How to safely share sensitive data with software developers? Try data mocking.
Marta Zbierska
⋅
⋅
Have you heard about data mocking as a way to safely share data?
Many of our maritime partners worry about security issues while starting new software development projects, especially while using extended development teams. In this article, we skip the basics like an NDA to go directly to what we noticed makes our clients feel much more confident while sharing sensitive data. This article will amplify how to use mocked or fake data to achieve higher security in software development.
Developers do not need to work with real data. Really?
It might be surprising to you that there are situations when developers do not need to work with real data at all. As developers, we have a maritime project where we do not have access to sensitive data from the client’s perspective, like unique IMO vessel numbers, ship manning, user e-mail addresses, and the provisioning budget. However, we still provide increments for our clients.
Read along as further we share details on how we do this.
What kind of data do developers usually mock, and why?
First, let’s share a few facts about mocking data, like what kind of data we usually mock at Setapp.
- A unique e-mail address for a given vessel;
- User name;
- Vessel name or unique IMO number;
- Mannings of the ships;
- The provisioning budget assigned to each vessel;
- Actual earnings of each ship or pool partner.
It is significant to know that developers mostly mock data for practical reasons, not security reasons. An example is when the programmer is working on an interface and needs to mock some data. Fake data here is just used to keep on delivering increments when the database is unavailable for several reasons.
As you can see, mocking data is one of those situations when practical meets other goals like secure development.
Do developers mock data to avoid unnecessary data sharing?
When a developer needs to test a solution, or we are presenting some interface, we mock real data, as we do not need any unnecessary data sharing. Mocking data is just a perfect solution in line with the principle of least privilege (POLP), which is all about the limits of users accessing actual data.
Access to real data is given strictly to people who are required to do their jobs. In this case, when a developer shows the progress of his work to other team members, they only see fake data.
An example of using mock data in a maritime project:
To give a solid example, let’s dive into one of the maritime projects we did and keep enhancing. It is an application for vessel cooks & captains that aims to simplify ordering provisions. As developers, we did not get access to sensitive data like unique IMO vessel numbers, manning of vessels, and the provisioning budget. Jet still manages to deliver increments using fake or mock data.
“ It means that instead of using sensitive information during the development phase of our application. We extensively use fake data to reproduce valid cases for real vessels. As you can see, mocking is simply replicating data to test how the system works. “ – Cristian Demkowicz, Senior Software Developer at Setapp.
What is crucial is that before any coding can start, our service delivery managers discuss what kind of data is fragile from the client’s perspective. Together We establish a set of rules and security solutions to protect this sensitive data.
“Our development teams incorporate security into every software development life cycle phase by constantly asking questions and testing our solutions for all security situations and user requests. Our goal is to achieve the best security and avoid any data leaks. ” – Paweł Paszkiewicz, Managing Director of Setapp.
How exactly do developers use fake data to replace real data like user names or e-mail addresses?
In this paragraph, let us share more examples of how we work with fake data in our maritime projects. Firstly see the below illustration, which explains how mock data differs from real.
- We use a custom faker solution that allows working through RFQ (requests for quotation). This process fakes the potential response from the provider. That includes product price adjustments or the removal of some order items that were not available in the given ports.
- Therefore thanks to this solution, we can test our code risk-free while always being compliant with our customers’ internal systems.
- Most of our application is covered in integration tests. That is to say, these tests allow us to utilize mocked data without human intervention. This way, we can test every change that comes to the product regarding critical journeys for the customer.
- We depend on the external service of auth0 to perform authorization into the application; as a team, we’ve decided to enforce MFA(multi-factor authorization) for all users to increase security. Using well-known solutions is a proper secure development technique.
What does mock or fake data look like? - Perhaps you are curious about how these fake data look alike. Developers create fake data that resembles the original as close as they can. If it should be a number, it will be a number; if we mock the name of a vessel, it will be a word—just a fake one, like Mr Bean or Captain Jack.
- Most importantly, the value of fake data is never even close to the actual production data, which is essential in completing day-to-day maritime operations. In this sense mocking data is like deaconing.
Mocking data – a secure development technique
Above all, this whole work with fake or mock data is in line with the secure development techniques, which is all about using well-known libraries and solutions instead of developing on one’s own, let’s say, authentication tools.
Secondly, mocking data is not a new thing it has been used for practical reasons by developers worldwide. It is consistent with the least privilege rule, as you can avoid unnecessarily sharing real data thanks to mocking data. Basically, using real data is limited to minimum situations – in most cases, you would instead use fake data than real data.
At Setapp, we generally avoid reinventing the wheel. Therefore we use what has already been tested and audited. This refers to using mock data that is beneficial for practical and security reasons.
Real data changed into fake data – how do you feel about this?
Having said it all, I hope this article makes you feel more comfortable while sharing data in your software development projects.
At Setapp, we understand how important secure development is for the maritime industry, and iteration after iteration, we’re looking for better ways to deal with the case of sensitive or private data. We’re always open to learning more to make our customers feel safe about sharing data.