June 03, 2020

The more sophisticated the security measures, and the more thought-through the precautions set up in your corporate database, the more challenges it invites. Some attackers go straight to brute-force solutions and attempt to hack your site and its internal systems. That is easily addressed, as we already discussed in previous articles. But there always remain ways to bend the rules and use legitimate mechanics to harmful ends without outright hacking. How should your company address all of that?

Session security is an important consideration in the design of any system that requires communication between a server and a client. Improper session handling can leave user accounts vulnerable to unauthorized access. A couple of years ago it was considered the second biggest threat to online security, with GitLab and Facebook proving vulnerable and losing account data by the millions. The danger is real for any company, no matter the size. Along with privacy issues and payment data, you have to worry about the integrity of your clients' trust. It is hard to persuade your customers that they can rely on your company while someone tricks the system and you can do nothing about it.

Existing detection methods rely largely on heuristic algorithms, such as tracking sudden changes in IP addresses and browser (or mobile) fingerprints and flagging "unusual user behavior". Unfortunately, these methods can themselves be inaccurate, easy to spoof, and difficult to implement. That is why a team of experienced security specialists who understand all the ins and outs of corporate database security is vital. For example, Tentacle's security specialists quickly detected and stopped a front-end site user from abusing the internal system of the corporate database when the user tried to log in on both a mobile device and a PC in an attempt to subvert the security measures.
The issue was detected and addressed, and the vulnerability closed, in a matter of hours; neither the users nor the clients were affected. Tentacle Solutions has developed methods and strategies to protect their clients' corporate databases from these threats: a login-authentication management system that prevents users from logging in multiple times or from different devices, and a system of checks to prevent roaming users from abusing login sessions and the potential vulnerabilities of the system to steal your company's data. If your company is considering an upgrade to your rusty Access database, or wants to make sure that all your data and internal systems are tightly secured, make sure to drop a line to Tentacle Solutions.

In the next part, we will address different methods of securing your competition site's integrity via session management: authentication management, application of tokens instead of passwords, token encryption, social sign-in, how to choose between them and, better, how to combine them.

Handling loads of data in the age of GDPR is risky and complicated enough by itself without constantly worrying about the security of the whole endeavor. That is why it is better to stay with professional software database developers like Tentacle Solutions, who have established protocols and methods of securing your systems. What are those methods and best practices? All the security issues and potential risks should be evaluated and openly discussed between the company and the development house.

One of the best methods to ensure the safety of your competition site and its databases is to utilize authentication management systems that use authentication tokens. Tokens are a web authentication technique that lets users enter their username and password once and receive a uniquely generated, signed token in exchange. Basically, the digital token proves your competition site user has already been allowed in.
That is a huge step ahead when compared to passwords and other means of login and session management. Two types of tokens dominate the session management niche: JWT and opaque tokens.

A JSON Web Token (JWT) contains specific information that can be interpreted by any party that holds the token. For example, this information can contain the user ID of the user for whom it was issued. The advantage of JWTs is scalability: the backend does not need to do a database lookup for every API call, since the signature alone proves the token was issued by the server. The drawback is that revoking a single token on demand (before it expires) is difficult unless a method like blacklisting is used, which in turn costs some of that scalability. One can, however, revoke all outstanding tokens at once by changing the signing key.

Opaque tokens are random strings that act as pointers to information held only by the system that issues them. They require a database or cache lookup each time they are used, but a single token can easily be revoked on demand by deleting its server-side record.

Implementing one of the above token types, along with social media login and two-step verification, can lower the risk of roaming users and session abuse to a minimum while creating a sense of security and trust between your company and its clients and staff.
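To make the trade-off between the two token types concrete, here is an added example (not code from the original article or from Tentacle Solutions) that implements both in Python using only the standard library. The JWT side is a minimal HS256-style token built with `hmac`: verification needs no server-side state, and rotating the signing key invalidates every token at once, but there is no way to revoke just one. The opaque side is a random handle whose meaning lives only in an in-memory store, so each use costs a lookup and any single token can be revoked. The key, user IDs and timestamps are constructed sample values, and `OpaqueSessionStore` is a hypothetical stand-in for a real cache or database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---------- JWT-style token: self-contained, verified without a lookup ----------

def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(key: bytes, user_id: str, ttl_seconds: int, now: int) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(key: bytes, token: str, now: int):
    """Return the subject if the signature is valid and the token is unexpired, else None.
    Only the key is consulted: no database round-trip, which is the scalability advantage.
    Anyone holding the token can read the claims, so never put secrets in the payload."""
    try:
        header, payload, sig = token.split(".")
        provided = _b64url_decode(sig)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

# ---------- Opaque token: random handle, meaning lives only in the issuer's store ----------

class OpaqueSessionStore:
    """Hypothetical in-memory session store standing in for a database or cache."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "exp": ...}

    def issue(self, user_id: str, ttl_seconds: int, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; carries no information itself
        self._sessions[token] = {"user": user_id, "exp": now + ttl_seconds}
        return token

    def lookup(self, token: str, now: int):
        """Every use costs a lookup, but that is exactly what makes per-token revocation possible."""
        entry = self._sessions.get(token)
        if entry is None or entry["exp"] <= now:
            return None
        return entry["user"]

    def revoke(self, token: str) -> bool:
        """Revoke one session immediately; returns False if it was not active."""
        return self._sessions.pop(token, None) is not None

def demo():
    now = int(time.time())
    key_v1 = secrets.token_bytes(32)          # constructed sample signing key
    jwt = issue_jwt(key_v1, "alice", 3600, now)
    print("JWT verifies with current key:", verify_jwt(key_v1, jwt, now))
    key_v2 = secrets.token_bytes(32)          # rotating the key revokes every outstanding JWT
    print("JWT after key rotation:", verify_jwt(key_v2, jwt, now))

    store = OpaqueSessionStore()
    opaque = store.issue("bob", 3600, now)
    print("opaque lookup:", store.lookup(opaque, now))
    store.revoke(opaque)                      # a single session revoked on demand
    print("opaque after revoke:", store.lookup(opaque, now))

if __name__ == "__main__":
    demo()
```

The two `revoke` paths are the whole point: with the JWT, the only lever is `key_v2`, which logs out every user at once; with the opaque store, `revoke(token)` removes exactly one session, at the cost of a `lookup` on every request. A blacklist for JWTs would reintroduce that per-request lookup, which is the scalability trade-off the article describes.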
Don't take us at our word: one of the biggest names in the business, Google, came up with some of the best practices in login session management, and after reading our article the list will already be familiar to you:

- Hashing passwords
- Allowing third-party identity providers if possible
- Separation of user identity and user account
- Allowing multiple identities to link to a single user account
- Allowing long passwords
- Allowing users to change their username
- Letting users delete their accounts
- Conscious decision-making on session length
- Two-step verification
- Not imposing unreasonable rules for usernames

All of the above should be kept in mind when looking for a software database development company, and all the way through development until the product is delivered to you.