The legal industry is built on trust, confidentiality, and carefully handling of sensitive client information. However, this reliance on sensitive data has made law firms a prime target for cyber-attacks. From personally identifiable information (PII) to financial records and intellectual property, the data managed by law firms is invaluable—and vulnerable.

A single cybersecurity incident can lead to devastating consequences: loss of client trust, legal repercussions, and significant financial penalties. Yet, many legal professionals remain unsure about how to strengthen their cybersecurity.

In this guide, we’ll explore cybersecurity for law firms, focusing on essential steps to protect your law firm’s data, maintain client trust, and ensure compliance with regulatory standards.

Key takeaways

• Understand the unique cybersecurity risks law firms face.
• Implement strong passwords and secure access management.
• Develop a robust incident response plan.
• Leverage advanced technology like Virtual Private Networks (VPNs) and cloud security tools.
• Stay compliant with data protection regulations.

The cybersecurity threat landscape for law firms

Cybercriminals increasingly target the legal industry, and the numbers are alarming. According to an American Bar Association (ABA) study, 29% of law firms experienced a cybersecurity breach in 2023. These incidents lead to downtime, lost revenue, and long-term damage to a firm’s reputation.

Phishing attacks

According to the Verizon Data Breach Investigations Report, phishing is one of the most prevalent cyber threats, accounting for 36% of data breaches. These attacks typically involve fraudulent emails that trick employees into sharing sensitive information, such as passwords or client details.

Ransomware

Ransomware attacks involve malicious software encrypting a firm’s data, rendering it inaccessible until a ransom is paid. Even after payment, there’s no guarantee that data will be restored.

Insider threats

Insider threats can arise from employees or contractors misusing their access to sensitive information. This may be intentional, such as data theft, or accidental, like falling for a phishing scam. Insider threats can compromise client confidentiality and result in significant financial or reputational damage.

Advanced Persistent Threats (APTs)

APTs involve prolonged and targeted attacks where hackers gain access to a firm’s network and remain undetected for extended periods. Continuous access and exfiltration of sensitive data make these threats particularly damaging.

Data breaches

Data breaches occur when unauthorized individuals gain access to sensitive information. These breaches can result from weak security protocols, outdated software, or employee negligence. It can lead to legal penalties, loss of client trust, and significant financial consequences.

Business email compromise (BEC)

BEC is a form of phishing attack that involves cybercriminals impersonating a trusted individual or entity to deceive employees into transferring funds or sharing critical information.

Real-world examples: A wake-up call for the law sector

In November 2023, Allen & Overy experienced a ransomware attack that affected a small number of storage servers. The attackers threatened to publish sensitive data unless a ransom—potentially between $51.5 million to $76 million—was paid. Although the firm’s core systems were unaffected, operations were disrupted, and clients had to be informed about potential threat to data security.

Similarly, a cyber-attack exploiting a vulnerability in the MOVEit file transfer software impacted multiple law firms, including Kirkland & Ellis and Proskauer Rose. This attack significantly disrupted conveyancing practices, delaying property completions and causing operational chaos.

The number of successful cyber attacks against US law firms has increased significantly in recent years. In the first five months of 2024 alone, 21 firms filed data breach reports with state attorneys general offices, compared to 28 breach reports filed in total for the previous year. This represents a substantial increase in the frequency of reported incidents.

The legal sector has faced escalating ransom demands from cybercriminals. The average ransom demand following an attack on a legal firm is $2.47 million, although the average ransom paid is lower at $1.65 million. These astronomical figures highlight the severe financial risks law firms face from cyber-attacks.

Why law firms are attractive targets

Law firms occupy a unique position as gatekeepers of highly sensitive and valuable information, making them prime targets for cybercriminals.

Here’s why they’re often in the crosshairs:

1. Volume and sensitivity of client data. Legal firms handle many personally identifiable information (PII), financial records, and other confidential documents. This makes them a gold mine for attackers looking to commit identity theft, financial fraud, or corporate espionage.
2. Handling intellectual property and mergers. Many firms manage intellectual property portfolios, trade secrets, and high-stakes mergers and acquisitions. If stolen or exposed, such data could disrupt billion-dollar deals or give competitors an unfair advantage. Cybercriminals, including nation-state actors, often target these assets for profit or strategic gains.
3. Reliance on cloud platforms. As the legal industry increasingly adopts cloud-based solutions and supports remote work, vulnerabilities in these platforms become exploitable. Without strict data security measures, cloud misconfigurations, phishing attacks, and unauthorized access can expose confidential information.
4. Weaker security infrastructure. Despite managing high-value information, many law firms—especially smaller ones—lack robust cybersecurity defenses compared to other industries. Limited IT budgets and insufficient awareness of evolving cyber threats increase their vulnerability.

