
Adopting an AAA approach to software security

Data remains king in 2024. Consumers are more cautious than ever about providing organisations with accurate data. High-profile incidents, such as the Cambridge Analytica-Facebook scandal, have further entrenched scepticism regarding how companies handle personal information. With data being treated as a premium asset, it is imperative for software developers to take every measure to vigilantly protect consumer data. In this article, we’ll explore WorkingMouse’s updated approach to software security. If you’re seeking advice on your security strategy, please contact us. 

The AAA Approach 

When considering an application’s security, we focus on three critical areas: authentication, authorisation, and auditing. The best security strategy employs a layered defence coupled with a strong security plan. With two-thirds of cyber breaches caused or enabled by employees, security is only as strong as its weakest link. 

As part of our layered defence, we address software, hardware, and hosting components for the applications we build. 

Authentication

Authentication is the process of identifying users and ensuring they are who they claim to be. Traditionally, this was accomplished using a username and password. While strong passwords remain a good start, the security landscape has evolved, and new methods like two-factor authentication (2FA) and biometrics have become standard practice.  

2FA provides an additional security layer: after entering a username and password, users must also enter a unique code sent to their mobile device. This method has now become commonplace, especially in online banking and secure transactions. 

Passwordless authentication has also emerged as a more modern solution, using options such as hardware security keys, magic links, or biometric identification like facial recognition and behavioural biometrics (analysing user patterns such as typing speed or mouse movement). Because there is no reusable password for an attacker to capture or replay, passwordless methods are more resilient to attacks like phishing and credential stuffing, offering a higher level of security. 

Most smartphones today also support biometric authentication methods like fingerprints and facial recognition, further reducing the reliance on traditional passwords. 

Authorisation

Once authentication has been verified (we know who the user is), the next step is to manage authorisation, or controlling what actions the user can perform. According to the Australian Signals Directorate, restricting administrative privileges is one of the top four strategies for mitigating cyber risks.  

At WorkingMouse, we use the Codebots permissions behaviour to help product owners create user groups and control access levels. This ensures that users only access necessary parts of the application, minimising the risk of accidental or intentional misuse. 

Auditing 

Auditing is a reactive but vital measure, tracking the resources that users access. Cyberattacks are not always external; sometimes, they can originate from trusted insiders like employees or end-users who already have authentication and authorisation. Therefore, auditing every request made within an application is crucial for forensic purposes and compliance with legislation such as the Notifiable Data Breaches Scheme.  

By tracking session logs, you can detect unusual behaviour patterns, identify potential threats, and improve response times to breaches. In 2024, AI-driven tools are increasingly employed to automate threat detection and improve monitoring by analysing patterns that may signal malicious activity. 
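As an added illustration (not WorkingMouse's or Codebots' code), the following Python sketch shows the authorisation and auditing steps together: every request is checked against a permission group, every decision is written to an audit log, and the log is then scanned for users whose denied requests repeat. The group names, actions and request sequence are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed permission groups (assumption): each group maps to the actions it may perform.
GROUPS = {
    "admin": {"invoice:read", "invoice:approve", "user:manage"},
    "accounts": {"invoice:read", "invoice:approve"},
    "staff": {"invoice:read"},
}

@dataclass
class AuditLog:
    """Append-only record of every authorisation decision the application makes."""
    entries: list = field(default_factory=list)

    def record(self, user: str, group: str, action: str, allowed: bool) -> None:
        self.entries.append({"user": user, "group": group, "action": action, "allowed": allowed})

def authorise(user: str, group: str, action: str, log: AuditLog) -> bool:
    """Authorisation: permit the action only if the user's group grants it.
    Unknown groups get an empty permission set, so they are denied by default,
    and every decision (allowed or denied) is logged before returning."""
    allowed = action in GROUPS.get(group, set())
    log.record(user, group, action, allowed)
    return allowed

def repeated_denials(log: AuditLog, threshold: int = 3) -> dict:
    """Auditing: flag users whose denied requests reach the threshold, the
    'same person trying again and again' pattern that unlogged systems miss."""
    denied = Counter(e["user"] for e in log.entries if not e["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}

# Constructed sample traffic (assumption): (user, group, requested action)
SAMPLE_REQUESTS = [
    ("alice", "admin", "user:manage"),
    ("bob", "staff", "invoice:read"),
    ("bob", "staff", "invoice:approve"),
    ("bob", "staff", "invoice:approve"),
    ("carol", "accounts", "invoice:approve"),
    ("bob", "staff", "user:manage"),
]

def run_sample() -> tuple:
    """Authorise every sample request, then return the log and the flagged users."""
    log = AuditLog()
    for user, group, action in SAMPLE_REQUESTS:
        authorise(user, group, action, log)
    return log, repeated_denials(log)  # flagged: {"bob": 3}
```

In a real application the log entries would also carry a timestamp, session id and source address so that the pattern can be tied back to a session during forensic review.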

Hardware Security 

Security isn’t just about software; the hardware and infrastructure your applications rely on are equally important. In 2024, cloud hosting has become the standard for most organisations, and several security measures should be in place to safeguard your data.

At WorkingMouse, we employ a multi-zone redundancy plan to ensure all critical data is replicated across multiple physical locations. This means that if one server fails, the data remains accessible, significantly reducing the risk of data loss.  

We also enforce HTTPS for site resource access, and internal system administration is protected using multi-layered security. All databases are password protected and accessible only from within our private firewalled network. Access control is essential, and databases include multiple levels of user privileges to restrict access to sensitive data. 

Assess Your Security Measures 

The AAA framework (authentication, authorisation, and auditing) offers a benchmark to assess your application security: 

• Authentication: Are you relying on basic usernames and passwords, or have you implemented 2FA or passwordless options? The sensitivity of the data you’re protecting should guide your choice. For instance, if you’re handling financial data, an additional layer of security is essential. 

• Authorisation: After authentication, does each user have only the permissions necessary for their role? If not, consider performing a serious audit of your authorisation practices. 

• Auditing: If you’re not logging session activity or tracking user access, you’re flying blind. This leaves your system vulnerable to repeated attacks from the same person without your knowledge. Logging user activity is crucial for identifying security issues early. 

Stay Ahead with Zero Trust Architecture  

In 2024, many organisations are shifting towards a zero trust architecture, which assumes that no user—internal or external—should be trusted by default. This approach mandates continuous verification and monitoring of users and devices, even after they’ve been authenticated. It’s a proactive method to defend against increasingly sophisticated cyberattacks. 

By adopting a structured approach, including auditing your system based on the AAA principles, you can ensure that your software security measures are up to standard. At WorkingMouse, we remain committed to delivering secure, robust applications that are built to withstand the evolving threat landscape of 2024. 

2024 WorkingMouse Pty Ltd. All Rights Reserved.