Security is the most important part of any technology and often does not get enough attention, causing catastrophic damage to your business, platform or client data. With the availability of public cloud platforms and free or discounted products in recent years, the problem has exploded. As a business, it requires a deeper commitment to actively understand, monitor and address the related concerns, from legal aspects to delivery goals.
Building a scalable, secure and optimal technology platform requires working on security concerns at different levels of the solution ecosystem. Depending on the choice of your implementation, the responsibilities vary and should be addressed accordingly.
Botsplash is a "Software as a Service" provider for multi-channel chat engagement. We manage, monitor and maintain most of these responsibilities as part of our platform ecosystem, so as to minimize the risk, security overhead and concerns of our clients.
Our approach to actively mitigate the security concerns:
- Production infrastructure: constant monitoring, regular audits and best-practice reviews.
- Release process methodology: mandatory code reviews, security testing and a dedicated security sprint every 6 sprints to continuously improve our security infrastructure.
As we worked through building Botsplash, we implemented numerous security measures, but we also saw the following gaps, which the 4 security audits below are designed to address:
- Absence of a designated systems or security admin (as opposed to code, where a developer is clearly responsible). This can result in security being implemented incorrectly and the business becoming vulnerable to attackers.
- No involvement of business and technology leaders in reviewing 3rd-party widget terms and understanding the hidden cost of free products or general market solutions.
- New features pushed to delivery without proper review and audits.
These 4 audit items are by no means comprehensive, but they are a great start and reduce your attack surface significantly:
1. Cloud Data Storage Security
Incorrectly configured data storage solutions are the primary reason for large-scale leaks of personally identifiable information in recent years. Examples include:
- Amazon Web Services (AWS) S3 buckets left open or incorrectly configured. Facebook, Verizon, GoDaddy, millions of mortgage documents, 111GB of credit repair documents, and the data of millions of other customers have been exposed accidentally, causing irreparable damage.
- Cloud-hosted MongoDB and ElasticSearch instances without strong passwords exposed the data of another 275 million and 57 million customers respectively.
At the onset, AWS S3 and other cloud storage options may appear easy to use and configure. In reality, they are complex, with 100s of operations, functions and permissions. The result is many accidentally misconfigured S3 buckets that inadvertently expose sensitive documents to the public.
Fortunately, AWS has now rolled out a security feature that restricts the accidental exposure of documents at the S3 bucket and account level.
We strongly recommend that every AWS account set this restriction at the account level. Sometimes this is not possible because some documents must be publicly accessible; in that case, use an alternate account or a different form of storage for them, and add the long-term protection to your main account.
The free AWS Trusted Advisor is a reliable way to measure the S3 exposure of your AWS account.
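Two checks worth scripting for this audit, as an added example (not Botsplash code or AWS tooling): evaluate the account-level Block Public Access setting recommended above and each bucket's effective protection. The evaluation runs offline on the dicts boto3 returns; the live helpers use the real `get_public_access_block` calls of the `s3control` and `s3` clients, and the account ID, bucket names and sample values are placeholders constructed for this illustration.

```python
REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_protections(config):
    """Return the Block Public Access flags not enabled in a
    PublicAccessBlockConfiguration dict. A missing key counts as disabled,
    which is how AWS treats a bucket or account that was never configured."""
    return [flag for flag in REQUIRED_FLAGS if not config.get(flag, False)]

def effective_bucket_gaps(account_config, bucket_config):
    """AWS applies the most restrictive combination of account- and
    bucket-level settings, so a flag is effective if either level sets it."""
    merged = {flag: bool(account_config.get(flag) or bucket_config.get(flag))
              for flag in REQUIRED_FLAGS}
    return missing_protections(merged)

def _fetch(client, **kwargs):
    """get_public_access_block on an s3 or s3control client; AWS answers
    NoSuchPublicAccessBlockConfiguration when nothing was ever set -> {}."""
    from botocore.exceptions import ClientError
    try:
        return client.get_public_access_block(**kwargs)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise

def audit_account(account_id, buckets):
    """Live audit (needs boto3, credentials and s3:GetAccountPublicAccessBlock /
    s3:GetBucketPublicAccessBlock); returns {scope: [missing flags]}."""
    import boto3
    account = _fetch(boto3.client("s3control"), AccountId=account_id)
    s3 = boto3.client("s3")
    report = {"account": missing_protections(account)}
    for bucket in buckets:
        report[bucket] = effective_bucket_gaps(account, _fetch(s3, Bucket=bucket))
    return report

# Constructed sample responses (not from a real account): the account-level
# block misses one flag; one bucket closes the gap itself, the other does not.
SAMPLE_ACCOUNT = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_BUCKETS = {"docs-bucket": {"RestrictPublicBuckets": True},
                  "legacy-bucket": {}}

def sample_report():
    """Offline run of the evaluation over the constructed sample."""
    return {name: effective_bucket_gaps(SAMPLE_ACCOUNT, cfg)
            for name, cfg in SAMPLE_BUCKETS.items()}
```

Any non-empty list in the report is a scope where a public ACL or policy could still expose objects.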
2. Chat widgets, Pixels and 3rd party applications
You might have heard by now the famous quote:
If you are not paying for it, then you are the product.
And some "Software as a Service" and "Data" companies take it a step further: "You pay for the product, and we will sell (or share) your data and your customers' data with resellers to make better profits."
Read the fine print of the terms and conditions for every chat app, analytics pixel or 3rd-party app to learn how the data will be used or shared with their partners and resellers.
When in doubt, escalate it to the chat app or pixel account manager and get it in writing that your data and your customers' data are secure and not sold. Failing to do so can cause great damage to your business, as your website traffic and/or customer data could be shared with your competition.
In addition, 3rd-party applications such as chat apps, calendars and forms should run in their own container (an IFRAME), so that a vulnerability in them is not accidentally exposed on your page.
At Botsplash, we provide a simple and transparent contract with data usage and purge policies. We do not share or resell data to 3rd parties. Our chat application runs in a separate IFRAME with restricted network access for security reasons. Very few software providers can claim such practices!
We also recommend hosting your own websites to maintain full control of your application and metrics across cloud providers. It is easier to do now than ever; a few places to get started are Docker containers, Jekyll themes (used by Botsplash), WordPress and a large number of other choices. Exposing your business to 3rd-party platforms could result in being "amazoned" by the platform itself, or in an unsustainable dependency.
3. Website and API Security
The public website and its supporting web applications, APIs and mobile applications are the face of an organization and its technology solutions. They should be well secured, as they are the easiest for an attacker to access and investigate.
Start with these steps:
- Limit the exposure of public applications. The fewer public applications, the smaller the attack surface and vulnerability.
- Secure your web application and APIs against cross-site vulnerabilities. Too many applications are left unchecked for XSS and incorrect API settings. Use the Keycdn explanation of HTTP headers and its tool to evaluate website settings that could be allowing attackers to sniff your content or your customers' data.
- Check your application for the OWASP Top 10 vulnerabilities and review the complete assessment.
- Use Cloudflare, Imperva or AWS Web Application Firewall for DNS and security. They provide a great security layer for your services and a solution to many known vulnerabilities.
- Evaluate and monitor Content Security Policies (CSP). Though implementing CSP is an optional recommendation, it is a great choice for eliminating cross-site scripting attacks.
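To measure the header settings the steps above point at, here is an added example (not Botsplash code nor the Keycdn tool) that audits one response's security headers and parses its CSP for the weak script sources that negate XSS protection. The two sample responses are constructed, not captured from any real site.

```python
def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive, sources kept as sent (nonces/hashes are case-sensitive)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_weaknesses(csp):
    """Flag script-loading settings that undo the XSS protection CSP offers."""
    findings = []
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        return ["CSP has neither script-src nor default-src: script loading is unrestricted"]
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present, so only flag it when in effect.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
    if "'unsafe-inline'" in script_src and not strict:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will run")
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval'")
    for src in script_src:
        if src in ("*", "http:", "https:", "data:"):
            findings.append(f"script-src allows the over-broad source {src}")
    return findings

def audit_headers(headers):
    """Return findings for one response's headers (names matched case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security: HTTP downgrade possible")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff; browsers may sniff content types")
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("missing Content-Security-Policy: no second line of defence against XSS")
    else:
        findings.extend(csp_weaknesses(csp))
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("no X-Frame-Options or frame-ancestors: any site can frame this page")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"}
HARDENED_RESPONSE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                     "X-Content-Type-Options": "nosniff",
                     "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; frame-ancestors 'none'"}
```

Feed it the headers from a live response (for example the dict returned by `requests.head(url).headers`) to audit your own site.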
At Botsplash, we regularly measure and monitor our web exposure. We are also strong proponents of web application firewalls such as Cloudflare, which secures our applications and has been a great partner.
4. Personal Security
In a targeted attack, where an attacker knows about you or your organization, or has improperly gained access to your secrets, the result can be attackers stealing customer or business data and, in some cases, you losing access to your infrastructure.
- Set up multi-factor authentication using Google Authenticator for all accounts. For a sophisticated attacker, reading SMS messages is possible, and an authenticator app provides better security.
- Using common passwords is a common cause of infiltration. Using a password manager such as 1Password for your team will mitigate this risk.
- Since vulnerabilities start with humans, better training in handling your security and systems will go a long way toward securing the infrastructure.
Security vulnerabilities come in many forms and shapes. Due to the rapid delivery of applications and 3rd-party solutions, applications are more vulnerable than ever. Cultivating security best practices in your teams and organizations is important, and we recommend the approach of "Production infrastructure" monitoring and "Release process methodology" code reviews and sprint process.
We also laid out 4 audits you must do today to secure your application and business interests. For businesses that need extra protection, there are many security companies (one next door to us, Gotham Digital Science) that can help with the auditing and process.
If you have feedback or suggestions for alternate approaches, leave a comment below.