The fallout of a cyber-attack on a law firm can be devastating, both financially and reputationally:

• Legal and financial liabilities: Firms may face lawsuits, regulatory fines, and substantial costs to recover lost data
• Loss of clients and revenue: A breach erodes client trust, often resulting in loss of business and damaged relationships
• Reputation damage: Rebuilding a tarnished reputation in a trust-driven industry like law is exceptionally challenging

By understanding their unique vulnerabilities and implementing strong cybersecurity practices, law firms can reduce risk and protect their clients’ sensitive information.

12 law firm cybersecurity best practices

To protect your firm’s cybersecurity and reputation, consider implementing these law firm cybersecurity best practices:

1. Develop a comprehensive incident response plan (IRP)

A robust IRP outlines the steps to take during a cyber-attack or data breach, ensuring a swift and effective response. Include clear roles, communication protocols, and procedures for mitigating damage. Regularly test and update the plan to reflect evolving threats and organizational changes.

2. Train employees on cybersecurity awareness

Human error is one of the leading causes of cyber incidents. Conduct regular training sessions to teach staff how to identify phishing emails, handle sensitive information securely, and adhere to data security policies. Tailor training to address specific threats that law firms face, such as social engineering attacks targeting confidential data.

3. Enforce strong password policies and use password management tools

Weak or reused passwords are a common vulnerability. Require employees to create strong, unique passwords and encourage the use of password managers to simplify secure authentication. For example, NordPass’ password management solutions provide easy-to-use tools that ensure compliance with password best practices.

4. Secure remote access with VPNs

As remote work has become standard, ensuring secure network access is crucial. Use VPN solutions like NordLayer’s Site-to-Site VPN to create encrypted tunnels that protect your firm’s systems and data from external threats. This safeguards both remote employees and sensitive communications.

5. Regularly back up critical data

Frequent backups protect your firm from data loss due to ransomware or accidental corruption. Store backups in secure locations, such as offsite servers or encrypted cloud platforms. Test backup integrity periodically to ensure data can be restored quickly if needed.

6. Implement multi-factor authentication (MFA)

MFA adds an essential layer of security by requiring users to verify their identity using two or more factors, such as a password and a one-time code. This makes it significantly harder for attackers to gain unauthorized access.

7. Encrypt data in transit and at rest

Use encryption protocols like AES-256 and ChaCha20 to protect sensitive law firm data while it is transmitted and stored. This ensures that even if unauthorized users get access to the data, they can’t read it.

8. Migrate to the cloud with a security-first approach

Cloud services offer scalability and flexibility but come with unique risks. When transitioning to the cloud, implement robust security measures such as access controls and encryption. NordLayer’s cloud access solutions provide a secure environment for managing and protecting your firm’s resources.

9. Comply with data protection regulations

Adherence to legal frameworks like GDPR, HIPAA, or industry-specific requirements is vital to avoid legal penalties and protect client trust. Conduct regular audits, review compliance measures, and ensure third-party vendors meet regulatory standards.

10. Monitor systems and apply updates regularly

Outdated software is a common target for attackers. Establish a schedule for monitoring, patching, and updating all systems and applications. Use automated tools to identify vulnerabilities and prioritize critical updates.

11. Establish role-based access controls (RBAC)

Limit access to confidential data based on employees’ roles and responsibilities. Implement the principle of least privilege, ensuring that users can only access information necessary for their tasks. This minimizes the risk of insider threats or accidental exposure.

12. Partner with cybersecurity experts

Collaborate with experienced network security providers like NordLayer to implement tailored cybersecurity measures. Their expertise can help you stay ahead of emerging threats and adopt advanced technologies, protecting client data and critical systems.

Technology solutions for law firm security

Technology plays a key role in strengthening cybersecurity for law firms. By using advanced tools and solutions, legal practices can stay ahead of the lurking threats.

