

When designing software, companies and developers should give primacy to security, equal to or more than other aspects of user experience. With a global economy growing increasingly reliant on online transactions, there is a great amount of information that lies vulnerable to attackers. Proactivity is the only way we can defend ourselves against cyber attacks before they even happen.