If there were an award for the issue that worries business owners most, without exception, project data security would be the clear winner. Data protection concerns have risen drastically over the past two decades, and there is virtually no end to the battle between those who ensure data security and those trying to breach it. At Modsen, we fully understand the doubts and concerns our clients deal with before deciding to entrust their unique, invaluable ideas to us. That’s why we asked our data security guru, also known as Modsen CTO Eugene Kalugin, to pull back the curtain and share the practices we use to ensure rock-solid protection of data on every project. Get ready to exhale in relief: our team leaves no detail unnoticed when it comes to safeguarding your data.
— Good morning, Eugene! I can’t thank you enough for setting aside some time to cross the t’s and dot the i’s on the question of Modsen's approach to ensuring data security on projects.
— Hi! My pleasure, it’s always great to be able to speak about what matters most to our clients.
— Without further ado, let’s get straight to the point. Is it hypothetically possible to build a software product that is impossible to hack?
— People who are even slightly familiar with the world of tech know for sure that a 100% data safety guarantee is a myth. I bet you’ve seen a dozen movies where the action centers around a breached governmental software system or around a genius developer who hacks the most protected databases in the world. But the impossibility of 100% protection doesn’t mean that 99.9% is impossible too. That’s exactly the figure to be guided by. The more valuable the information is, the more resources are used to safeguard it while it’s economically sensible, and the chance of a successful breach decreases in inverse proportion to the efforts made to protect it. Moreover, according to statistics experts, about 75-85% of data stolen worldwide is the result of insider attacks, not of some random hacks.
— Wow, that sounds surprising. We’ll talk about your approach to insider risks a bit later. Correct me if I’m wrong – the likelihood of a data leak is fully reliant on the foundational process of code development, isn’t it?
— The codebase development stage is certainly one of the most important elements of data security, but there’s so much more to it. During 13 years of building software products on a variety of projects, I’ve seen the seeds of future data breaches being planted when engineers focused on fulfilling business goals at the cost of compromising on proper security measures. The same goes for testing. I know for sure, however unimaginable it may sound, that on some projects software doesn’t undergo security tests at all, which is a fatal mistake. Security comes on all levels – from building project architecture, utilizing only tried-and-tested libraries, integrating security tests in CI/CD processes, and checking each PR for inefficiencies, to pre- and post-launch security auditing. You can’t single out a particular step in the development or point out a specialist responsible for data protection – it’s all about a systematic and consistent approach of a project team to security.
— I see… That increases the value of the choice of a trusted software development vendor even more. Here’s a more theoretical question: can we decompose the data security of a software product into separate elements? If yes, what are they?
— We sure can. Confidentiality, integrity, accessibility. The confidentiality principle ensures that project data can be retrieved only by legitimate users and processes. Integrity implies that the information within the system has to be relevant, correct, and complete. Finally, accessibility overlaps with confidentiality and guarantees that only legitimate users can access the data at the scheduled time.
— Speaking of this data security “trinity”: global statistical resources keep raising the alarm about the exponentially growing number of cyber attacks that have become more organized and sophisticated. Is Modsen ready to qualitatively respond to the increasingly complex challenge and how does the team treat the issue of safeguarding client data during the software development lifecycle?
— Without any exaggeration, I can say that there’s nothing more crucial for our team than being sure that we’ve done our best to secure a software product on all fronts. I myself am an unwavering “ambassador” of the 360° security concept and do not tolerate the slightest potential security gap, and every person on the team considers data protection a top priority. Speaking of the practical measures we take to ensure the safety of project data, it all starts from the entrance to our offices – personal chip keys and surveillance cameras ensure not a soul can come in unnoticed, and our employees are under constant control as well, both from within and without, as our Data Security Department specialists monitor the personal equipment activity of every team member to eliminate insider threat risks. For example, we always check whether our developers delete code after finishing the work on a project. Trust, but verify. Among other key duties of the Data Security Department are maintaining the security of our offices and personal computers, timely updates of operating systems, conducting regular courses and training sessions for employees of all departments, and a lot more. Getting back to your question about our readiness to face rapidly evolving security challenges: when building software projects for our partners, we always take into account new types of threats, integrate security checks at every stage of the development process, systematically implement penetration tests, and invite third-party organizations for security audits. Obtaining new licenses and internationally recognized certifications goes without saying. That’s a small part of what we do, but I believe it already vividly illustrates the seriousness with which our team approaches the data protection issue.
— Do we have a secure software development policy? If yes, what does it look like and what practical value does it have? Or is its purpose merely strategic?
— At Modsen, the secure software development policy is a comprehensive multi-page guide that each and every one of our engineers follows relentlessly. This document is under my constant revision, as we’re trying to foresee emerging security tendencies and implement the newest and most efficient tools and practices in our work. So, no, it’s more than just a formal paper; it’s a full-scale, regularly updated security guide and employee handbook.
— About security practices. Could you give a bit more detail about the ones we use?
— Well, it’s hard to talk briefly about it, as there are several software safety protocols we apply for each type of application. Any service and product we build comes with not one but a set of security practices, for instance those provided by the OWASP framework. Our QA and AQA professionals design detailed test cases, and our developer engineers utilize programs to monitor web and code vulnerabilities. We are immersed in data security from the very start and keep abreast of it throughout the whole development process. So if you google “best software security practices” and read every article on the first results page, I assure you, there won’t be a single practice we don’t use at Modsen to protect client data from breaches.
— And our partners are well aware of that. Not to keep you too long, as you’re by far one of the busiest members of the team, here’s the last thing I was wondering about. What stages does a secure software development lifecycle consist of? How exactly do we ensure client data safety at every step of it?
— The answer is simple: implement, test, fix, deploy penetration tests, repeat. This sequence is the basic set of steps we follow to make sure the product is well-protected. If the scope and complexity of a project require more than that, for instance when we build fintech applications, the project team and our sub-department for data security double and triple testing efforts to deliver ultimately reliable software products. We implement both black-box and white-box tests, focusing more on the latter to see the app from the inside, identify weak spots, and strengthen the system to the fullest.
— If I were a business owner looking for a dependable software development partner truly concerned about the safety of my data and my brand, I would most certainly entrust my project into the hands of your team. Thank you for such an honest and insightful dialogue. I’m sure you’ve put a lot of our potential and new partners at ease. Wishing you to work on the greatest projects this year!
— Thank you, my pleasure. Openness and transparency are within our corporate nature, so I was glad to prove it once again.
When it comes to software development, data security plays a pivotal role in the future of a brand, as the slightest breach can result in an unrecoverable business downfall. There’s no room for risks – go for the team that cares for your security for real.