• Cloud security solutions. As legal practices increasingly migrate operations to cloud environments, it becomes equally important to secure those platforms. Network security solutions like NordLayer ensure that sensitive information remains protected, even remotely accessed. Features such as secure network access controls, data encryption, and activity monitoring help prevent unauthorized access and data breaches, keeping your law firm compliant and safe.
• Virtual Private Networks (VPNs) for remote work. Remote work has become a standard in the legal sector, but it also introduces new cybersecurity challenges. VPNs create encrypted tunnels to safeguard sensitive communications and data transfers, ensuring seamless and secure connectivity for legal teams—whether in the office or on the move.
• Advanced access control solutions. Access control is a critical component of legal cybersecurity. NordLayer’s flexible access control tools, including Zero Trust Network Access (ZTNA), restrict access to sensitive resources based on user roles and authentication. These tools minimize the risk of unauthorized access, even if login credentials are compromised.
• Device Posture Security. Validating endpoints for compliance with security protocols helps reduce risks posed by compromised or unsecured devices. This feature ensures that only trusted devices access a law firm’s network.
• Cloud Firewall for enhanced protection. NordLayer’s Cloud Firewall enables firms to define and enforce strict access policies, ensuring only authorized traffic reaches critical systems. This tool prevents unauthorized access, blocks malicious threats, and provides visibility into network activity to safeguard sensitive legal data.

Tailored cybersecurity for law practices

Cybersecurity in the legal sector requires solutions that address the unique challenges of handling law firm’s data, intellectual property, and regulatory compliance. NordLayer cybersecurity solutions for law firms offer tailored tools to meet these needs:

• Virtual Private Networks (VPNs): Secure remote access for legal professionals with encrypted tunnels, allowing teams to work confidently from anywhere
• Zero Trust Network Access (ZTNA): Restrict access to critical systems and data using a “trust no one, always verify” approach, ensuring only authorized personnel can interact with sensitive resources
• Device management and monitoring: Track, validate, and secure all devices accessing your network, ensuring endpoint security across the firm

Cybersecurity is essential for all law firms, regardless of their size. Whether you run a small, medium, or large practice, protecting client trust and critical data is non-negotiable. With NordLayer’s cutting-edge tools, your firm can stay ahead of cyber threats and maintain robust security standards.

NordLayer now integrates with ConnectWise PSA™, certified by the ConnectWise Invent program. It makes billing, invoicing, and company management easier for MSPs with smoother, automated workflows.

Key takeaways

• Simplified billing and company management. MSPs can map companies and products, sync usage data, and make invoicing easier
• Reliable partnership. MSPs can enjoy automated workflows and security standards you can rely on
• Certified integration. NordLayer’s integration with ConnectWise PSA™ is certified for secure use

Why ConnectWise PSA™ integration is a big deal

NordLayer’s integration with ConnectWise is a major improvement. ConnectWise, a leading software company, has supported IT solution providers for SMBs worldwide for 40 years.

MSPs use Professional Services Automation (PSA) tools like ConnectWise to manage client issues, assign tasks, and monitor performance. These tools save time, improve organization, and ensure quality service. With over 24% of the PSA and Remote Monitoring and Management market, ConnectWise is essential for MSPs to manage operations effectively. Certification by ConnectWise means NordLayer passed a security review, ensuring safe and reliable operation.

How the integration works

To configure the integration, create API members with the right permissions in ConnectWise and generate API keys. Then, enter these API details in the NordLayer MSP admin panel.

Features:

• Import and map your ConnectWise PSA™ companies and products to the NordLayer MSP admin panel
• Automatically update ConnectWise PSA™ with monthly subscription usage for each mapped company
• Keep billing and invoicing accurate with updated usage data, so you don’t need to enter it manually

See step-by-step instructions to integrate NordLayer with ConnectWise PSA™.

Why partner with NordLayer?

NordLayer helps MSPs and MSSPs grow revenue with secure, smart solutions. Our distributors, including Pax8, Ingram Micro, BlueChip, and Version 2, make it easier for MSPs to access and deliver our services.

We recently surveyed our partners and proudly received a 9/10 satisfaction rating. They love how easily NordLayer integrates, the reliable support, and the potential to boost revenue—all while keeping clients secure.

MSPs and MSSPs benefit from:

• High-profit margins with flexible pricing
• Scalable services and post-paid monthly billing
• Dedicated training and fast support
• No upfront investment

Why can unskilled cybercriminals now run sophisticated attacks? Will cybercriminals outpace us in an AI arms race? And what is the next big thing in cybersecurity in 2025?

We asked Mary D’Angelo, a threat intelligence and dark web expert, for her insights on emerging cyber threats and how businesses can prepare to protect themselves.

The interview’s highlights

• AI and cybersecurity in 2025: 2025 is definitely going to be an AI arms race, with cybercriminals versus us.
• Key industries under attack: Financial, healthcare, and manufacturing will still be the hardest-hit sectors.
• The kill chain, cybercriminal tactics: Cybercriminals often follow the cyber kill chain, starting with gathering intel and ending with data exfiltration.
• Moving “left of boom” with threat intelligence: Threat intelligence lets you disrupt attacks during the reconnaissance phase before they escalate.
• The importance of proactive defense: No business is too small to be attacked, so businesses should make it more difficult for cybercriminals.

