Yes, it looks good! Yes, it works! But many people and developers overlook the cyber security challenges of web applications. The business must be served and the business functionality has to rock and roll, yet cyber resilience is a prerequisite for offering your business processes through an application. This is another reason why NoCode-X assists you, transparently for you and your developers.
Do not underestimate the importance of cyber resilience. Did you know that the GDPR requires you to protect personal data with appropriate technical measures, which means delivering your services securely? When a company's website is successfully attacked, the lost customer trust is hard to manage or regain. And did you know that an insecure website is easily found, because attackers scan the internet for them routinely?
For these and other reasons, NoCode-X believes that a platform for developing and running your services must be cyber secure by design and by default!
HTTPS instead of HTTP is obviously important for a banking application. But it is just as essential for the security of your own web applications, for your company and for your customers. NoCode-X ships an out-of-the-box cyber-resilient configuration which:
- lets your developers focus on the functionality that serves your business!
- provides security-by-design features such as authenticated access, single sign-on, …
- is secure by default: your data is not automatically exposed to the internet. If you need that, you make it available explicitly through configuration.
- reduces the attack surface your services present to attackers!
A lot of nice promises, so here are some of the security features, based on industry best practices, that NoCode-X offers out of the box. We will explain the "why" and the "what". As for the "how": just start using NoCode-X and the right configuration is already in place under the hood.
Here is the first in a long list of features that are yours to use, namely the "CIPHER".
Ciphers are the key mechanism for protecting information in transit. Cipher suites are an important part of a TLS server configuration: each one is a fixed combination of algorithms that together protect the encrypted traffic between the server and the user. A TLS 1.2 cipher suite defines the following components:
- The key exchange algorithm, which determines how the session secret is agreed and how the server (and optionally the client) is authenticated during the handshake, for example ECDHE combined with an RSA or ECDSA signature.
- The bulk encryption algorithm, which determines how the traffic itself is encrypted, for example AES-128-GCM.
- The message authentication code (MAC) algorithm, which produces an integrity tag for every record so that tampered or replayed traffic is detected. With AEAD ciphers such as AES-GCM or ChaCha20-Poly1305, encryption and integrity protection are provided by a single algorithm.
- The PRF (pseudorandom function), built on a hash such as SHA-256, which expands the negotiated secret together with both parties' random values into the actual encryption and MAC keys of the session. TLS 1.3 replaces the PRF with HKDF, and its suite names (for example TLS_AES_256_GCM_SHA384) name only the AEAD cipher and the hash, because key exchange and authentication are negotiated separately from the suite.
Handshake
A handshake is performed for every new connection between the server and a visitor of a website. During this handshake the client sends a ClientHello listing the cipher suites it supports, and the server answers with a ServerHello naming the one it has selected. A well-configured server picks, according to its own preference order, from the suites that both parties support, and the algorithms of that suite protect the rest of the traffic. If there is no acceptable overlap, the handshake must fail rather than silently fall back to a weak suite.
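To make the suite components and the handshake selection above concrete, here is an added example in Python. It is not NoCode-X code; it parses IANA cipher-suite names (both the TLS 1.2 style with `_WITH_` and the shorter TLS 1.3 style) into the components described above and then performs a server-preference negotiation over a constructed ClientHello list. The policy in `is_acceptable` (forward secrecy and AEAD only) and the suite lists are assumptions chosen for illustration.

```python
"""Added example (not NoCode-X's own code): cipher-suite name parsing and
server-preference negotiation as described in the article."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: Optional[str]  # e.g. "ECDHE"; None for TLS 1.3 names
    auth: Optional[str]          # e.g. "RSA", "ECDSA"; None for TLS 1.3 names
    bulk: str                    # e.g. "AES_128_GCM", "3DES_EDE_CBC"
    mac_or_prf: str              # hash used for HMAC/PRF (HKDF in TLS 1.3)
    tls13: bool

    @property
    def aead(self) -> bool:
        # AEAD modes carry their own integrity tag; no separate MAC needed.
        return any(tag in self.bulk for tag in ("GCM", "CCM", "CHACHA20_POLY1305"))

    @property
    def forward_secret(self) -> bool:
        # TLS 1.3 always uses (EC)DHE. For TLS 1.2 names only the ephemeral
        # variants (DHE, ECDHE) give forward secrecy; static RSA/ECDH do not.
        return self.tls13 or (self.key_exchange or "").endswith("DHE")


def parse_suite(name: str) -> CipherSuite:
    """Split an IANA suite name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:                      # TLS 1.2 style
        kx_auth, rest = body.split("_WITH_", 1)
        parts = kx_auth.split("_", 1)
        kx = parts[0]
        auth = parts[1] if len(parts) == 2 else kx  # TLS_RSA_WITH_...: RSA does both
        tls13 = False
    else:                                     # TLS 1.3 style: AEAD + hash only
        kx, auth, rest, tls13 = None, None, body, True
    bulk, _, mac = rest.rpartition("_")
    return CipherSuite(name, kx, auth, bulk, mac, tls13)


def is_acceptable(suite: CipherSuite) -> bool:
    """Assumed server policy: forward secrecy and AEAD, nothing else."""
    return suite.forward_secret and suite.aead and "NULL" not in suite.bulk


def negotiate(server_preference: list, client_offer: list) -> Optional[str]:
    """Server-preference selection: the first suite in the server's ordered
    list that the client also offered and that passes policy. Returns None
    (the handshake must fail) instead of falling back to a weak suite."""
    offered = set(client_offer)
    for name in server_preference:
        if name in offered and is_acceptable(parse_suite(name)):
            return name
    return None


# Constructed lists for illustration (not from any real ClientHello).
SERVER_PREFERENCE = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",  # forward secret but not AEAD
]
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for n in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"):
        print(parse_suite(n))
    print("modern client ->", negotiate(SERVER_PREFERENCE, MODERN_CLIENT))
    print("legacy client ->", negotiate(SERVER_PREFERENCE, LEGACY_CLIENT))
```

The legacy client only overlaps with the server on a CBC suite, so `negotiate` returns `None`: this is the "fail rather than fall back" behaviour a cipher-rollback attack relies on a server not having. A real TLS 1.3 client negotiates the version and the key-exchange group outside the suite name; the parser only reflects that by leaving `key_exchange` empty.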
Diffie-Hellman
The structure of the cipher suite is very important in determining the most secure option for the server. Which suites count as "most secure" is partly a matter of the server owner's policy, but preference is given to suites that use ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): every connection gets a fresh elliptic-curve key pair, so a recorded session cannot be decrypted later even if the server's long-term private key is compromised (forward secrecy). Suites with static RSA key exchange offer no such protection.
In addition, the cryptographic protocol version matters. Today TLS 1.3 is the norm and TLS 1.2 is accepted. Their predecessors TLS 1.0 and 1.1 (deprecated by the IETF in RFC 8996) and SSL 2.0 and 3.0 are considered insecure because of weaknesses that invite man-in-the-middle attacks. For example, the SSL 2.0 handshake was not integrity-protected, so an attacker could alter it and force a weaker cipher suite than the two parties would normally have chosen.
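As an added illustration of the two points above (prefer ECDHE, refuse pre-TLS 1.2 versions), here is a Python `ssl` server context that enforces them, next to a permissive context showing what a weak setting looks like. This is example code, not NoCode-X's configuration; the cipher string in `STRONG_CIPHERS` is an assumed policy in OpenSSL cipher-list syntax, and the exact suite names returned depend on the OpenSSL build in use.

```python
"""Added example (not NoCode-X's configuration): TLS version floor and
ECDHE/AEAD-only cipher list on a Python ssl.SSLContext."""
import ssl

# Assumed policy in OpenSSL cipher-list syntax. It only governs TLS 1.2 and
# below; OpenSSL manages the TLS 1.3 suites separately and they are all
# AEAD with (EC)DHE key exchange.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def permissive_context() -> ssl.SSLContext:
    """What NOT to ship: no explicit version floor and a cipher list that
    lets static-RSA and CBC suites back in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor (TLS 1.3 stays enabled) and ECDHE + AEAD only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 3.0, TLS 1.0/1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """(name, protocol) for every suite the context would accept."""
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suites still enabled that lack (EC)DHE key exchange. OpenSSL
    names ephemeral suites with a DHE/ECDHE prefix; static ones have none."""
    return [name for name, proto in offered_suites(ctx)
            if proto != "TLSv1.3" and "DHE" not in name]


if __name__ == "__main__":
    print("permissive, non-forward-secret:", non_forward_secret(permissive_context()))
    print("hardened, non-forward-secret:", non_forward_secret(hardened_context()))
    for name, proto in offered_suites(hardened_context()):
        print(proto, name)
```

Running `non_forward_secret` against the two contexts is the check to keep in your test suite: the hardened context must return an empty list, while the permissive one typically lists plain `AES256-GCM-SHA384`-style suites with static RSA key exchange. Hand the hardened context to whatever server you run (`ctx.load_cert_chain(...)` then `ctx.wrap_socket(...)`) and the version floor and cipher policy travel with it.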
How does NoCode-X help you secure your ciphers?
NoCode-X offers out of the box REST APIs, web applications, development, test and production environments, a built-in media library, … All of these are web based and therefore, by their nature, part of the web-facing attack surface an attacker can probe.
NoCode-X's mission statement is to offer secure applications and services. The ciphers in NoCode-X are configured by default according to the best practices of NIST, the National Institute of Standards and Technology, which publishes up-to-date guidance on TLS configuration (SP 800-52 Rev. 2). Data is an essential asset of your company and needs to be protected in the best possible way; therefore the settings are in line with these industry best practices.
Do you have questions about how NoCode-X functions under the hood? Do not hesitate to have a look at our website and reach out!
Reference: Ciphers and cryptography standard