Security training OWASP TOP 10 – Is it worth investing in it? Take a look at our experience!

Have you watched this year’s WWDC conference from Apple? While in the past the main attraction of their presentations was mainly the nice design and fine-tuned functionality, today it is different. Recently, the topic of personal data protection and security has taken an important place. In the context of several recent scandals, it is gaining more and more attention. Users themselves are also much more interested in how companies process sensitive data and how secure this data is with them.

For us at GoodRequest, security is always a priority. Not as a phrase, but as a natural part of every internal process or client project. That is why, as part of our educational process, this year we are focusing on improving the security of our applications and the protection of the personal data in them. We have just completed security training focused on the most common vulnerabilities of web applications, the OWASP TOP 10. In the following lines, I will describe how it went and also the reasons why it does or does not pay off to invest in it.

Who is security training aimed at?

You may say that security does not concern you, because you only implement a thin client, whether a web or mobile application, and security is handled mainly by the backend developers. However, the opposite is true: there are a number of vulnerabilities that are exploited through an improperly implemented frontend. Application security is a very complex matter, and it is necessary that at least the most common vulnerabilities are known to all team members and that they know how to protect their application against them. At such a training, you will really see that one single mistake in the most hidden part of the application is enough to lead to the compromise of sensitive user data. Therefore, we decided to involve all members of the web team (from absolute juniors to leaders) as well as a representative of the QA department.

How does the security training proceed?

Our trainer was the ethical hacker Tomáš. He presented the theoretical basis for each point in the OWASP TOP 10 ranking (more on this list at the end of the article), and then we tested the theory directly in practice by “hacking” test applications designed specifically to demonstrate the best-known vulnerabilities. Of course, there was also a discussion about our technical solutions and a comparison with Tomáš’s experience.

During the training, we fully realized how important it is to keep up with the times and use the latest available (but also sufficiently community-proven) technologies. Many attacks are feasible only on older technologies, or their outdated ve

The quality of our technology stack was shown by the fact that we were not able to reproduce any of the tested vulnerabilities on our production applications, and the discussion was more at a theoretical level.

At this level, we discussed how we could further strengthen our already very secure applications.

Who is an ethical hacker?

At first glance, the phrase “ethical hacker” may sound like an oxymoron. However, there really are people who, in their spare time, try to improve the security of applications on the Internet without any malicious intent. They point out the vulnerabilities they have identified and push technology companies to fix them as soon as possible. Sometimes they also get rewarded for it (often only symbolically), but the greater satisfaction for them is that they managed to reveal the vulnerability before hackers from the illegal side of the barricade did. Tomáš shared with us a few stories from his career as an ethical hacker, and it was really very interesting to listen to.

What are penetration tests and what are they for?

The best protection against vulnerabilities is regular penetration testing of the application, ideally performed for each production release. We already have practical experience with penetration tests from Citadelo, as they have tested several applications from our production. We are glad that they have not identified any critical vulnerabilities yet. However, their recommendations helped us to secure the applications even more, even against situations that are currently possible only at a theoretical level but could become real in the future.

Make sure your data hasn’t been stolen (and be prepared to be surprised)

Did you know that you can easily verify whether your current password has been stolen and published on the Internet without your knowledge in the past? On this website, you can find out whether your login details have ever been compromised by entering your e-mail address. We were sincerely surprised that each of us had at some point been a victim of such a data leak. That’s why it’s extremely important to use a unique, strong enough password for each service, or to use a password manager. Of course, we recommend using two-factor authentication wherever possible (especially for your primary e-mail inbox).

Try “hacking” on your own

If you want to try some of the vulnerabilities in your spare time, be sure not to do so on production applications available on the Internet. It’s illegal and you could get into big trouble. For this purpose, for example, the DVWA (Damn Vulnerable Web Application) project is used: it contains an application susceptible to the vulnerabilities from the OWASP TOP 10 list, and you can run it, for example, in a virtual machine. It contains several difficulty levels and also instructions on how to work through each of them.

What is the OWASP TOP 10?

The Open Web Application Security Project is an international non-profit organization dedicated to raising awareness of the most common application vulnerabilities and of ways to avoid them. Every year, therefore, it publishes a list of the TOP 10 most critical vulnerabilities, which is always updated based on current security trends.

This year’s OWASP TOP 10 2020 ranking looks like this:

1. Injection

“Injection” attacks aim at misusing unsanitized (or insufficiently sanitized) user input: when we blindly trust the data that enters the application, attackers can use it to gain access to the data or even to the entire application. It is therefore necessary to use time-tested methods to sanitize all application inputs and to test the application thoroughly for these vulnerabilities after each release.

2. Broken Authentication

This vulnerability is best illustrated by the well-known wisdom about reinventing the wheel. Naively trying to implement your own authentication is practically a guarantee of a successful hacker attack. Rely on a verified standard such as OAuth 2.0.

3. Sensitive Data Exposure

Even if an attacker gains access to the contents of the database, it is the responsibility of each developer to protect sensitive user data against further misuse. It is therefore necessary, for example, to protect passwords using the correct asymmetric encryption technology together with a cryptographic salt and pepper.
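Added example, not from the article, of what the salt and pepper above look like in practice. Note that the established technique for stored passwords is one-way, deliberately slow, salted hashing (here scrypt from Python’s hashlib) rather than reversible encryption; the pepper value and cost parameters are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed pepper: in a real deployment it lives outside the database
# (environment variable, secret store), never next to the hashes it protects.
PEPPER = b"example-pepper-keep-out-of-the-db"

# scrypt cost parameters (constructed values; raise n as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    # The pepper is mixed in via HMAC before the slow hash, so a dumped table
    # of salts and digests is useless for guessing without the pepper too.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(
        peppered, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )


def hash_password(password: str) -> str:
    """Return a storable string: scheme, cost, per-user salt and digest."""
    # A fresh random salt per user means two equal passwords never share a digest,
    # which defeats precomputed tables.
    salt = os.urandom(16)
    return f"scrypt${SCRYPT_N}${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, n, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "scrypt" or int(n) != SCRYPT_N:
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```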

4. XML External Entities (XXE)

Although XML is no longer the latest trend and its use is gradually declining, incorrectly implemented XML document parsing can very easily compromise our application. Therefore, before using any XML parser, familiarize yourself in detail with its documentation, and if the use of XML is not explicitly necessary, prefer the less complex and thus more secure JSON for communication.
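An added example (not from the article) of the defensive stance the paragraph recommends: refusing any document that carries a DTD before it reaches the parser at all. It assumes UTF-8 input and Python’s standard-library ElementTree; both sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Conservative pre-check: application data exchanged as XML never needs a DTD,
# so any DOCTYPE or ENTITY declaration is refused before the parser sees it.
_DTD_MARKER = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, rejecting anything with a DTD."""
    # Accept only UTF-8, so the textual check cannot be dodged with another
    # encoding (UnicodeDecodeError is a ValueError, so it is rejected alike).
    text = data.decode("utf-8")
    if _DTD_MARKER.search(text):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    # Python's expat-based ElementTree does not fetch external entities by
    # itself, but the explicit refusal keeps the policy visible and does not
    # depend on the defaults of whichever parser is used later.
    return ET.fromstring(text)


# Constructed sample documents.
BENIGN = b'<order><item sku="A-1" qty="2"/></order>'
WITH_DTD = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example/secret">]>'
    b'<order><item sku="&ext;"/></order>'
)


def demo() -> tuple:
    """Return the parsed sku from the benign document and whether the DTD one was refused."""
    sku = parse_untrusted_xml(BENIGN).find("item").get("sku")
    try:
        parse_untrusted_xml(WITH_DTD)
        rejected = False
    except ValueError:
        rejected = True
    return sku, rejected
```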

5. Broken Access Control

Broken Access Control attacks focus on misusing system access rights (such as a non-privileged user’s login token) to reach a protected area that should only be accessible to an administrator. To secure login tokens against misuse, the application backend should verify with each request whether the user has access to the given functionality.
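Added illustration, not the project’s code: a server-side check that runs on every request, resolving the token to a role on the backend rather than trusting anything the client claims about itself. The session table, roles and endpoints are constructed assumptions.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed token store standing in for a signed session or JWT lookup;
# the shape of the check is the same either way.
SESSIONS = {
    "tok-admin-1": {"user": "alice", "role": "admin"},
    "tok-user-7": {"user": "bob", "role": "user"},
}


@dataclass
class Response:
    status: int
    body: str


def require_role(*allowed: str):
    """Decorator: resolve the token on every request and enforce the role server-side."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(token: str, *args, **kwargs):
            session = SESSIONS.get(token)
            if session is None:
                return Response(401, "authentication required")
            if session["role"] not in allowed:
                # Deny by default: a valid token is not the same as permission.
                return Response(403, "forbidden")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(session: dict, target: str) -> Response:
    # Admin-only functionality: the role check above is the only gate needed.
    return Response(200, f"{session['user']} deleted {target}")


@require_role("admin", "user")
def view_profile(session: dict, target: str) -> Response:
    # Object-level check: an ordinary user may only read their own profile,
    # however the request names the target.
    if session["role"] != "admin" and session["user"] != target:
        return Response(403, "forbidden")
    return Response(200, f"profile of {target}")
```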

6. Security Misconfiguration

A very common problem is a misconfiguration of the application framework itself which, in the event of an error in production, publishes an overly detailed error message that helps attackers in their attempt to break the application’s protection. Before deploying the application, always make sure that you have turned off debug mode, removed all publicly accessible logs and send users only general error messages (in no case direct output from the database).

7. Cross-Site Scripting

If application users can add their own content (such as comments, ratings, etc.), XSS is a very common problem. As with injection attacks, every user input must be thoroughly validated using the proven tools provided by your chosen framework.
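Added example, not from the article: the same user comment rendered with raw interpolation and with escaping appropriate to the HTML context, plus the attribute-context case where escaping alone is not enough. The sample input is constructed.

```python
import html
import re


def render_comment_vulnerable(author: str, text: str) -> str:
    # User-controlled strings dropped straight into markup become markup.
    return f'<div class="comment"><b>{author}</b>: {text}</div>'


def render_comment_safe(author: str, text: str) -> str:
    # Escape at output time, for the context the value lands in (HTML body);
    # validation on input does not replace this step.
    return (
        f'<div class="comment"><b>{html.escape(author)}</b>: '
        f'{html.escape(text)}</div>'
    )


def safe_profile_link(url: str) -> str:
    # An href attribute needs more than escaping: a javascript: URL survives
    # html.escape unchanged, so the scheme is restricted as well.
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


# Constructed sample comment, as an attacker-controlled user would submit it.
SAMPLE = ("mallory", "<script>alert(1)</script>")


def demo() -> dict:
    """Render the sample both ways and exercise the link helper."""
    return {
        "vulnerable": render_comment_vulnerable(*SAMPLE),
        "safe": render_comment_safe(*SAMPLE),
        "link_ok": safe_profile_link("https://example.com/u/1"),
        "link_blocked": safe_profile_link("javascript:alert(1)"),
    }
```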

8. Insecure Deserialization

Do you really need to use serialization and deserialization in your application? If so, it is again appropriate to study the documentation of the serialization libraries thoroughly and to consider all the risks involved.

9. Using Components with Known Vulnerabilities

WordPress is the most widely used framework on the world wide web, and most of its vulnerabilities are caused by outdated versions of WordPress itself, but especially by the plugins and libraries it uses. Therefore, don’t forget to update all the libraries and extensions in your projects regularly, and ideally also review whether you really need all of these libraries.

10. Insufficient Logging And Monitoring

If someone attacks you, there’s nothing worse than not even knowing about it. The sooner you are informed about a possible attack, the faster you can react to it and reduce its effects as much as possible.
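Added example serving points 6 and 10 above (not from the article): an error handler that sends the client only a generic message with an incident reference, writes the full detail to a structured server log, and a minimal monitoring rule over that log. The in-memory log sink, the simulated failure and the alert threshold are constructed.

```python
import json
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log sink so the example runs offline; in production
# this is the server log that monitoring and alerting read from.
LOG_BUFFER = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.INFO)
logger.handlers.clear()
logger.addHandler(logging.StreamHandler(LOG_BUFFER))
logger.propagate = False

DEBUG = False  # keep False in production: stack traces never reach the client


class DatabaseError(Exception):
    pass


def run(user: str, action: str) -> str:
    # Constructed failure standing in for a real backend error.
    if action == "report":
        raise DatabaseError("relation reports does not exist at line 1")
    return f"{action} done for {user}"


def handle_request(user: str, action: str) -> dict:
    """Run the action; on failure log full detail server-side, return a generic body."""
    try:
        return {"status": 200, "body": run(user, action)}
    except Exception as exc:
        incident_id = uuid.uuid4().hex[:12]
        # The operator gets everything, tied to an incident id, as one JSON line.
        logger.error(json.dumps({
            "event": "unhandled_error", "incident": incident_id, "user": user,
            "action": action, "error": repr(exc), "trace": traceback.format_exc(),
        }))
        if DEBUG:
            return {"status": 500, "body": traceback.format_exc()}
        # The client learns only that something failed and how to reference it.
        return {"status": 500, "body": f"Internal error, reference {incident_id}"}


def record_auth_failure(user: str) -> None:
    logger.warning(json.dumps({"event": "auth_failure", "user": user}))


def alerts(threshold: int = 3) -> list:
    """Minimal monitoring rule: users with at least `threshold` failed logins in the log."""
    counts = {}
    for line in LOG_BUFFER.getvalue().splitlines():
        entry = json.loads(line)
        if entry["event"] == "auth_failure":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```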

Find out more on the official website of the OWASP project.

Is investing in safety training worthwhile?

From our point of view, the security of applications (and of the sensitive data in them) is an extremely important topic today. For a company that develops such solutions, there is no bigger nightmare and no worse marketing scandal than newspaper headlines pointing out that you neglected something and many people lost their privacy due to your carelessness. So we think that in this case, entrusting yourself to professionals with many years of experience is an investment that will definitely pay off in the future.

You can also look at the previous lines in the context of the specific applications and web solutions we develop. Thanks to this, you will understand even better why we approach security so responsibly and what data we work with in various projects. Take a look at our portfolio. 🙂

Agile is not just a SCRUM. Are you really ready for an agile approach?

Imagine that you open a cookbook and choose a recipe (project method/technique) based on what you want to cook (the project).

It would be easy, don’t you think? I think it’s possible to create a set of rules for choosing the correct agile methodology. I would say there is more than just SCRUM.

How do I decide on the correct agile methodology for a project?

There are several inputs to consider. For this article, you need to know the basics of agile methodologies. Let’s start.

How many people will be on the project?

When you get a project, you start to analyze the requirements and timeline based on the client’s inputs. From this point, you will know how many developers you will need to achieve the project goal. If there will be only 2 developers, then I would go with Kanban. The reason is that the project team is too small to use SCRUM or XP. A good practice is to have 5-9 developers in one SCRUM team. If you have more developers, then you should split one team into 2 smaller teams. If you have fewer than 5 developers, use different methodologies like Kanban or ScrumBan.

Project timeline

In my opinion, a longer timeline means using a more stable, transparent and organized methodology. For example, if I know that a project will run less than 3 months, then I would choose Kanban or ScrumBan, even if there will be 9 developers. But if the project will run longer than 3 months, I prefer to lead the project by SCRUM.

Project purpose

This point is tricky. In the previous points I mentioned which methodology I would use; this last point changes it even more. When I get a project that we are going to build from scratch or for a start-up, and it requires weekly or even daily changes in priorities, then it doesn’t make sense to me to start with SCRUM. I would go with ScrumBan and later easily switch to SCRUM, once the product owner is able to set priorities clearly for a stable sprint period.

If the project has a service/maintenance purpose and you have a backlog, but even tomorrow morning you can receive new priorities from the client or new bugs to fix, then I would go with Kanban.

At the end

These three points are the basics, and additionally you have to take into account whether your colleagues (developers) are ready for the selected agile methodology. If not, then you need to be careful and teach them the basics. Encourage and coach them. Communication and explanation are the most useful strategy here.

Besides colleagues, there is another point you need to take into account: your own company and the customer’s. Both of them need to be aware of the methodology and accept or understand it. Why? That is for another article 🙂

One more thing: do not hesitate to change methodologies across projects. It’s your comfort zone to use the same processes and methods as before. Just step out and try something new.

Waterfall was a good project methodology for a long time, and now you can see there are a number of better methodologies that can make your project successful for you and your customer.

How do you approach project management in your company? Which approach is closer to you and why? Share with me in the comments.

mDev camp: 8 ideas, 60 seconds of reading. What interested us?

The unique year of mDev camp calls for a unique report. We decided not to write a detailed summary of the lectures as usual; instead, each member of the Android team contributes one idea that resonated with him or her.

In the end, it’s a bunch of interesting and inspiring ideas, as something different caught everyone’s attention. So let’s do it!

  • The total cost of refactoring is always higher than a complete rewrite. However, the impact on the organization is usually much smaller.
  • Your way of expressing ideas may not be easy for everyone to understand (especially if you express them in a foreign language), which can lead to misunderstandings.
  • TIP: How to limit procrastination on your mobile phone? Just turn on black and white mode and suddenly the brain finds it significantly less attractive.
  • From a psychological point of view, artists and the homeless are quite similar, because they live mainly in the present. But artists are more acceptable to society because, from its point of view, “at least they do something”.
  • What “time” do you live in mentally? Zimbardo’s time perspective questionnaire has the answer.
  • If you want to make a modular application, think carefully about whether it provides any added value. Make sure it is not over-engineering, especially for small projects. Many people are aware of this, but modularization is IN now and that is why they forget about it. 🙂
  • We spend most of our lives at work. If we want our work to be more fulfilling, it is important to see how beneficial our efforts have been for society.
  • Code generation is useful because it makes people happy. :D

Did you participate in mDevCamp? Which ideas fascinated you? Share with us in the comments. 🙂

How has the pandemic affected the mobile developer’s line of work?

The recent COVID pandemic has affected all of us in one way or another, as businesses were forced to shut down and preventive measures were adopted to flatten the curve.

Despite all this, mDev camp started with a strong community spirit by facing the subject of COVID from the mobile developer’s perspective.

We heard from Jakub Nešetřil from Česko.Digital about how the eRouška project, which helped to track and notify users about a possible infection near them, quickly gained popularity and protected public health in a significant way, and about the challenges this project faced.

This was followed by a talk from Marc Pous from Balena, a company considered an expert in IoT fleet management. He talked about using IoT devices to crunch data in protein folding simulations on a distributed computing network.

Many devices are not being used to their full potential, be it an old mobile phone or a tablet just lying somewhere gathering dust. These could be used in a distributed network to analyze the COVID protein, allowing scientists and doctors to make faster progress in finding potential treatments for COVID-19. One device might not do much, but putting a lot of them together in a joint effort can create a powerful network capable of rivaling even a supercomputer. From an ecological standpoint, it gives the unused device a new use and gives you a good feeling about contributing to something bigger that could save millions of lives.

Next up was Aleksandra Komagorkina, a chemical technologist who switched to UI/UX design a few years ago, talking about the ultimate guide to battery optimization. She explained that very common operations on the iOS platform, like retrieving the location, playing multimedia and more, can deplete the battery rather quickly. This can be debugged using tools like MetricKit, embedded in Xcode, to help us analyze the flow of the application and avoid these mistakes.

Optimizing battery usage translates directly into energy efficiency and app performance and responsiveness, and that is also a great reason to convince your project manager to care about battery optimization, since it means happier customers and therefore heartwarming reviews for your app.

These were just a few of the talks you could see during the mDevCamp virtual conference, which was a great opportunity to gather ideas and insights with the power to have a real, significant impact.

You can read more about the project eRouška here.
To join the fight against COVID from any device of your choice go here.

What do I expect Apple will be like after WWDC 2020?

Apple’s largest developer conference is just around the corner. For iOS developers, it’s like Christmas in the middle of June and for the whole mobile and computer industry, it’s the breakpoint that will set the direction for software development in the coming years.

What do you think Apple will be like after this year’s WWDC? I think it will be more multiplatform and more open. Let me explain.

More multiplatform

Well, multiplatform the Apple way: don’t expect that you will build iOS projects on Android. Instead, Apple is doing a lot to make development more multiplatform within its own platforms: iOS, iPadOS, macOS, watchOS and tvOS.

Mac Catalyst project

Introduced last year at WWDC, Mac Catalyst provides an easy way to bring iPad apps to macOS with just a click of a checkbox. It further enhances the multiplatform approach, which should make development for multiple devices a lot easier and eventually lead to a better app ecosystem. This year we will probably see more iPad apps migrated to macOS and other improvements to Catalyst that may lead to the long-rumored ARM Mac computer.

SwiftUI & Combine frameworks

Last year Apple changed course on application architecture by adding SwiftUI and Combine to its SDKs. These frameworks provide a more declarative way to build the user interface and handle asynchronous events. The declarative approach in particular allows the codebase to be more multiplatform. It was the first step towards getting rid of the MVC (Model View Controller) pattern that has been baked into the SDKs since the first iPhone OS SDK came out in 2008. One year in, there is no doubt Apple will build on these foundations and make SwiftUI and Combine even more powerful.

Xcode in your pocket

With all the multiplatform effort, it will be interesting to see whether Apple can make development itself more multiplatform. There is some evidence in leaked iOS/iPadOS 14 builds that a mobile Xcode is coming soon. We have yet to see how this Xcode integration will work, but don’t expect a full-featured IDE like on macOS.

More open

Not everybody may notice it, but Apple is trying to be more open. It probably started a couple of years ago when the Swift language went open source. Since then there have been other attempts to make the Apple ecosystem more open, for example opening the AirPlay 2.0 standard and the Apple TV app to other manufacturers. I think this is a good direction, and we will see more openness this year too.

Coronavirus global response

As the situation around the global health crisis is stabilizing, there is no doubt that it will affect large developer conferences like WWDC and the whole tech industry. WWDC this year will be held fully online; that’s no surprise given that all the other big companies are moving their conferences online too. Apple has already slipped some corona-related improvements, like unlocking devices with Face ID while wearing a face mask, into iOS 13.x releases. Another proof of openness is that Apple collaborated with long-term rival Google on a corona tracking tool for smartphones, which provides an API for contact tracing while maintaining a high level of personal privacy. There may be other features coming in iOS 14 to help tackle pandemic situations, which in the future may occur more frequently than we are used to.

Switch default apps

Another feature that has been a long time coming is switching default apps like the web browser, e-mail client or music player. This is common on desktop or Android, but still missing on iOS and iPadOS. Switching default apps may boost third-party app usage and improve the general user experience on the platform. It may further enhance automation using Siri, Shortcuts and HomeKit across the whole ecosystem.

Continuous stagnation

Over two years ago Apple acquired the CI/CD (continuous integration, continuous development) tool BuddyBuild. Nothing has changed since then regarding Apple’s approach to continuous integration and delivery. Also, Apple’s own Xcode Server lags behind the competition with almost no improvements or bug fixes. This year we expect (same as last year) a breakthrough in this field, with Apple introducing a service that will combine the knowledge from BuddyBuild and Xcode Server.

Missing documentation

Apple is pretty good at documentation… if it writes any at all. Many developers complain about the lack of documentation from Apple. There are frameworks and changes introduced in past years that are still missing any documentation. So this is more of a hope than an expectation: that Apple will improve the state of its documentation.

One more thing! There is always some surprise from Apple that nobody expects. What is your tip for this year?

Suit and development. Why are they more similar than you think?

Why is custom development so expensive? It is a common question from customers who have no experience with the development of a software project. The best answer to this question is that it is like a custom-made suit from an Italian tailor versus a regular suit that you can buy in a shopping center.

A regular suit is great for your prom, but you don’t want to have a wedding or business meeting in it. In the software development world, this means that you don’t need a great custom website when you are a startup; a good MVP on a CMS like WordPress is enough to start.

I found a lot of similarities when I searched the Internet for the keyword “Benefits Of Having a Custom Made Suit”.

Similarities between custom development and a great custom-made suit

Quality Materials Are Used — Quality code

This is something that is not visible, but having clean code (code that’s easy to understand and change) can make a lot of things easier for you in the future. Code quality is assured by a good development and QA team.

Fits You Better — Custom UX/UI design

Custom development has more possibilities to make a website visually attractive, easy to use and efficient when it comes to creating a satisfactory user experience.

You Can Highlight Your Personal Style — SEO

Custom development contributes to better SEO positioning on search engines, since it is created from scratch and all the development stems from the primary search engines’ preferences.

Your Clothes Last Longer — Scalability and security

Custom websites are highly scalable, and you can get to wherever you want to go. Everything depends only on you and your developer. There are also higher security guarantees on a custom website in the face of possible cyber-attacks, since custom code is less accessible to hackers. Nobody will steal your suit 🙂

What about your opinion? Would you add something else? Let us know in comments!

Matter or not? The man-day rate.

One of the very first questions coming from potential clients is what our man-day rate is. Obviously. Money and costs are crucial for any project. They define the return on your investment and basically determine whether or not the project will be started. This information is definitely important, but is it the most important? We took a closer look at it and we think maybe it’s not. We put together a list of several factors you should consider and evaluate before the man-day rate. Have a look at our top 3 factors on which you should base your choice of an agency for your next world-changing project 🙂

1. Recommendations

Go through the projects they’ve done. An agency of mid+ size has definitely worked on many projects, and some of them might be comparable to your solution. Have a look at them: how they look, how they work. In the case of apps, check their reviews on the Apple App Store and Google Play. Don’t build your opinion on case studies only. Case studies give you a great perspective, but give it a try and check how those projects work in real life. Download the app, go to the website and click through it. Ask for contacts of project managers on the client’s side. A serious agency would have no problem giving you those contacts. Calls with relevant clients can give you a better perspective than hundreds of pages of presentations. If you have contacts in that field, try to find some feedback on them within your network. Word of mouth works best.

2. Long-term aspect

Stop looking at the deal as a one-time job. Consider it a long-term relationship. Want to do it fast and cheap? Well, then expect quality of that level as well. We all want the projects we work on to grow, no matter whether from the client’s or the vendor’s perspective. Look for a partner as if you would like to work with them for years. Consider whether they have done projects in the past that grew from hundreds to millions of users. Are they ready to scale with you, not just from an infrastructure perspective, but also from a management and quality perspective? An SLA should be the very first thing they mention when you start a conversation about this. Ask them, challenge them 🙂 if they are ready, their answers will satisfy you.

3. Team

It’s people, the team, who create, build and maintain your project. People build the brand of the agency you are planning to work with. Believe it or not, people are the most valuable asset your future vendor has. And that’s good. Now you need to find out whether that team is capable of delivering your project, and whether you can work with them with ease. Check them on LinkedIn. Have a look at their skill set, the projects they’ve worked on, the posts they’ve published and generally what impression they leave on you. You need experts, but you need teammates as well: a team that will work with you and that you can count on. Challenges always come; have A-players on board with you and you will overcome anything.

At the end of the day, the most important thing is the value you get from that partnership. Value for you as a client should ideally be defined by some KPIs, e.g. time to deliver expected results, complexity of functionalities, quality of the code, quality of the user experience, stability, flexibility of your partner, satisfaction with communication. But some are harder to define, so don’t be afraid to rely on your gut feeling. The man-day rate is important; it tells you a lot. But never underestimate recommendations, the long-term aspect and the team.

So what do you think? Do you agree? Or is your experience different? Let me know. I’m excited to hear your feedback.

GoodPagerIndicator – our own implementation of indicator for ViewPager2

GoodPagerIndicator for ViewPager2 is ready for your project. 🙂
Tested and ready as version 1.0.0.

What does it offer?

  • Several basic and non-traditional implementations of the indicator for ViewPager2, such as the pie indicator or the indicator that shows percentages.
  • At the same time, it provides several abstract classes that allow you to easily create your own visuals for your indicator. They will also allow us to supply you with new visuals very quickly.
  • All implementations allow you to process swipe and also click events for faster navigation between pages.

GoodPagerIndicator, which gives this library its name, distributes progress between several dots, not just two adjacent ones. Most libraries do not solve this problem.

You can set the minimum or maximum dot size, color of active or inactive one, interpolators and many other parameters to make your application stand out better.

The library is hosted on jitpack.io. Thanks to that, it will be easy to use in your project as well.

You can find all the details and necessary information on our GitHub project.

IT security through the eyes of a client: How to choose and check a partner for my type of business?

Security requirements, restrictions or regulations vary from project to project. It depends on the project’s complexity, or on the industry in which the partner operates and where it will find its users.

What is this claim based on? Well, over the course of six years, we have had the honor of making a wide range of projects with our partners. Banking, healthcare, biometrics, finance, internal information systems, sport… Each of them has taught us something and, for the future, has given us the answer to a question we would often have liked to know earlier.

We will look at the topic through questions that could interest a company or entrepreneur, and we will try to share a few (we believe useful) experiences.

The questions are answered by CEO Tomáš Lodňan and CTO Marek Špalek.

1. Why should I think about security as a project sponsor? Shouldn’t that just be the provider’s job?

Of course, security needs to be considered from scratch. Data is a new currency, so you need to manage it. Would you leave your savings on the street? Probably not. As the operator, you are responsible for the way the data is managed and, in case of a leak or attack, you will also need to inform the competent authorities and bear any penalties. Therefore, I would not underestimate it at all. However, the provider can be extremely helpful to you, so choose one who has experience with it and can advise you.


2. What is the absolute basis of data security, without which I should not move anywhere at the moment?

It is especially important to set the process of data acquisition and processing itself to be the least exposed to the possibility of human failure or other external factors.

In GoodRequest, we have adopted this rule: “You need one place where the truth is. And it’s on the server.” Keeping the rule pays off for websites and applications. At the same time, it applies to all projects, especially those which are really extremely sensitive to data, such as a bank or clinic. Then other special regulations and rules come into play.

In addition, there are principles about the HTTPS protocol, data protection throughout its journey, etc. They are certainly not unknown to any serious development company or freelancer.


3. Isn’t GDPR unnecessary? Why is it necessary, and not only for websites and apps?

It’s definitely not unnecessary. Developers and even users confirm it so many times. Many argue that everything needs to be agreed or approved. However, keep in mind that agreement to the processing of personal data is only the beginning of your “relationship” with the service provider; this relationship then determines how your data will be handled. Imagine not having to do this and your service provider taking any of your data without your knowledge. Consequence? We’ve seen a few in the past. Influencing elections, unfair practices, loss of privacy and so on. Therefore, I personally think that the GDPR is perhaps the most fundamental legislative standard in terms of data security in the last 10 years.

4. What about security for websites as well as apps and information systems? What is the difference?

Security always depends on the sensitivity of the data you work with. The more security and protection you want to provide, the more your costs will increase. Simply speaking, it is always necessary to consider what risks the easier solution will bring and whether, in the context of the project, it will endanger users, the product, or your reputation. So it is clear that if you are making a banking application or a system for a clinic, you are working with the highest level of security available. But with a smaller project, such as a website for your gallery, encryption, secure communication via HTTPS and a normal level of security are enough for you.


5. Are there differences across sectors? Which have the most significant specifics?

Certainly yes. It would be a very long and extensive response if we addressed each industry one by one. It is therefore best to consult experts. But keep it simple – the more data, the bigger the responsibility. The more sensitive the data, the greater the multi-party requirements. One of those parties is also the state.

6. How do I check the provider? What questions should I ask, and what answers should I expect, to check qualification and credibility?

Best by means of references. A trustworthy and serious company does not hide them and they are easy to find. It’s a nice springboard for the first survey. However, as they say, you can say what you like on paper; therefore, if you find your “favourite”, I recommend asking for specific references and a contact for the person who managed the project with the company. Typically it can be a project manager, a business owner, or a product owner on behalf of the client. They can definitely give you the best feedback on the provider himself. Finally, if it is possible from the point of view of the project and its budget, I recommend hiring a company that does penetration tests, so that you have the so-called second pair of eyes to check it all out.


Is the topic of creating websites and applications, and the approach to security in a software company, interesting to you? Would you like to know more about how the search for a partner can lead to a website or application with millions of users?

Tomáš shared all this in the NaRovinu podcast on business.


If you did not find the answer to your question in this interview, or if you have any additional ones, contact Tomáš. You can find his LinkedIn profile right here.

7x Figma plugins that make designer‘s and developer‘s life easier


Our team has been using Figma for a while now. When we were considering the change, we often encountered outages. Since then we have noticed that Figma is constantly getting better. It’s definitely a great replacement for Sketch.

Some time ago, plugins were launched in Figma to help and simplify the work of designers and developers.

You can find the plugins directly in Figma under the Plugins menu and install them from there. The advantage is that you don’t have to search for and download them from external sites, as was the case with Sketch.

In this article we have 7 top Figma plugins for you which we use and which are worth trying.

And here you can get to know our UI&UX process in 8 steps.

Unsplash Figma plugin


Nice design and pictures go hand in hand. You have certainly searched for images for your design before. It is not always easy and it is often a lengthy matter: it takes a while to find a thematically appropriate, high-quality image. The Unsplash plugin ensures that you have images available directly, instead of searching for them on various portals. It allows you to download free photos from the largest free database, Unsplash, directly into Figma.

Availability: Unsplash Figma plugin

Autoflow plugin


As designers we always try to create an ordered flow of screens with many frames, or a tree structure, the so-called flow of the entire design. It is a lengthy process. With Autoflow you simply mark the two frames between which you want to create a flow, confirm with one click, and it is done.

Availability: Autoflow Figma plugin

Brandfetch plugin


Are you tired of time-consuming searching for corporate logos on websites? Brandfetch will save you a lot of time. Enter the URL of the company whose logo you want to use into the plugin, and it will generate the logo for you.

Availability: Brandfetch Figma plugin

Figma Stark Plugin


If you have ever had trouble judging whether a color contrast ratio is sufficient, you will appreciate the Stark plugin. You simply mark two overlapping layers and the plugin evaluates whether the color contrast is adequate.

Availability: Figma Stark Plugin

ImagePallette plugin


There are different theories about color palettes, and one of them is that the most beautiful color palettes are created from photos. This plugin helps you generate a color palette from a photo. All you have to do is select the image and run the plugin, and the palette is born. 🙂

Availability: ImagePallette Figma plugin

Content Reel plugin


A great plugin from Microsoft. Do you sometimes need to fill a design with real content? Whether it’s a name, email, avatar or phone number, this plugin will speed up and simplify your work. It simply generates this content for you. They also plan to add various icons in the future, so it is worth watching for updates.

Availability: Content Reel Figma plugin

Android Resources Export plugin


Use this plugin to quickly export assets for Android. A designer working on mobile applications who often needs to export assets for developers will appreciate it. Android Resources Export prepares assets in both drawable and Nine-patch folders. Besides Nine-patch assets, you can also export adaptive app icons for the Play Store.

Availability: Android Resources Export Figma plugin

Are you interested in the UX / UI design process we have at GoodRequest? Get to know it in 8 steps, and don’t forget to share your inspiration or tips in the comments. 🙂

Do you work with Figma and want to improve in it?
Or are you a complete newcomer and would like to create designs in it?

Check out our current Figma workshops.
Looking forward to seeing you there!