Cyber threats in 2025

Key insight #1: 2025 is going to be an AI arms race, with cybercriminals vs. us

NordLayer: As we closed 2024, what was the most common cyber threat?

Mary D’Angelo: The most common threat has been ransomware and other financially motivated attacks, a trend that is likely to continue in 2025. These attacks will become even more common because of the lower barrier to entry. Now, even relatively unskilled hackers can access different tools, like AI and malware, to run sophisticated attacks.

An example of this is the Lockbit source code leak that happened early in 2024. Many cybercriminals gained access to it, made minor tweaks to the code, and then deployed it onto their victims’ networks.

NordLayer: Gartner predicts that 25% of breaches will involve AI by 2028. What are the emerging threats in 2025 we should brace for, in your opinion?

Mary D’Angelo: I saw that stat, too, and I thought it was a really, really low number. From the research that I’ve done and the attacks that I’ve seen, most already include some level of AI. So by 2028, I think most attacks, not just 25%, will be using AI. 2025 is definitely going to be an AI arms race, with cybercriminals versus us.

Deepfakes will definitely be a huge one. Fake videos will be mostly used for social engineering tactics, and even phishing attempts will be automated by AI. For example, the content of phishing emails will seem much more authentic.

Another thing is AI-powered malware. It’s very sophisticated and can evolve based on the environment it’s in, making it harder to detect and neutralize.

There are also AI-poisoning tactics. As the name suggests, these involve manipulating AI models in security systems so that they produce incorrect results in cybersecurity operations. It’s a bit like the cat-and-mouse game, really.

NordLayer: These AI threats mean companies need to be more proactive. With cybercrime expected to cost $13.82 trillion by 2028, which industries will be hit hardest next year?

Mary D’Angelo: I think it’s the same as in 2024, so financial, healthcare, and manufacturing. Financial because it’s the most lucrative. Healthcare is often low-hanging fruit. Threat actors know it is stretched thin without the budget and resources to adopt better tools. However, healthcare has incredibly valuable data, which will always be a target. Manufacturing is at risk, too, mostly due to shadow IT and legacy systems. The infrastructure is often outdated, making it easier for threat actors to exploit.

However, there are attackers with a moral code. Some won’t target hospitals because of the ethics behind it. But they’ll justify attacking banks and large financial organizations. So, the financial sector will always be a top target.

Key insight #2: Bad actors typically use the cyber kill chain approach to carry out attacks

NordLayer: How do cybercriminals typically plan their attacks?

Mary D’Angelo: When you say cybercriminals plan their attacks, I think that gives them too much credit. They’re usually financially motivated, opportunistic, and sporadic. They’ll do research on who they want to target, but it’s not incredibly thorough because they look for the easiest prey and easy money.

NordLayer: And what tactics do cybercriminals use?

For their reconnaissance, they’ll go into the dark web, where many initial access brokers sell credentials at a decent price. But they follow what is called the cyber kill chain. It’s like the steps a threat actor takes to achieve their objective. The kill chain is basically six or seven stages, but it always starts with gathering intel. Then you have weaponization, where you develop the weapon you plan to use. Then, you have your command and control stage. Finally, data exfiltration or the attack.

NordLayer: The cyber kill chain is the hackers’ playbook, right?

Mary D’Angelo: Yes, the MITRE ATT&CK framework does a great job of defining the tactics a threat actor uses when trying to exfiltrate data from a network. Cybercriminals often don’t deviate from their playbook because it works. As the saying goes, if it ain’t broke, don’t fix it. They’ll try new approaches only when access is taken away from them, forcing them to start over.

It’s unfortunate, but organizations often fall behind because they lack the resources to implement better detection and response tools. Smaller organizations, including hospitals, don’t have those resources and hence are more vulnerable.

NordLayer: Given the threats and hacker tactics we’ve just discussed, what are the top 5 challenges businesses face this year?

Mary D’Angelo: Patching, technical debt, and legacy systems will be big challenges. Cloud security is still in its infancy for many organizations, so we’ll need to work on it collectively. Exposed and misconfigured vulnerabilities within systems also need attention.

Threat-specific responses

Key insight #3: “Moving left of boom” lets you stop attacks before they start.

NordLayer: How can threat intelligence solutions and security solutions work together to prevent cyber threats?

Mary D’Angelo: When it comes to threat intelligence, there are three buckets: tactical, operational, and strategic. If these three work alongside security operations, they can help you be more defensive rather than constantly reacting at the last minute. This way, you’re not always on the edge of your seat when threats or attacks come in.

