Anyone staying even remotely connected to the news knows that internet security breaches this year have surpassed those of any other year. Many of these breaches were elementary attacks: SQL injection, manipulating URLs to grab data being passed in plain text (yes, Citigroup was passing data through the URL), and the like. Though some attacks are sophisticated, like the one that compromised 40 million RSA keys to major banks and DoD contractors, most attacks can be defended against by implementing encryption in a few basic ways.
There are at least four common tasks that any application performs and that must be completed in a secure fashion: data storage, database access, email processing, and software licensing. Let’s look at some vulnerabilities in each of these tasks where encryption can be used to supplement security.
The obvious danger with data stored on a filesystem is that unwanted eyes will see it, which is why many store information in databases. Even when data is stored in a database, highly sensitive data, such as credit card numbers, needs to be encrypted before it is stored. Developers should never need credit card numbers, passwords, and the like, so these should always be stored in an encrypted manner without any intention of decrypting them. The value given by the user only needs to be encrypted the same way and compared against the stored value to see if they match.
Now, when it comes to storing files and binary data, storing in a database is only more efficient than storing on the file system when the objects are smaller than 256k, as research shows. The lack of access control on the file system requires that developers be creative. Instead of looking for advanced solutions, one can encrypt the data before storing it on the file system. If AES encryption is used, the data can be secure in plain sight. Performance issues may come into play if the application is reading and writing a lot of data, since the encryption algorithm adds overhead. There are two solutions in this case: one is to transfer the data over SSH to an external appliance, and the other is to use an encrypted partition, which allows encryption and decryption to be handled at the file system level.
A very common problem with applications is the lack of a safe spot to store database access credentials. Just storing the credentials in the code is fine if it is a proprietary binary program. Another option is to not store the database credentials in the program at all. When a user is created, create a database user as well with the corresponding username and password. Any time access to the database is necessary, attempt to open a connection to the database with the given credentials. If erroneous access attempts need to be avoided, then store the database credentials, both username and password, in an encrypted manner in the code and match the encrypted version of the user’s given credentials against the stored ones. If they match, pass the given plain text username and password to the database. Obviously, the user will have to log in every time the program is used, but security will be maintained.
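The gate described in that last approach, as an added Python example (not code from the original article): the program ships only a salted PBKDF2 verifier of the database username and password and opens a connection only when the login matches. PBKDF2 as the one-way form, the function names and the `connect` callback are assumptions; the article names no algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # slow on purpose: a verifier shipped in code can be guessed offline


def make_verifier(username, password, salt=None):
    """Derive the one-way value that is embedded instead of the plain credentials."""
    if salt is None:
        salt = os.urandom(16)
    # Length-prefix the username so ("ab", "c") and ("a", "bc") cannot collide.
    material = f"{len(username)}:{username}{password}".encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def open_if_valid(username, password, salt, stored, connect):
    """Call connect() only when the supplied credentials match the stored verifier."""
    _, candidate = make_verifier(username, password, salt)
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None  # the database never sees the failed attempt
    return connect(username, password)


if __name__ == "__main__":
    # Constructed sample values; in a real program SALT and STORED are
    # generated once at build time and only these two values are shipped.
    SALT, STORED = make_verifier("report_user", "constructed-Passw0rd")
    attempts = []

    def demo_connect(user, pw):  # hypothetical stand-in for a database driver
        attempts.append(user)
        return f"connection for {user}"

    print(open_if_valid("report_user", "guess", SALT, STORED, demo_connect))
    print(open_if_valid("report_user", "constructed-Passw0rd", SALT, STORED, demo_connect))
    print("connection attempts reaching the database:", attempts)
```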
Encrypted email is a must if any sensitive data is being transferred. As referenced before, the number of breaches this year in email alone is astronomical, so it cannot be guaranteed that anyone’s email account is secure. GNU Privacy Guard is an excellent tool that implements the OpenPGP standard of RFC 4880. Commercial programs, like PGP, use the exact same standard. Most languages will have a GPG library, or one will be able to implement it through system commands.
Last, but not least, is software licensing. This is perhaps the trickiest of all and requires the most creativity because it involves time sensitivity. Most software licenses have expiration dates, and being able to manage them is not a simple task. One article by Michael Ross briefly shows an example of how licensing can be implemented. This task can be accomplished using methods previously mentioned.
These are only a few general tasks and only a few basic ideas for implementing encryption were mentioned. The threat of breaches in security is growing and the expenses can be fatal to businesses. Creative implementation of encryption in just a few basic ways can save developers and the companies they work for a PR nightmare and significant penalties.