Beyond Patches: Secure by Design

We consider many things valuable in our lives: money, freedom, and homes, for instance. Yet all these are now in danger because of stolen identities. In the modern digital era, criminals are not just targeting our wealth or property but our fundamental identity itself.  

Stolen digital identities are the currency of modern cybercrime. Thieves are not simply after physical wallets and purses; they're after the keys to our online kingdoms. Every click, purchase, and interaction leaves a digital trail. This creates a treasure trove for those looking to exploit weaknesses.  

A stolen digital identity can unlock bank accounts, credit card accounts, social media profiles, and even medical records, wreaking havoc on a victim's financial life, reputation, and sense of security. This new breed of theft transcends borders, leaving individuals feeling exposed and violated in a way that traditional crime never could. It violates our identity of self.

Unfortunately, the software development methods used by many companies have helped these new criminals by inadvertently enabling easy access to private information. They have not taken good care of the information given to them. Until this changes, trust issues will remain between organizations and their customers.

Data Breaches

We’ve all seen the news headlines: “Millions of Identities Stolen” and “Corporation Left Secure Data on Open Server.” A clinic in Maui was recently hit by a cyberattack. This attack exposed the personal information of over 120,000 customers.

This sort of security incident headline is now all too common, often dominating the news cycles. People wonder if their data can ever be safe or if they can ever trust the software. 

This often relates to a quirk in human nature. Security usually becomes an afterthought compared to functionality. For example, the first cars built didn’t have door locks or even an ignition key. The ability of the vehicle to drive and go places was more important.

Years later, car companies started including door locks and ignition keys as standard features in their vehicles. Unfortunately consumer demand is what often drives these initiatives.

We see this same set of guiding principles in many industries, which has led to the situation we are in today. Criminals will always look for the easiest route to make money. When someone asked infamous bank robber Willie Sutton why he robbed banks, he answered, “That’s where the money is.”

But after decades of work to vastly improve security, criminals rarely attempt to rob banks anymore. Far too risky.  

If only real customers can take money from banks, criminals must find a way to seem like real customers. Achieving this level of deception used to be complicated. First, you have to know secret information about a person, information only that person should know. But the influential companies that would validate this information were like the banks of Sutton’s day.  

These modern corporations kept all that information in the equivalent of poorly guarded safes. Security was simply an illusion. 

We Don’t Store Data

This philosophy has led Prove to several standard models that form layers of security within all our systems. Prove does not store any Personally Identifiable Information (PII) in our systems. This is the first and most important point. 

Whenever we need PII data, we get the latest and most accurate information from our providers. This way, our data is always fresh. We use that data only for the requested transaction, after which we erase the information in our systems. Discarding sensitive information ensures that even if someone accesses our servers, they cannot compromise customer data.

Encryption, Encryption, Encryption

Secondly, we rely heavily on encryption in all our systems. All connections to and from our data sources and clients use modern encryption methods. This ensures that someone cannot intercept or compromise the data. As a result, only the intended recipient of the data can receive it.

Additionally, we also use encryption internally. When data moves in our systems, we encrypt it. This ensures that no one can read the data while it travels between systems.

The highest security requirements of government agencies and the military mandate this kind of protection. Data simply does not move in a useful format. Even an employee of Prove could not read the confidential data.  

Finally, in rare cases, we need to check if data has changed over time. Instead of storing the data for comparison, we keep a version that we “mathematically hash.” Mathematically hashing is the process of using a hash function to transform any piece of data, no matter how large or small, into a fixed-size string of characters. This string is called a "hash value," "hash code," or simply a "hash."  

Think of it like a fingerprint for digital data. This means that someone cannot recover the original data from the hashed value. This way, we can determine changes without needing to store the actual data on any of our systems.  

Don’t Treat Security as an Afterthought

In software development, security is often seen as an afterthought. It is usually added at the end of the process. Instead, it should be part of the development process. It is a key principle that guides every decision, from design to deployment. 

Treating security as an extra is like building a house without locks on the doors and windows. It may look fine, but it makes the people inside vulnerable to unwanted intrusions.

By focusing on security from the start, developers can build software that is strong and safe. This protects users and sensitive data from ongoing cyber attacks. This proactive approach, known as "Secure by Design," is not just a best practice, but a necessity in today's interconnected world. 

Prove believes in security by design and ensures that all your data is always safe from compromise. We never expose customer data in any way. We also make sure the data stays encrypted inside our systems. Don’t you wish all corporations worked this way?

‍

Photo by Towfiqu barbhuiya on Unsplash