Tactical threat intelligence helps security operations by providing background on indicators of compromise and ongoing threats. Strategic threat intelligence is about planning for the year. Executives will identify the ransomware groups more likely to target their organization and their tactics, then build a defense plan for the year to stay strong against them. Operational intelligence is about the day-to-day, ensuring your business has the right intel to respond effectively.

Most security tools don’t alert you until stages two or three of the kill chain. The advantage of dark web intelligence and threat intelligence is that you can be alerted at the very first stage—during the reconnaissance phase. This is when threat actors are doing their research to identify their next victim and how they plan to attack. By catching the threat early, you disrupt the cybercriminal, forcing them to start over with someone else.

That’s why threat intelligence is a powerful tool for organizations if done correctly and made actionable.

NordLayer: Threat intelligence has the power to break this cyber kill chain. How does it work?

Mary D’Angelo: Organizations often track their key criminal groups through strategic threat intelligence. For example, if I were in healthcare, I’d focus on the threat actors targeting the healthcare industry and understand their tactics and techniques. Once I identify these groups, I can set up systems to detect their activity.

A good analyst tracking the right dark web forums and marketplaces might come across an initial access broker selling credentials for a hospital. These brokers are very sneaky—they don’t directly name the hospital but mention the industry and the company’s revenue size. But if you’re sharp, you can identify the target hospital.

Once you know the attack is targeting you, you’re ahead of the game. The broker sells privileged access to the hospital, which could lead to a breach. By spotting this early, you can take action to mitigate the threat.

We always say “move left of boom,” a military term. It’s about getting as far left on the kill chain as possible. Instead of being alerted at stage three, when you’re panicking, you can act early and prevent the attack before it escalates.

NordLayer: So moving to the left of the kill chain also means always upgrading your security?

Mary D’Angelo: Yes, absolutely. Stressing that no business is too small to be attacked is never enough. So gear up for it and make it more difficult for cybercriminals.

NordLayer: Thank you very much for your insights.

Mary D’Angelo is a Cyber Threat Intelligence Solutions Lead at Filigran, where she focuses on democratizing threat intelligence. She started her career at Darktrace before joining Searchlight in 2021.

Outside of work, Mary is dedicated to supporting child safety initiatives through the Innocent Lives Foundation. She’s passionate about sharing her knowledge and continuing to learn as the cybersecurity field evolves.

How can NordLayer help?

Cybersecurity can feel overwhelming, but it starts with building awareness of safe digital practices. From there, focus on easy-to-deploy tools or partner with an MSP or MSSP to protect against opportunistic attacks.

NordLayer is a toggle-ready platform that offers comprehensive security to protect your business. Our solutions include:

• Threat Prevention to stop malicious downloads or prevent access to harmful websites
• Business VPN for secure remote work
• Cloud Firewall for robust network access controls

We also recommend multi-layered Zero Trust Network Access (ZTNA) policies for stronger network protection. Need help? Our sales team is always ready to guide you every step of the way.

Monitoring the dark web is crucial for staying ahead of threats. This is where NordStellar comes in. It tackles vulnerabilities during the reconnaissance phase of the cyber kill chain.

The platform automates key security tasks, such as:

• Dark web monitoring to track company-related risks
• Leaked data management to protect employees and customers
• Attack surface assessments to identify and mitigate potential weaknesses.

Together, NordLayer and NordStellar provide a proactive, multi-layered defense to protect your business.

Cyber-attacks are growing more frequent and damaging. Critical sectors like healthcare and education are common targets. Threat actors are quick to exploit weak software. This leaves companies and users struggling to keep up. But there’s a better approach: build security into software from the start.

In 2023, CISA launched its Secure by Design campaign. It highlights the need for secure software development and corporate accountability. High-profile breaches like SolarWinds and Kaseya show the risks of weak defenses. They also show why software makers must take the lead on security. 

This article will explore software development security best practices. It’s based on CISA’s guidelines and Secure Software Development Lifecycle ideas. Following these practices reduces risks and builds stronger, safer systems.

Why secure software development matters

Everyone agrees security is critical in software development, yet it’s often unclear how to achieve it. Without secure processes, businesses risk deploying vulnerable applications that bad actors can exploit.

Vulnerabilities by design

Technology powers every aspect of modern life. Internet-facing systems connect critical functions like healthcare and identity management. These innovations improve convenience but also create significant risks. Cyber-attacks have disrupted hospitals, leading to canceled surgeries and delayed care. A single flaw can let attackers exploit systems, threatening lives and data.

Secure software development tackles these risks by focusing on security from the start. Manufacturers who adopt secure design principles take responsibility for reducing risks. Features like default encryption and user authentication ensure fewer vulnerabilities for users.

