Enhancing Software Security

Software security has become a crucial part of protecting businesses and their users from cyber-attacks. Blueberry's approach combines vulnerability testing, code review and current security tooling to reduce risk and meet industry standards, and we work closely with clients to deliver bespoke software that is built to withstand attack.



Software Security

Concerned about your software security? Give us a call.


We live in a complex threat environment of malware, spyware, disgruntled employees and well-resourced international attackers. Consequently, the threat of security breaches in software has become one of the most troubling aspects of technology, in particular the theft of intellectual property or personal data in an increasingly interconnected world.

“Blueberry provided cutting-edge technical competence to our development project at a cost effective price.”

Gavin Whitehouse

Partner, PKF Cooper Parry

Introduction

We are all exposed to the constant danger of digital data theft, an issue that has only intensified as our lives and businesses become increasingly connected. Attackers no longer rely solely on operating system flaws, stolen passwords or cloned magnetic stripe cards (largely obsolete where chip-and-PIN is standard). Today's major threats include phishing built with generative AI, including deepfake voice and video; supply chain compromises; ransomware-as-a-service (RaaS); and the longer-term risk that large quantum computers will break today's public-key cryptography, which is why NIST published its first post-quantum standards in 2024. These tactics make breaches harder to detect and potentially far more damaging.

On the consumer side, "moving data to the web" has evolved into a preference for fintech-first services such as neobanks and payment apps, which many people now trust as much as traditional banks to hold and share their financial data. This shift has been supported by regulatory change, such as the proposed PSD3 package in the EU and the CFPB's 2024 open banking rule in the U.S. (made under Section 1033 of the Dodd-Frank Act), that extends beyond bank-led standards to impose compliance requirements on fintechs and to enable real-time payment integrations.

Security and privacy remain at the heart of Open Banking. Static consent forms have given way to consent management that lets customers grant time-limited, granular permissions, often confirmed through biometric authentication or, in some schemes, self-sovereign identity (SSI) wallets. Screen scraping, which required customers to hand their banking credentials to a third party, has largely been replaced by OAuth 2.0 and the Financial-grade API (FAPI) security profile, under which the third party never sees the customer's password and receives only a scoped, expiring access token. At the same time, regulators in several markets expect real-time transaction monitoring (PSD2's transaction risk analysis is one example), and machine-learning fraud detection is now common.

Despite these advances, the fundamental challenge remains: when breaches occur, organisations must ask how it happened, what they are doing to remediate it, and how to prevent it from happening again. Meeting these questions today requires more than technical safeguards—it demands a holistic approach where security and privacy work hand-in-hand, ensuring not only performance and innovation but also trust and accountability in an era moving rapidly toward Open Finance and cross-industry Open Data ecosystems.

Security Breaches

Cyberattacks remain one of the most significant risks for organisations, but the methods have evolved. Online brute-force password guessing against a single account, once a common tactic, is now far less effective thanks to multi-factor authentication (MFA), passwordless standards such as FIDO2 and passkeys, rate limiting and account lockout, and anomaly detection that flags or blocks suspicious login attempts. Attackers have responded with credential stuffing (replaying username and password pairs leaked from other breaches) and password spraying (trying a few common passwords across many accounts), both of which stay under per-account rate limits, and with phishing kits that relay the victim's MFA code or steal the authenticated session cookie.

Beyond that, the biggest risks today include attacks on poorly authenticated or over-permissive APIs, supply chain compromises (the SolarWinds incident of 2020 being the best-known example), AI-assisted phishing and deepfake-enabled social engineering, and Ransomware-as-a-Service (RaaS) targeting businesses of all sizes. Cloud misconfigurations on AWS, Azure or GCP (public storage buckets, over-broad IAM roles) and data exposed through collaboration tools such as Slack and Microsoft Teams have also become common sources of breaches.

Past scandals like the Sony Pictures breach or the 2014 iCloud photo leak underscored the danger of poor security practices, but today the stakes are even higher as attackers wield more advanced tools and target the broader digital supply chain.

When breaches occur, organisations face immediate costs, regulatory scrutiny, reputational damage and a long-term erosion of customer trust. That is why the focus has shifted toward a holistic approach that integrates security and privacy. Beyond firewalls and encryption, companies in many jurisdictions must comply with data-protection law such as GDPR, and in Open Banking the APIs they expose must meet the FAPI security profile; regulators also increasingly expect real-time fraud monitoring.

Ensuring data protection means not only defending against intrusions but also proactively identifying risks, eliminating weak links, and guaranteeing customers full control over their data.

Access Control

It must be remembered that a vast amount of personal and financial information is stored in digital systems worldwide. Because people commonly reuse credentials, a single compromised account can open the door to multiple services through credential stuffing, or even enable full-scale identity theft by piecing together leaked data from email, cloud storage and online accounts. Collaboration platforms and SaaS tools have also become frequent targets, making strong authentication more critical than ever.

Passwords and authentication – Short, simple passwords are no longer sufficient, but the answer is length rather than complexity. NIST SP 800-63B requires a minimum of 8 characters and, in its revision 4, recommends a minimum of 15, while verifiers must accept passwords of at least 64 characters. The same guidance drops mandatory composition rules (forcing a symbol or digit into every password) and routine expiry, because both push users toward predictable patterns. Instead, organisations should encourage long, memorable passphrases and check every new password against lists of breached or commonly used ones.

Protecting against brute force attacks – The risk of simple brute-force guessing has been reduced by the widespread adoption of multi-factor authentication (MFA), now a baseline requirement in most sectors. SMS one-time codes, which NIST classes as a restricted authenticator because they can be intercepted or redirected by SIM swapping, are being phased out in favour of FIDO2/WebAuthn credentials held in hardware tokens, platform authenticators or passkeys; these are phishing-resistant because the credential is bound to the site's origin and cannot be replayed to a look-alike domain. Rate limiting and progressive lockout block repeated failed attempts (applied per account and per source, so that credential stuffing spread across many accounts is also caught), and behavioural signals such as typing cadence and mouse movement are increasingly used to spot unusual or fraudulent activity.

Data protection and insight – Storing only a salted hash of each password remains a core safeguard, so that a stolen database does not directly expose credentials. The hash must be a deliberately slow password function (Argon2id, scrypt or bcrypt, or PBKDF2 with a high iteration count) rather than a fast general-purpose hash such as MD5 or SHA-1, and the salt must be unique per user so that precomputed tables are useless. Blueberry's solutions also check new passwords against databases of known weak or breached credentials and flag common, easily guessed patterns (for example "password123"), a check that NIST 800-63B now requires of verifiers. This proactive stance helps businesses defend against modern attack vectors while maintaining user convenience.
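The policy and storage rules described in the three points above, as an added worked example that is not Blueberry's code and not part of the original page. It checks a new password the way SP 800-63B describes (length limits, no composition rules, context words, repeated or sequential runs, and a breach-corpus lookup performed as a k-anonymity prefix query) and then stores it as a salted PBKDF2-HMAC-SHA256 hash with a constant-time verifier. The breach set, the 15-character minimum and the 600,000 iteration count are assumptions made for the example; a deployment would query a real breach feed and would prefer Argon2id where a library is available.

```python
import hashlib
import hmac
import os
from typing import Optional

MIN_LENGTH = 15            # SP 800-63B rev. 4 recommendation (the hard floor is 8)
MAX_LENGTH = 64            # verifiers must accept passwords at least this long
PBKDF2_ITERATIONS = 600_000  # OWASP figure for PBKDF2-HMAC-SHA256; tune to your hardware (assumption)

# Constructed for this example: SHA-1 digests of a few passwords that appear in
# public breach corpora. A real deployment would query a breach feed instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "qwerty", "letmein", "correcthorsebatterystaple")
}


def sha1_range_lookup(prefix: str) -> set[str]:
    """Suffixes of every known-breached SHA-1 digest that starts with `prefix`.

    Mirrors the k-anonymity contract of range-query breach APIs: the caller
    sends only the first five hex characters, never the full hash. The
    'server' here is the constructed BREACHED_SHA1 set above.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in sha1_range_lookup(digest[:5])


def longest_run(s: str) -> int:
    """Longest stretch in which each character repeats or increments the
    previous one ('aaaaaaaa', 'abcdefgh', '12345678')."""
    best = cur = 1
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if ord(b) - ord(a) in (0, 1) else 1
        best = max(best, cur)
    return best


def password_rejection(password: str, *, username: str = "", service: str = "") -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was refused.

    Deliberately no composition rules: a long lowercase passphrase is accepted,
    while 'P@ssw0rd!'-style passwords fail on length or on the breach check.
    """
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"
    lowered = password.lower()
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            return "contains the username or service name"
    if longest_run(lowered) >= 8:
        return "repeated or sequential characters"
    if is_breached(password):
        return "found in a breach corpus"
    return None


def hash_password(password: str) -> str:
    """Fresh 16-byte random salt plus the PBKDF2 output, in one self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple", "abcdefghijklmnop",
                      "alice-picks-this-one", "blue-heron-valley-47"):
        print(f"{candidate!r}: {password_rejection(candidate, username='alice') or 'accepted'}")
    record = hash_password("blue-heron-valley-47")
    print(record)
    print(verify_password("blue-heron-valley-47", record), verify_password("blue-heron-valley-48", record))
```

Two design points are worth noting. The breach lookup hashes the candidate with SHA-1 only because that is the format breach corpora are distributed in; the stored credential never uses SHA-1. And the stored string carries its own algorithm name and iteration count, so the cost can be raised later and old records re-hashed on the user's next successful login without a migration.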

By combining stronger authentication, smarter monitoring, and advanced AI-driven fraud detection, today’s access control strategies provide resilience against threats ranging from credential stuffing to sophisticated social engineering, enabling businesses to protect both their systems and their customers with far greater confidence.

Custom Software Security

Operating systems and other widely used software are a prime target for hackers. A weakness discovered in widely used products is valuable because it can be used in the commission of many crimes. As a result, the more widely used a program is, the more attention it draws – not just from the hackers attempting to find its weaknesses, but also from the software industry in protecting it.

Bespoke software attracts less attention from attackers because it is not deployed in thousands of places, but obscurity is not a defence: its behaviour is still reachable through black-box testing, decompilation and error messages, and it typically relies on the same popular frameworks, libraries and cloud services that attackers already know well, so a vulnerable dependency is just as exploitable in a custom application. Building secure custom software today therefore requires a combination of careful design, early testing and modern security practices:

  • Proactive security testing – Security must be integrated early in the development lifecycle ("shift left"). Static and dynamic analysis tools (such as GitLab SAST, Snyk Code, SonarQube, Semgrep and CodeQL) run in the CI pipeline to detect vulnerabilities as code is written rather than after release, and software composition analysis with pinned, lock-filed dependencies keeps track of the third-party code the application inherits.
  • Evolving threat landscape – Traditional attacks such as SQL injection, cross-site scripting (XSS) and privilege escalation remain among the most common findings. Alongside them, organisations face supply chain compromises, AI-assisted attack tooling and the longer-term risk that quantum computers will break RSA and elliptic-curve cryptography, which is why NIST finalised its first post-quantum standards (FIPS 203, 204 and 205) in 2024 and why data that must stay confidential for years should be migrated to them early.
  • Modern security tooling – Rapid7's Nexpose lives on as InsightVM, part of a broader vulnerability-management platform, and Tenable's Nessus scanner underpins Tenable Vulnerability Management (formerly Tenable.io). Burp Suite and OWASP ZAP remain the standard tools for web application testing, increasingly automated and integrated into CI/CD pipelines. The open-source Metasploit Framework remains a valuable penetration testing toolkit, with Rapid7's commercial Metasploit Pro adding automation and reporting for larger teams.
  • User trust and compliance – Protecting sensitive data is no longer just about firewalls. Regulation such as GDPR and security profiles such as FAPI (Financial-grade API) shape how authentication and data access are designed. Biometric authentication and self-sovereign identity (SSI) wallets are increasingly used to give customers direct control, and real-time fraud detection is becoming a baseline expectation for financial and enterprise-grade applications.

At Blueberry, we work with clients to integrate these modern security practices from the very start of development. Our focus is on building resilient, cross-platform solutions—whether native apps or Progressive Web Apps (PWAs)—that deliver both performance and trust, ensuring businesses and their users are protected in an evolving digital landscape.

If you have a custom software development project with security requirements, please give us a call.

We're easy to talk to - tell us what you need.


Don't worry if you don't know about the technical stuff, we will happily discuss your ideas and advise you.
