
5 Ways to Ensure Your Software is Secure: A Practical Guide for Today’s Digital Landscape

In today’s cloud-driven world, nearly every software system, app, or website relies on a network of dependencies. From the server that hosts the application to the background services that run essential processes, dependencies are critical components that work together to deliver seamless digital experiences. But what exactly is a dependency, and why is managing these so crucial for security? Let’s break it down in simple terms and dive into the top ways to ensure your software stays secure.

Understanding Dependencies in Modern Software

A dependency refers to any external software, library, or service that a system needs to function correctly. Think of dependencies like the ingredients in a recipe. For example, if you’re making a cake, the flour, sugar, eggs, and milk are all dependencies. Each one is essential to the final product, and if any one of them is missing or spoiled, the cake won’t turn out as planned.

For a basic web application setup, here’s how these “ingredients” might look:

Server: This is like the kitchen where everything comes together and the application “lives.” It hosts the main application and responds to incoming requests from users.

File Server: Imagine a file cabinet where documents, images, and other files are securely stored and accessed only by those with permission.

Web Service: This acts as the server’s assistant, handling requests from users and sending back responses.

Database: Think of this as the pantry that holds all the essential data for the application, like user information and transaction records.

Background Jobs Service: This is like the overnight prep chef, handling tasks that don’t need to happen immediately but are still essential—such as processing uploads, sending notifications, or handling backups.

Email Service: Sends out communications to users, like account confirmations or password resets.

Web Programming Framework & Core Language: Just as a cake recipe follows specific steps, the framework and language (such as Ruby on Rails) provide the structure and rules that guide the development of the application.

Each of these components has its own security requirements and risks. Keeping them updated with patches and security fixes is essential to protect the overall application, and that includes the transitive dependencies your libraries pull in, which you never chose but still have to patch. If even one part of this setup becomes outdated or vulnerable, it can open the door to security risks.

Why Multi-Factor Authentication (MFA) is Now Essential

With rising cybersecurity threats, Multi-Factor Authentication (MFA) is increasingly becoming mandatory. Regulatory bodies across Europe have recognised MFA as a fundamental security measure. The EU instruments that actually speak to authentication are PSD2, whose Strong Customer Authentication rules require two independent factors for online payments, and the NIS2 Directive, which lists multi-factor authentication among the baseline measures that in-scope organisations must adopt. The Digital Services Act (DSA) and Digital Markets Act (DMA) are sometimes cited here too, but they deal with platform content moderation and gatekeeper competition rather than login security. Taken together, these regulations emphasise the need for robust authentication methods, like MFA, to protect user data and prevent unauthorised access.

We appreciate that MFA can feel like a hassle at times—extra steps and codes can interrupt a workflow. But as developers, we know it’s a small price to pay for a much-needed level of defense. MFA adds an extra layer of security by requiring users to verify their identity using at least two factors from different categories (something you know, something you have, something you are), such as a password and a code generated on their mobile device. It’s often implemented in various ways, including:

Email: Receiving a one-time code via email.

SMS: Getting a code sent directly to your phone via text.

Authenticator Apps: Using apps like Google Authenticator or Microsoft Authenticator, which generate time-based one-time passwords (TOTP) locally from a shared secret. Nothing is sent over SMS or email, which removes the SIM-swap and mailbox-takeover risks of the first two options. None of the three resists a real-time phishing proxy that relays the code, though; for that you need FIDO2 security keys or passkeys, which bind the credential to the site’s origin.
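The authenticator-app option above is TOTP (RFC 6238) layered on HOTP (RFC 4226). The following is an added example of the server side of that check, not code from the original post or from any product it mentions: it decodes the base32 setup key an app imports, derives the six-digit code, and verifies a submitted code in constant time, tolerating one 30-second step of clock skew and refusing any counter at or below the last one accepted so a captured code cannot be replayed. The secret shown is the published RFC 6238 test vector, and `last_counter` is assumed to be stored per user by the caller.

```ruby
require "openssl"

module Totp
  ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

  # Decode the base32 setup key that authenticator apps import from the QR code.
  def self.base32_decode(str)
    bits = str.upcase.delete("= ").each_char.map do |c|
      idx = ALPHABET.index(c) or raise ArgumentError, "invalid base32 character #{c.inspect}"
      idx.to_s(2).rjust(5, "0")
    end.join
    bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack("C*")
  end

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
  def self.hotp(secret, counter, digits: 6)
    mac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
    offset = mac[-1] & 0x0f
    code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
           (mac[offset + 2] << 8) | mac[offset + 3]
    (code % 10**digits).to_s.rjust(digits, "0")
  end

  # TOTP (RFC 6238): HOTP where the counter is the number of `step`-second windows since the epoch.
  def self.totp(secret, at: Time.now.to_i, step: 30, digits: 6)
    hotp(secret, at / step, digits: digits)
  end

  # Constant-time comparison: the verifier must not leak how many leading digits matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the counter the code matched, or nil. Accepts +/- `drift` steps of clock skew and
  # rejects any counter at or below `last_counter` (the caller persists it per user) to block replay.
  def self.verify(secret, code, at: Time.now.to_i, step: 30, drift: 1, last_counter: -1)
    counter = at / step
    (-drift..drift).each do |d|
      c = counter + d
      next if c <= last_counter
      return c if secure_equal?(hotp(secret, c), code.to_s)
    end
    nil
  end
end

# RFC 6238 test secret ("12345678901234567890" in base32); a real deployment generates one per user.
RFC_SECRET = Totp.base32_decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if $PROGRAM_NAME == __FILE__
  puts "code at T=59: #{Totp.totp(RFC_SECRET, at: 59)}"
  puts "verify:       #{Totp.verify(RFC_SECRET, '287082', at: 59).inspect}"
  puts "replay:       #{Totp.verify(RFC_SECRET, '287082', at: 59, last_counter: 1).inspect}"
end
```

The replay check matters more than it looks: with a one-step drift window a code stays valid for up to 90 seconds, so without persisting the last accepted counter an attacker who shoulder-surfs or phishes a code can reuse it within that window.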

At Green Gorilla Apps, we’ve tried multiple password managers across the company over the past decade, and our current favorite—one we also recommend to clients—is 1Password. 1Password allows users to manage complex passwords across accounts and can store TOTP secrets alongside them, making the login process both secure and as user-friendly as possible. One caveat: keeping the second factor in the same vault as the password means a compromised vault yields both, so protect the vault itself with a hardware key or a separate authenticator.

Protecting Client Data Through Regular Patching and Anonymisation Strategies

For one of our clients, who operates in a heavily regulated industry, we implemented a comprehensive data security and compliance strategy to align with GDPR and industry-specific requirements. This client, due to legal obligations, must retain core analysis data for a period of seven years. However, retaining personal data beyond necessary use can be a GDPR violation, so we developed a solution to balance data retention with data privacy.

Our approach includes:

Regular Patching: We conduct ongoing patching for all dependencies, ensuring the client’s software remains resilient against vulnerabilities. Regular patching allows us to proactively address known security issues before they become exploitable.

Data Anonymisation Strategy: To keep the analysis data relevant for compliance while protecting user privacy, we implemented a data anonymisation process. After a designated retention period, a scheduled job strips direct identifiers (names, contact details, IP addresses) from each record and moves the remaining analysis data into a separate, access-controlled archive. This lets the client retain essential analytical insights without holding onto sensitive personal information, in line with GDPR’s principle of data minimisation. One distinction is worth stating plainly: if any stable token that can link an archived record back to a person survives (a hashed user ID, for example), GDPR treats the result as pseudonymised data, which is still personal data; anonymisation means the link is gone for good.
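The anonymisation step above, as an added example in plain Ruby rather than the client’s actual job code (which we have not reproduced): it decides whether a record has passed its retention period, drops direct identifiers, and generalises the quasi-identifiers that remain (date of birth to an age band, full postcode to its outward code, creation date to a year). A separate keyed-hash function shows what pseudonymisation looks like so the two are not confused. The record, the field names and the seven-year period are constructed for illustration.

```ruby
require "openssl"
require "date"

# Constructed sample record as it might sit in the live database before the cut-off.
RECORD = {
  "id" => 1042,
  "email" => "jane.doe@example.com",
  "full_name" => "Jane Doe",
  "phone" => "+44 7700 900123",
  "ip_address" => "203.0.113.42",
  "date_of_birth" => "1985-04-12",
  "postcode" => "SW1A 1AA",
  "created_at" => "2017-03-09",
  "analysis_score" => 0.82,
  "category" => "renewal",
}

# Fields that identify a person on their own and are removed outright.
# The primary key goes too: an anonymous record must not be joinable back to the live table.
DIRECT_IDENTIFIERS = %w[id email full_name phone ip_address]

# True once the record is `years` past its creation date (the legal retention period).
def retention_due?(record, today:, years:)
  (Date.parse(record["created_at"]) >> (12 * years)) <= today
end

# Generalise an exact date of birth to a ten-year band, e.g. "30-39".
def age_band(dob, today:)
  age = today.year - dob.year
  age -= 1 if today.month < dob.month || (today.month == dob.month && today.day < dob.day)
  lo = (age / 10) * 10
  "#{lo}-#{lo + 9}"
end

# Return a new hash with direct identifiers removed and quasi-identifiers coarsened.
# Coarsening reduces re-identification risk but does not by itself guarantee that every
# combination of remaining values is shared by several people; check that on the real dataset.
def anonymise(record, today:)
  out = record.reject { |key, _| DIRECT_IDENTIFIERS.include?(key) }
  out["age_band"] = age_band(Date.parse(out.delete("date_of_birth")), today: today)
  out["postcode_area"] = out.delete("postcode").split.first          # "SW1A 1AA" -> "SW1A"
  out["created_year"] = Date.parse(out.delete("created_at")).year    # exact day -> year
  out
end

# Pseudonymisation, for contrast: a keyed hash keeps records of the same subject linkable.
# Whoever holds `key` can re-link the data, so under GDPR this output is still personal data.
def pseudonymous_id(id, key:)
  OpenSSL::HMAC.hexdigest("SHA256", key, id.to_s)
end

if $PROGRAM_NAME == __FILE__
  today = Date.new(2024, 11, 1)
  if retention_due?(RECORD, today: today, years: 7)
    p anonymise(RECORD, today: today)
  end
end
```

Running the job on a schedule is the easy part; the harder operational point is that backups and replicas taken before the job ran still hold the identifiers, so the retention period has to be applied to those copies as well.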

These efforts enable the client to stay compliant while reducing their risk of data breaches and maintaining user trust.

The Importance of Regular Security Updates

For our software, we leverage the Ruby on Rails framework, which provides a reliable and secure foundation for building robust applications. But like any software, Rails has a lifecycle, with periodic updates and eventual end-of-life (EOL) for older versions. Staying on a supported version is critical because outdated frameworks no longer receive security patches, making them vulnerable.

In addition to framework updates, we prioritise:

Library Upgrades: We regularly update all libraries that support the application, as these are common vectors for vulnerabilities.

Database, File Server, and Cloud Infrastructure Maintenance: Databases, file servers, and cloud infrastructure require consistent reviews to ensure they are optimised, secure, and running on the latest versions. Without these updates, systems may experience performance issues, increased costs, and security risks.

Letting software fall behind in the security upgrade cycle has serious consequences. Each Rails series has a published end-of-life date under the Rails maintenance policy; Rails 6.0, for example, is already past the point where it receives security fixes, and every later series has its own cut-off. Once a series reaches EOL, any vulnerability discovered in it stays unpatched in every application still running it. Resources like the Rails maintenance policy page and endoflife.date are useful for tracking the status of core components and planning upgrades before the date arrives.

What Happens When Software Falls Out of the Security Upgrade Cycle

When software dependencies aren’t kept up-to-date, they can fall out of the security upgrade cycle. This means that vulnerabilities are no longer addressed, leaving applications exposed. This scenario is akin to using an expired lock on a door; it may look fine, but it no longer provides adequate protection.

Consider an application still on an EOL Rails series such as Rails 6.0. It no longer receives security patches, so every vulnerability found in that series after its EOL date remains open, and because the fixes are published for supported versions, attackers can read those fixes to learn exactly what the unsupported version is missing. An application in that position is significantly more exposed than one on an actively supported version. For businesses, using outdated frameworks could result in costly security incidents, lost customer trust, and, potentially, regulatory penalties.

Security is an Ongoing Commitment

Securing your software is not a one-time task but an ongoing commitment to regular updates, compliance, and best practices. Ensuring your software’s security involves actively managing dependencies, implementing multi-factor authentication, regularly patching systems, and adhering to regulatory standards. By staying proactive, you protect your business, safeguard customer data, and build lasting trust.

If you’re uncertain about your software’s current security standing, consider scheduling a security review. A strong commitment to security is an investment in the resilience and future growth of your business.