Historical challenges with patching

Relying on patches after deployment creates extra work for users. For example, if a security flaw is discovered, customers must apply the fix themselves. This process can take time, leaving systems exposed to cyber-attacks. A real-world example is the WannaCry attack, which exploited unpatched systems worldwide.

Secure by Design addresses these challenges by fixing vulnerabilities before product launch. For instance, testing software for common weaknesses, like injection flaws, reduces the need for patches later. This approach aligns with secure software development lifecycle practices, saving time and boosting trust in the software.

Secure by design principles

Secure by Design means building security into every product from the beginning. A good example is adding multi-factor authentication (MFA) as a standard feature. It ensures users have a second layer of protection beyond passwords. Another example is setting safe defaults, like requiring strong passwords or enabling automatic updates.

Manufacturers should also follow software development security best practices, such as performing risk assessments during development. This step identifies potential threats and includes defenses against them. For instance, a defense-in-depth strategy can add multiple layers of protection, like firewalls, secure access controls, and network monitoring tools.

Reducing customer burden

Good software should make security easier for users. For instance, automated updates prevent users from forgetting critical patches. Another example is providing built-in network monitoring tools that alert about potential issues without manual setup. These features contribute to cloud security and cybersecurity resilience.

Manufacturers can also provide clear instructions to users. For example, warning users when they change secure default settings helps maintain safety. By easing the burden on customers, manufacturers ensure better protection and fewer missteps. Conducting security awareness training for users can further enhance security.

Leading by example in secure software

Some companies set the standard for secure development by making it a priority. For example, they use features like Cloud Firewall to support network segmentation. This strengthens security in development environments by blocking unauthorized access. It helps protect users, safeguard intellectual property, and improve access controls.

A strong example is a company implementing Zero Trust Network Access (ZTNA) to limit system access. By requiring users to verify identity and devices, they reduce risks. Such practices, combined with secure coding practices, highlight the value of adopting a secure software development framework.

Common cyber-attacks for software development

1. SQL Injection

SQL injection (SQLi) is a dangerous cyber-attack targeting databases. It happens when bad actors add malicious code to input fields. This trick lets them bypass normal security checks and access data. For example, they can use a login form to steal sensitive information. SQL injection remains one of the most common web application vulnerabilities.

The impact of SQL injection is severe. It allows attackers to steal or delete sensitive data. In some cases, they can even take full control of the system. For example, an attacker might enter “OR 1 = 1” into a login field. This tricks the database into granting access without a password. According to reports, SQLi attacks accounted for 23% of major vulnerabilities in 2023.

Organizations handling sensitive data are prime targets. SQL injection attacks can expose personal records, financial data, and trade secrets. For instance, an attacker could use SQLi to steal customer payment information. In extreme cases, attackers have deleted entire databases. Such attacks often result in financial loss, lawsuits, and reputational damage.

SQL injection can also exploit error messages to learn about a system. Some attacks use “stacked queries” to execute multiple commands at once. For example, “DROP TABLE Users;” can delete critical data. In another example, attackers might extract usernames and passwords using the “UNION” SQL operator. This type of attack affects industries like retail, travel, and finance the most.

Preventing SQL injection requires strong secure coding practices. Developers should use prepared statements and validate all user input. Web application firewalls (WAFs) add an extra layer of defense. Regular security audits and vulnerability scans help catch issues early.

2. Command injection

Command injection is a critical software vulnerability. It lets attackers run harmful commands on systems. These commands can grant unauthorized access or full system control.

This issue arises when user input isn’t validated properly. Attackers craft input to manipulate how commands are executed. For example, CVE-2024-20399 involved crafted input to exploit Cisco NX-OS software. This allowed attackers to execute commands with root privileges.

The CVE-2024-20399 flaw affected many Cisco devices, including Nexus and MDS switches. A China-linked group called “Velvet Ant” used it in a cyber-espionage campaign. They targeted network devices to maintain long-term access to organizational systems.

Secure design practices, like input validation, can prevent these issues. Separating commands from input can reduce risks and stop attackers from exploiting systems.

3. Cross-site scripting (XSS)

Cross-site scripting (XSS) is a common vulnerability in web applications. It happens when an application does not validate or sanitize user inputs. This allows bad actors to inject malicious scripts into the application. These scripts can then run on the browser of another user.

Attackers use XSS to manipulate or steal user data. For example, they might inject code into a comment section on a website. When another user views the comment, the script could steal their session cookies. These cookies can give attackers access to the victim’s account. XSS can also redirect users to fake login pages or load harmful files.

