IT Security: a key aspect of mission-critical systems
We recently talked about the crucial relevance of computer security in today’s world and the different types of attacks and impacts on systems and applications. We also discussed software-based strategies available to deal with this problem. Our interview with Brazilian cybersecurity website SocialSec can be read here (in Portuguese): “Cultura do desenvolvimento seguro na pauta do negócio”.
One of the questions we were asked was about the different impacts that security attacks have on businesses or organizations.
There are different types of attacks and impacts. Ransomware attacks disrupt the operational continuity of organizations, which are prevented from accessing information that is vital to their operations. For example, some hospitals have been temporarily closed because they couldn’t access their patients’ data.
As for applications, they are affected in two ways. First, they can be used as a vector to attack an organization: through a vulnerability in an application, an attacker can execute ransomware that affects the entire infrastructure. Second, applications can themselves be affected if an attack manages to encrypt the data sources they use (file systems, databases, etc.).
To avoid these risks, applications must be designed, developed, and analyzed in order to eliminate any vulnerabilities that may be exploited.
It is also critical to establish backup and disaster recovery policies that allow going back to business as usual as soon as possible in the event of a successful attack.
Development solutions for information security and privacy
One solution proven to be effective and efficient in terms of costs and time to market is to implement a Secure Software Development Life Cycle (SSDLC).
Right from the inception stage, security and privacy aspects must be taken into account in order to build software that anticipates different types of attacks and threats.
During development, tasks must be planned and implemented so as to ensure the required degree of security.
The ethical hacking approach, where penetration testing is performed only after the software has been built, has proven to be inefficient and potentially ineffective. It is inefficient because it involves rework that could have been carried out earlier in the development cycle. It can also be ineffective because professional ethical hackers only test what they can see, potentially leaving hidden vulnerabilities undetected.
The consequence of not following a secure development strategy can be that a fully developed software product cannot be deployed to production due to its vulnerabilities, directly impacting time to market and making the organization unable to respond to business needs in a timely manner.
Application security is becoming increasingly important. For more information, watch this video: “DevSecOps: Redefining the foundations of security with Static Code Analysis”, where tools to help detect potential vulnerabilities are discussed.
Security and privacy strategies: GeneXus Access Manager and new agreement with Veracode
GeneXus as a Low-Code platform aims to automate everything that can be automated in the software development process. Following this vision, it automatically handles security issues—such as SQL Injection or Cross Site Scripting—in the code it generates. As a result, the final application generated in GeneXus is as secure as possible without adding complexity for the developer.
In addition, GeneXus provides a security module called GAM (GeneXus Access Manager), which implements authentication and authorization for applications. In this way, with very little effort you can secure access to all entry points of the application being developed in GeneXus and check access permissions to the application’s resources. This module also allows authentication with any external identity provider through OAuth protocols.
Lastly, we are pleased to share with you that in October 2021 GeneXus signed an agreement to become a Veracode Partner. This technology alliance allows us to integrate the static and dynamic code analysis tools of the leading platform Veracode into the GeneXus development process. With it, we not only seek to provide secure quality assurance, but also to make life easier for our customers, who will use this platform to check their GeneXus-generated applications.
The alliance will allow GeneXus customers to easily demonstrate the security of their applications, shorten sales cycles, and gain competitive advantage.
In this way, we hope to help customers reduce high severity vulnerabilities, while also reducing false positives in security reports when they use the Veracode platform to examine applications built with GeneXus.
You may also be interested in the following articles from the GeneXus Community Wiki:
One Time Password in GAM
Two Factor Authentication in GAM
Computer Security: The importance of not repeating passwords
Free GeneXus course: Introduction to GAM