Android Developer Blog: Introducing Security by Design


Posted by Jon Markoff, Staff Development Lawyer and Sean Smith, Technical Program Manager

Android header graphic

As a developer, are you struggling with when to incorporate security threat protection into your roadmap? Integrating security into your application development lifecycle can save you a lot of time, money, and risk. This is why we launched Safety by design at Google Play Academy to help developers proactively identify, mitigate, and protect against security threats.

The Android ecosystem, including Google Play, has many built-in security features that help protect developers and users. The lesson Introduction to Application Security Best Practices takes these protections a step further by helping you take advantage of additional security features to integrate into your application. For example, Jetpack security helps developers to properly encrypt their data at rest and only provides safe and well-known algorithms for encrypting files and shared preferences. Are you concerned about using rooted or compromised devices that may allow a malicious actor to use your app in an unauthorized manner? the SafetyNet attestation API is a solution to help identify potentially unsafe usage patterns. There are several common design vulnerabilities that are important to look out for, including use of shared or inappropriate file storage, use of unsafe protocols, unprotected components like activities, and more. The course also provides methods for testing your application, in order to protect applications in the wild after launch. Finally, you can set up a Vulnerability Disclosure Program (VDP) to hire security researchers to help you.

In the next course, you will learn how to integrate security into every step of the development process by adopting the Safety development life cycle. SDL is an industry standard process and in this course you will learn the fundamentals of setting up a program, obtaining executive sponsorship, and integrating into your development cycle.

security development lifecycle graph

Threat modeling is part of the security development lifecycle. In this course, you will learn to think like an attacker to identify, categorize, and deal with threats. By doing this early in the design phase of development, you can identify potential threats and start planning how to mitigate them at lower cost and create a more secure product for your users.

Security design graphic

Improving the security of your application is a never-ending process. Subscribe to Security by Design module where, in a few short courses, you will learn how to integrate security into your application development lifecycle, how to model potential threats and application security best practices in your application, and how to avoid pitfalls potentials of conception.



Source Link

Please follow and like us: