Creating a new app or software package? This video includes tips for keeping data secure during product design, development, testing and roll-out.
Learn more about this subject on the FTC's website: ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
********************************************
Transcript:
[MUSIC PLAYING] Creating a new app or software package can be an exciting venture. The Start With Security video series and resources at business.ftc.gov offer tips for keeping data secure during product design, development, testing, and roll-out.
You want to be confident that a new product protects sensitive consumer data, so ensure that your team understands the latest coding practices and prioritizes security at every step. The FTC has brought cases against several companies that didn't keep employees up to speed on secure coding practices. A lack of adequate training can lead to questionable design decisions and software vulnerabilities.
Another area of risk: failing to follow a platform's guidelines for secure development. In two FTC cases, companies launched mobile apps with certificate validation turned off even though iOS and Android developer guidelines clearly warned against that. This exposed sensitive consumer information, including credit card details, email addresses and passwords, Social Security numbers, and more. To protect your company from scenarios like these, do not reinvent the wheel. Follow platform security guidelines.
Also, verify that all privacy and security features actually work before a product goes live. In this FTC case, a company behind a popular social media app dropped the ball. They assured users that their messages would disappear forever but failed to confirm the app lived up to this claim. In reality, the app saved video files to a location where they could be easily recovered with common tools. Verify that privacy and security work as advertised.
Finally, it's wise to assess your applications for well-known weaknesses. By doing so, a global fashion company could have avoided an FTC case. Specifically, the company should have tested its resilience to Structured Query Language, or SQL, injection attacks, a common vulnerability. Catching and addressing this weakness could have prevented hackers from accessing databases with customer credit card information.
For more useful tips about applying sound security practices when developing new products, and for guidance on building a culture of data security in your business, visit ftc.gov/startwithsecurity.
********************************************