Serviceteam IT Security News

Just designing a service to be secure is not enough. There will be security implications to many of the decisions made during the build phase too. And no doubt there will be iterations to the design once the build is underway. Consider security as a factor in every decision you make.

Securing commodity components

  • To protect data in transit across untrusted networks, follow our network security advice. There is dedicated advice on using TLS to secure communications between your digital service and users.
  • Deploy the latest versions of all the commodity components you are using, such as operating systems and web development frameworks, to ensure you benefit from the latest security features.
  • Follow the manufacturer’s recommended configuration guidance to protect your server infrastructure. 
  • Containerisation can be great to help you manage your digital service, but we recommend not using containers to separate different trust domains within your system.

Securing your custom software

Whilst working on a digital service you’ll make many important security-related design decisions, but there will be important implementation choices too. You’ll need to think about how to threat model new features, how to perform security testing, how to protect your source code repository and how to protect the integrity of your development environments.

Testing

Testing is the best way of checking the security of the service you’ve built. Even with the best of intentions, it’s common for things to be missed in the configuration of components.

Security and penetration testing should be part of your overall testing. It’s important to do some security testing yourself, to give you confidence that the service you are building is secure. However, you should use professional penetration testers to verify that the service you are building is secure. You’ll know you’re doing a good job at your own internal testing when the professional penetration testers have to work very hard to find a flaw in your system that you were not already aware of and acting on.

When it comes to digital services there are two types of penetration testing that you will need to think about:

  • Web app penetration testing
    concerned with the security of the applications you’ve built or deployed
     
  • Infrastructure penetration testing
    concerned with the underlying infrastructure, networks, operating systems and platforms.

For more information, see our detailed guide on penetration testing.

Source: NCSC
