Security: Why Game Developers Should Take it Seriously
Thanks to every increasing ease of internet access, many computer games are now played online, whether on a console, smartphone or a computer. The massive rise in uptake of MMO games and the desire to compete with other players around the world have also given rise to the added need for increased security concerns. Especially when you add this to the now commonplace purchasing of in-app purchases, and our financial details being regularly given online. This offers an open opportunity for cyber crimes. Gaming, being as big as it is worldwide, makes it a real target.
There is a common recurring problem faced by game developers when we talk about online gaming. Before we could start playing, online games usually require us to create an account filled with our personal information, our avatar information, and possibly our financial payment details. Having these details out on gaming servers can make us vulnerable targets if the system is poorly constructed. It may also be familiar to hear news of hacked games like the known online game League of Legends where millions of player account information and banking details were stolen; another case was when thousands of Minecraft player accounts and passwords were leaked and published online. This is actually not the fault of any of those game producers, but is just a simple sign of the times. The same quality of programmers that build AAA games also exists in the world of illegal hacking. That’s probably a fact that will never go away.
There are steps, however, that you can apply to your development stages to mitigate the risks and protect yourself from 99% of hackers out there. Doubtful game security system will mean gamers stop playing or avoid the game entirely. No one wants to lose profit and customer loyalty. Which is why it is necessary for the internal security features of the game to be reliable.
Even if gamers value data security, it is ironic that most gamers are not aware of the security protocols online or how security breaches like phishing, password stealers, fake crack files and fake apps are done by hackers, thus letting them fall victim to these dangers. Online servers are one of the most targeted factors online due to the amount of sensitive data it holds. Securing your web server is as important as ensuring your game application. Having a secure application but an insecure server, or vise versa, still puts your game at a huge risk. Creating a secured server may be a daunting task, but it is not an impossible task.
Below are some security measures to follow to protect your servers:
As much as possible, administrators of the game should log in to the web servers locally. One must also make sure that the connection is secured correctly. This uses security tokens and with a restricted sign-in. Ideally, it is not recommended to open sensitive game admin information through a public connection or a public computer. SSH Key, which is similar to remote access, can be used as well. Setting up the SSH Key authentication will also allow you to disable password based authentication. It also has more bits of data than a password, meaning there are more combinations. Many SSH key algorithms are uncrackable because they require too much time to run through possible matches.
Firewalls are software or hardware appliances which control servers that are exposed to the network. They block access to every port except for those that should be publicly available. A properly configured firewall serves as an extra layer of protection, limiting the components that are vulnerable to exploitation.
File Auditing and Intrusion Detection System
It is beneficial to be able to perform file level audits which can be done periodically by the administrators. Intruders will want to remain hidden for a prolonged period. Using this will allow you to be sure that another user or program has made no changes. An audit of the filesystem will tell you if any files have been altered.
Security and the QA Process
Any software system security should be considered throughout the entire lifecycle of the project. Regardless of the target of your software, data confidentiality, integrity, authentication and authorization are the foundations of user trust. QA testing services should comprise of localized and network security measuring aimed to assess vulnerability and risk. This also goes beyond product launch and can extend into support maintenance and regression testing with the development of your software over time and version iterations.
The mobile device market continues to expand year on year. With the ever increasing demands on mobile functionality and relied usage, the concerns for target security have never been higher. The introduction of payment systems, ID authentication, and even fingerprint and eye recognition, have moved the mobile device from a simple lifestyle aid to a business and finance capable tool. This is ever increasing the need for security testing.
Product Specific Security
As with all testing protocols, full product assessment can be customized to fit your specific needs and concerns. Your platform integration may be unique and taking advantage of the latest payment or authentication technologies. Therefore, it may not always be best to proceed with a prefabricated series of security testing systems, no matter how good and trusted they may be. Testing assessments can be customized to fit your hardware, network, and high-level security concerns.
If you know your end product will require passing a specific certification, we can include custom test parameters to encompass this. Avoid the delays and cost ramifications of a ‘revert to design phase’ scenario. Should you already know your product will require ISO, IEC, PCI DSS or Section Compliance, allow this to be designed into your testing criteria to build confidence and receive detailed alteration suggestions from an early stage.
We have tested and developed multiple in-depth automation scripts that test the most commonly found vulnerabilities in web, mobile, and server based software. This rigorous automated attacking is designed to highlight early security concerns.
We apply whitehat ethical hacking procedures to test the weak points of your software. Security specialists apply various methodologies designed to break the security of your product, helping further security feature suggestions and product enhancements. This goes beyond the normal data integrity and authentication testing and aims to simulate a direct black hat hack attempt.