Information Security is an increasingly important topic and one that is too often overlooked. This is true in all web development, but as WebRTC video technology continues to mature and become a more critical part of internet communications, it’s also true for WebRTC development.
As our team has grown at WebRTC ventures, and as we serve more and more clients in all industry verticals, security has become more and more important.
That’s why I’m pleased to announce publicly that we recently promoted Maynor Taisigüe to Information Security Officer for WebRTCventures (and for our parent company AgilityFeat).
This role encompasses two main areas:
- Information/Account Security – Like many technology companies, our team works from remote locations frequently, and from countries around the world. And like all growing teams, we have people coming and going from our team on a regular basis. Therefore it’s critical that we have internal processes in place to ensure that only the right developers have access to our customers’ systems and code base. Maynor is leading the effort to formalize this process across our team of 40 and growing technologists.
- Application Security – Each application we develop is custom. They each have their own specific security needs, features, and deployment. Maynor is working with our teams to ensure that security best practices are followed across our projects so the applications and customer data are secure.
Maynor has been a valuable and trusted part of our team for over 3 years, and has been providing quality assurance across our clients. Prior to joining our team, he also worked as a system administrator in other companies. This understanding of systems and technology at the lower level, combined with an understanding of our clients’ needs across our projects, and a strong attention to detail, makes him the perfect person to formalize security practices across all of our work.
But isn’t WebRTC already secure?
One of the often touted advantages of WebRTC is the built in security. When using WebRTC in its “pure” form, you establish a Peer to Peer connection between two clients using a signal server.
The signaling server helps you to negotiate that connection, but once it’s established, all video, audio, and other data is exchanged directly between the peers, and it does not pass through the signaling server.
This creates a couple of key security benefits of WebRTC:
- The Peer-to-Peer (P2P) connection means that there is no intermediary server between the two clients, and so it is nearly impossible to do a “man in the middle” attack where a server between the two clients is used to eavesdrop on the conversation. I say nearly impossible because it may still be possible to a MITM attack if the signaling server is compromised, however, if we assume the signaling server is secure then the P2P connection is secure.
- The WebRTC connection is encrypted by default. So even if you can see the network traffic between two clients, the video, audio, and data is all encrypted and so the content of your conversation is still private.
For these two reasons, WebRTC is inherently secure. However, that doesn’t make your application secure.
Security outside of WebRTC
In addition to making sure the signaling server is secure, it’s important that security best practices are followed in your complete application. For example:
- User authentication needs to be secure. High quality passwords and controlled user administration are obviously important so that accounts cannot be hacked. HIPAA regulations further require rules around expiration of passwords and additional authentication requirements for applications that contain personally identifiable information (PII) about patients.
- Payment methods need to be secure. Any application that takes payment from users needs to treat credit card or other payment information securely. Using a commercial API like Stripe or Braintree goes a long ways towards this, but it’s important that PCI compliance issues are kept in mind for any payment information in transit to the API’s, and that payment information is not stored locally in the application.
- Private information needs to be protected. If your application is for healthcare, or many other industries regardless of regulations, you do not want key information to be visible to others. PII on patients must be encrypted at rest.
- Video recordings are securely stored with restricted access. If your video application involves recording, then you may not want anyone to see that recording. Storing them on a service like Amazon S3 allows you to build in security policies around who can view the URL’s to those recordings.
Why security is important
If you are building a healthcare related application, then security is critical. But that’s not the only industry where it’s important. I don’t want you to read my medical records, or my retirement plans and financial information, or notes from conversations with my lawyer. There are many industries where WebRTC video capabilities add value, and where the security of those conversations is paramount.
WebRTC offers inherent security advantages, but is not enough by itself to build a secure application. That’s why I’m so happy to have Maynor take on the challenge for our team of instituting best practices across our clients, so that we can continue to build innovation video communication apps that are still secure.