Security, reliability and scalability makes a software solution more trustworthy. Privacy and data protection are the most important things customers are concerned about for most software solutions out there.
Here are some of the main topics that can help give a good glimpse to business owners on what to tackle, or at least have a plan in near future to tackle for their software solutions.
Compliance & Certifications
SOC I & II
SOC 2 is a Systems & Organizational Control 2 (SOC 2) examination performed by a third party audit. It ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients.
Complete a third-party SOC 2 Type II audit. Type II is a continued auditing procedure that ensures organizational and technology controls are independently audited and it was performed at least annually.
GDPR compliance
GDPR expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a redefined set of regulations. It’s a must if you are serving the EU market.
Follow a Privacy framework, be a member
For example, Privacy Shield is an agreement between the EU and US that allows for the transfer of personal data from the EU to the US.
Security, Zero Trust
Most large cloud service providers such as AWS, GCP, Azure are providing security features built-in. Use a cloud provider with built-in security. Use best practices to further harden your systems and processes. Also, modern cloud services employ a robust physical security program with multiple certifications, usually including SOC 1 & 2.
Malware detection services
Partner with a company which provides a comprehensive and automated malware detection service for files uploaded to the service by users, ensuring that foreign files uploaded to the service are not infected. For file related securities, you might want to maintain a blocklist containing a list of forbidden file extensions. The file extension blocklist may contain file types that may be considered dangerous, such as scripts or executables. By blocking these file types, the risk of malware infection can be reduced significantly.
Use NIDS
Network Intrusion Detection System (NIDS) sensors can be used in tandem with native cloud security services, which can be enabled for all production assets.
Encryption Practices
Passwords
Never store passwords in clear text – they should always be hashed and salted securely using strong algorithms such as bcrypt. Bcrypt is a proven algorithm and is considered one of the best choices for password storage.
Encryption at rest
Data at rest should be encrypted and AES-256 is a great choice. Encryption keys can be stored using cloud providers Key Management Services. One or more annually rotated customer master key (CMK) can be used to encrypt all client data.
Encryption in transit
All network communication should use TLS with at least 128-bit AES encryption. The connections should use at least TLS v1.2, and we usually recommend it to be encrypted and authenticated using at least AES_128_GCM. ECDHE_RSA is a great choice as the key exchange mechanism. There are 3rd party services available to analyze TLS configurations who use their custom configured SSL Server to test and provide you a comprehensive report with a score.