XSS is a big problem because it is widespread and preventable. A report from the Open Web Application Security Project (OWASP) lists XSS as one of the most common web application security issues. Proper input validation and using secure coding practices can stop these attacks. Modern web frameworks also help by encoding data to prevent malicious code execution.

Businesses need to take XSS seriously because it can harm many users. One mistake in code can expose millions of people to risk. Regular code reviews, automated tools, and aggressive security testing can help eliminate this threat. Addressing XSS early in the secure software development process is essential to protect applications and their users.

4. Exploitation of known vulnerabilities

Bad actors often exploit known vulnerabilities in software, tracked by unique IDs called CVEs (Common Vulnerabilities and Exposures). These vulnerabilities are listed publicly to help organizations manage and fix security flaws. When actively exploited, attackers use them to spread malware, steal data, or lock systems with ransomware. For example, some types of malware, like worms, spread automatically without user interaction, underscoring the urgency of remediation.

The KEV catalog highlights vulnerabilities actively exploited in real-world attacks. Organizations should prioritize fixing these issues using automated tools to save time and reduce risks. Installing updates, removing outdated software, or applying temporary fixes are key steps to protect systems from exploitation.

5. Memory safety exploits

Memory safety exploits are a common and serious threat. These happen when software written in memory-unsafe languages, like C or C++, mishandles memory. Mistakes in managing memory can cause vulnerabilities like buffer overflows or use-after-free errors. These allow attackers to take control of software, systems, or data. For example, a buffer overflow can let attackers execute malicious code.

Most open-source software (OSS) projects rely on memory-unsafe languages. About 52% of critical OSS projects analyzed include memory-unsafe code. In total, 55% of the lines of code in these projects are written in unsafe languages. Even projects written in memory-safe languages often depend on unsafe components. This increases the risk of memory safety vulnerabilities spreading through dependencies.

The largest OSS projects are more likely to have unsafe code. Among the ten biggest projects analyzed, the median unsafe code usage is 62.5%. In four of these projects, over 94% of the code is unsafe.

These vulnerabilities are especially dangerous in performance-critical software, like operating systems or cryptography tools. Attackers target these systems to exploit weaknesses.

Using memory-safe programming languages, like Rust, can reduce these risks. These languages automatically handle memory management, which helps prevent errors. However, developers sometimes disable safety features to improve performance. This can create new vulnerabilities. Memory safety exploits remain a major challenge and require secure coding practices to minimize risks.

Software development security best practices

Implementing software development security best practices is vital for creating secure applications. These strategies help protect users from security risks while improving software reliability. When applied throughout the secure software development lifecycle, they address vulnerabilities and strengthen defenses. Below are key principles and approaches to ensure secure software and reduce evolving threats.

1. Secure by default practices

Ensuring software is secure “out of the box” minimizes user burden and proactively addresses security vulnerabilities. This approach forms a foundation for secure software development.

• Eliminate default passwords. Replace default credentials with strong, unique passwords during setup. For example, enforce minimum password lengths and block known compromised passwords to protect secure access.
• Conduct field tests. Evaluate software security features in real-world environments. Insights from red team exercises can identify gaps in firewall settings or weak points in VPN implementations.
• Discourage unsafe legacy features. Phase out insecure protocols like outdated TLS versions. Use seamless upgrade paths and in-product alerts to encourage the adoption of safer options while maintaining compatibility with cloud security standards.

2. Secure product development practices

Embedding secure coding practices into every stage of the secure software development framework ensures long-term protection against threats and enables secure development.

• Document secure SDLC framework conformance. Use frameworks like the NIST Secure Software Development Framework (SSDF) to guide development. Publish security requirements and justify alternative approaches for unique use cases in cloud computing environments.
• Mature vulnerability management. Move beyond patching to address root causes of security vulnerabilities. For example, implement quality improvement strategies to prevent recurring issues in applications involving VPN or network monitoring tools.
• Foster a workforce that understands security. Conduct security awareness training to educate developers on secure coding practices. Integrate security topics into hiring processes and collaborate with institutions to strengthen cybersecurity skills among future developers.

3. Application hardening techniques

Application hardening strengthens software against exploitation by reducing security risks and making it more resilient.

• Validate user input. Prevent common attacks like SQL injection and cross-site scripting by sanitizing inputs. For example, in cloud computing environments, validate APIs to protect data integrity.
• Adopt memory-safe programming. Use languages like Rust to eliminate memory-related security vulnerabilities. This is particularly critical in applications involving sensitive operations like network monitoring or firewall configurations.
• Implement cryptographic safeguards. Secure sensitive data with encryption and hardware-backed key management. For instance, use hardware modules to store keys securely in VPN or cloud security systems.

