Question: What do the following companies have in common: Verizon, AA, OneLogin, Chipotle, Bell, PlayStation, VTech, Cex, and now Equifax?
Answer: they all had major data breaches in 2017 alone.
Keeping your website secure is one of the hardest requirements; even the largest companies in the world cannot always keep up with it. This is because, where security is concerned, the “weakest link” principle applies: any one vulnerability in hundreds of components compromises the entire system (and usually the weakest link is us). But having a site without good security is like building a bank and forgetting to lock the safe – it may take some time, but eventually, when someone finds out the safe is not locked, you will lose all of your money.
The first step towards a secure application begins with the application design. This includes both the component level and the architecture level, for example the NIST Cybersecurity Framework. Secure design is part of a field called Information Security. Some of the methods used are:
- Microsoft Security Development Lifecycle (SDL)
- Threat Modeling: STRIDE, P.A.S.T.A, Trike, data flow diagrams (DFD), process flow diagrams (PFD),
- Software Architecture Security: Threat Modeling and Common Architecture Flaws
- OWASP Software Assurance Maturity Model
- Hacktivity 2012 – Shakeel Tufail – Software Threat Modeling
Creating a secure design requires understanding and implementing all of those methods, which requires a very large investment by security experts.
The vast majority of data breaches originate from flaws in the application code, which cause security vulnerabilities. Attackers exploit a wide range of bug classes which exist in almost all programming languages, such as:
- Memory safety violations, such as Buffer overflows and over-reads, Dangling pointers
- Input validation errors, such as Format string attacks, SQL injection, Code injection, E-mail injection, Directory Traversal, Cross-site scripting in web applications, HTTP header injection, HTTP response splitting
- Race conditions, such as Time-of-check-to-time-of-use bugs, Symlink races
- Privilege-confusion bugs, such as Cross-site request forgery in web applications, Clickjacking, FTP bounce attack, Privilege escalation
- User interface failures, such as Warning fatigue or user conditioning.
- Side-channel attacks, such as Timing attacks
OWASP (Open Web Application Security Project) warns about the Top 10 Most Critical Web Application Security Risks, which are:
- SQL Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Broken Access Control
- Security Misconfiguration
- Sensitive Data Exposure
- Insufficient Attack Protection (Input Validation)
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Under-protected APIs
Securing your site means that none of those vulnerabilities exist anywhere in the site code and that all network and server configuration is perfect, which is almost impossible to achieve even for highly skilled engineering teams (for example, the Sony mega hack started with a simple SQL injection).
Secure Authentication & Session Management
Sites (and mobile applications) which offer user login are much more difficult to secure, since they open a larger attack surface. Securing the authentication & session management components requires a deep understanding of how those mechanisms work, which is not easy. It requires understanding how to maintain sessions over the stateless HTTP protocol.
Some secure authentication & session management requirements are:
- Don’t allow weak passwords
- Implement an anti-brute-force mechanism, like locking the user after a number of failed login attempts (maybe with automatic unlock after a duration)
- Don’t use HTTPS for the login and then fall back to HTTP for the rest of the session (see Firesheep)
- Prevent weak session management:
  - Session ID: sent in the URL, not changed at login, multiple active sessions allowed, predictable, non-existent IDs accepted
  - Session ID cookie: sent via HTTP, Secure flag not set, HttpOnly flag not set, domain/path not scoped properly, not cleared on logout
  - Session: not abandoned on logout, timeout too long
- Misplaced client trust: don’t trust any user input (especially for authorization); validate on the server side
- Control bypass: unprotected endpoints
- Prevent misuse of security controls: an auto-lockout feature can be used to lock out other users
- Hash user passwords with a strong hashing algorithm: don’t encrypt – hash! Don’t invent your own hashing algorithm, don’t use a weak hash like MD5 or SHA1, use a per-user salt (best kept in another store), use a pepper (HMAC).
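The session-management items above (unpredictable IDs, rotation at login, one active session per user, rejecting unknown IDs, idle timeout, server-side logout, and the Secure/HttpOnly/Path/SameSite cookie flags) as a small server-side session store. This is an added example written for this chapter, not code from the original post; the 15-minute timeout and the cookie name `sid` are assumed values, and the store is in-memory for illustration only.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 15 * 60  # idle timeout in seconds (assumed value, not from the page)

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so that expiry can be tested
        self._sessions = {}  # session ID -> {"user": ..., "last_seen": ...}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: not predictable
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the session, or None if the ID was never issued or idled too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None  # client-supplied IDs the server never issued are rejected
        if self._now() - sess["last_seen"] > SESSION_TIMEOUT:
            self.destroy(sid)  # expired: abandon it server-side
            return None
        sess["last_seen"] = self._now()
        return sess

    def login(self, old_sid, user):
        """Rotate the ID at login and keep a single active session per user."""
        self.destroy(old_sid)  # the pre-login ID must not survive authentication
        for sid, sess in list(self._sessions.items()):
            if sess["user"] == user:
                self.destroy(sid)
        return self.create(user)

    def destroy(self, sid):
        """Logout: abandon the session on the server, not only in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value for the ID: HTTPS-only, hidden from scripts, scoped to a path."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True     # never sent over plain HTTP (cf. Firesheep)
    cookie["sid"]["httponly"] = True   # not readable via document.cookie
    cookie["sid"]["path"] = "/"
    cookie["sid"]["samesite"] = "Strict"
    return cookie.output(header="").strip()
```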
Making sure all of the above security requirements have been fully implemented, and that there are no security vulnerabilities in the application, is done with a combination of different methods:
- Code review
- Static Code Analysis/Source Code Analysis tools like FxCop, RIPS and Veracode (https://www.veracode.com)
- Dynamic Code Analysis with black-box testing and RASP
- Penetration tests, vulnerability scanners and other tools
Testing application security needs to happen in all the application life-cycle stages, from development all the way to production, which requires constant effort and investment. Today this is called DevSecOps.
Framework & Products
Applications are usually built on existing frameworks (like ASP.NET, PHP, Java) or products (like CMSs or CRMs). Those products usually take many years to mature and require millions of lines of code in order to meet their requirements. Because of their complexity, it’s just a matter of time until some security vulnerability is discovered, and if the site owner does not upgrade their platform/product (and usually they don’t), their site can be compromised even if the developer’s own code is secure.
Here is a list of commonly used frameworks and products with their number of confirmed vulnerabilities:
- PHP: 538 vulnerabilities
- ASP.Net: 108 vulnerabilities
- Java: 527 vulnerabilities
And the list goes on (and is updated every year). This is why constantly patching all the software your site relies on is a critical factor in security.
Servers & Network
All of our applications and products need to run somewhere – this is called IT infrastructure.
Systems infrastructure encapsulates the servers, the network, and the network appliance topology and administration. Here are some things to consider when securing your network:
- Network segmentation (VLANs) with firewalls
- Secure communication like HTTPS (TLS 1.2+, certificate validation, certificate pinning), SFTP, FTPS
- OS: servers require constant updates in order to stay secure. For example, here are the numbers of known vulnerabilities in popular OSes and web servers:
- Making sure the antivirus is running and updated on all servers
- Hardening servers and network appliances
- Running a Web Application Firewall (WAF): a middlebox that tries to make sure that web requests are safe, usually by following the OWASP Top 10 and white-list techniques
- Bot & brute-force detection and prevention: fingerprinting, behavioral analysis (patterns), IP blacklists
- DoS: flood protection, heavy URIs (processing time/returned data)
- IDS and Intrusion Prevention Systems (IPS)
Creating secure sites is one of the hardest requirements; it requires the combined effort of all teams and a deep understanding of the entire infrastructure and application stack. But without security, we will lose our users’ trust, which can lead to losing our entire business.
If you want to find out more about the topics discussed in the Security chapter, I’ve created the following table where each topic is broken down to the requirements developers need to know in order to be able to fulfill it.
In the next chapter, we will learn about the new Operations considerations when designing a site.
Next part: Part 10 – Reliability