4. Reducing attack surfaces

Minimizing unnecessary exposure is a critical component of software development security best practices. Reducing attack surfaces enhances secure software development.

• Remove unused features. Disable or eliminate features no longer needed, such as legacy APIs. For example, retiring outdated services in cloud computing environments reduces security risks.
• Create secure configuration templates. Provide templates tailored for low, medium, and high-risk environments. This simplifies secure development while ensuring adherence to security requirements.
• Implement attention-grabbing alerts. Notify users of unsafe configurations like admin accounts without MFA. For instance, persistent alerts can improve software security by encouraging secure settings in applications.

5. Balancing security and usability

Effective security practices must balance protection with usability. A focus on user experience ensures that secure software development lifecycle measures are effectively implemented.

• Reduce hardening guide complexity. Simplify guides for end users by automating security configurations. For instance, automated firewall rules and VPN policies can be used to streamline setup.
• Provide clear nudges. Regular reminders encourage users to address potential security risks, such as enabling MFA or updating to more secure cloud security protocols.
• Innovate thoughtfully. Design intuitive security features like Single Sign-On (SSO) to reduce friction for users. For example, SSO simplifies access without compromising secure access protocols.

These strategies ensure strong cybersecurity, effective protection in cloud computing, and robust safeguards through tools like VPN, firewall, and network monitoring.

Common mistakes to avoid

Building secure software requires careful planning and attention to detail. Common mistakes are grouped into product properties, security features, and organizational processes.

Product properties

Using memory-unsafe languages

Developing software in memory-unsafe languages like C or C++ without a roadmap to reduce vulnerabilities increases security risks. These languages can introduce critical flaws like buffer overflows, leaving systems exposed.

Software manufacturers should adopt a secure software development framework with a memory safety roadmap. Prioritize fixing vulnerabilities in sensitive areas, such as network-facing code and cryptographic functions. Following secure coding practices will significantly lower the likelihood of such security vulnerabilities.

Default passwords

Shipping products with default passwords is a dangerous practice. Default credentials are often easy to guess or publicly documented, making systems vulnerable to unauthorized access.

Always require users to set unique, strong passwords during installation.

Security features

Lack of multi-factor authentication (MFA)

Failing to include MFA in products that authenticate users significantly weakens security. Passwords alone are insufficient to protect against breaches.

Ensure MFA is supported in all products, especially for admin accounts. This practice is crucial for secure development and reducing security risks in critical systems. Aligning MFA with a secure software development lifecycle further strengthens defenses.

Inadequate logging for intrusions

Products without robust logging capabilities make it difficult for customers to detect and investigate intrusions. Logs should include critical data, such as configuration changes and user activities.

Software manufacturers should provide industry-standard logging features. For SaaS and cloud computing products, include at least six months of log retention. Enhanced network monitoring and cloud security tools help organizations meet key security requirements.

Organizational processes

Releasing software with known vulnerabilities

Releasing software that includes known exploitable vulnerabilities undermines security. Attackers often exploit these flaws before patches are issued.

Manufacturers must follow secure software development lifecycle practices, including scanning for vulnerabilities before release. Maintain a software bill of materials (SBOM) to track dependencies and ensure timely updates. Cloud security solutions and firewalls can further mitigate these risks.

Failing to disclose vulnerabilities

Not publishing CVEs (Common Vulnerabilities and Exposures) for critical flaws reduces transparency and puts users at risk. Customers depend on timely information to manage vulnerabilities.

Publish CVEs for all high-impact vulnerabilities promptly. Include details like CWE (Common Weakness Enumeration) codes to guide customers in understanding and mitigating risks. Conduct security awareness training for teams to improve processes and meet secure software development security requirements.

Case study: Successful software security with NordLayer

WeTransfer needed a reliable and flexible VPN to support global operations and meet ISO 27001 standards. Their outdated, on-site VPN couldn’t handle an office move or provide secure access for teams across 130+ regions. This created risks like phishing and ransomware.

NordLayer’s cloud-native solution offered a Dedicated server with Fixed IP for secure connectivity, Shared Gateway locations for secure internet access, and adaptive Okta integration to improve access control.

Switching to NordLayer improved operations. Developers can work faster with reduced network latency and secure access via NordLayer’s Business VPN. NordLayer also supported WeTransfer’s ISO 27001 compliance efforts. NordLayer’s platform helped WeTransfer secure its network and protect millions of users worldwide.

Explore our cybersecurity solutions for software development, or contact our sales team to learn how NordLayer can secure your operations.