Monday, 3 November 2014

Newbie Web Programmers - what you HAVE to know about security

Clearly, programming is a journey of experience. Having lots of experience does not mean you stop making mistakes, but hopefully they become fewer and inject less risk. The problem for new programmers, and for the general public who consume the output of these programmers, is that there is no level, no bar, which is required before that programmer can publish stuff on the web. So even for web sites used by a good number of people, it is possible that the data on those sites is completely insecure, even against an entry-level hacker.

What do we do? I would like to hope that most programming courses would cover security, although whether they all do it properly is anyone's guess. Also, many people either despise the idea of spending money to improve their own skills or perhaps they don't have any access to structured training - and even if this training exists, how do we find out about it? How do we know if it is any good? We only know once we have learned enough to look back on it.

I think, however, there are a handful of basic principles that a new programmer needs to understand in order to produce something that should be reasonably secure from the beginning. This is my attempt at setting those principles:
  1. A web application is hosted on a server. Servers can have vulnerabilities in various ways, such as services running on other ports, weak web server configuration and vulnerabilities in software modules like the one we saw in OpenSSL. If you are not experienced in setting up servers securely, do NOT do it. Use a hosting/cloud company who can manage all of that for you and allow you just to upload your web application. Sure, it costs some money, but it is reasonably cheap and for any site you create you will still need to pay for the relevant DNS/IP addresses etc. anyway.
  2. Use a modern, well-featured framework. Do not think that writing applications in raw HTML or raw PHP etc. is a useful learning tool. If you want to play around with stuff, by all means write files that you test locally, but always use a framework for published apps. There are several for most languages and they provide a lot of security by default. Learn how to do things properly in the framework to ensure you keep this security.
  3. As soon as you need to deal with any user information, you MUST learn about data security, hashing and encryption choices. These services are available in most frameworks, but you must use them correctly to ensure you do not compromise the data security. NEVER invent your own security protocols/encryption/hashing mechanisms unless you are working somewhere that does that kind of thing. If you can think of it and someone hasn't done it yet, it's probably because it wouldn't work.
  4. Database injection is a very common weakness in poorly written web applications. You absolutely must NOT trust any data received from the client (browser) and you must NOT rely on browser validation of this data. All input MUST be validated on the server in some way. In some cases the same data can arrive in multiple ways (GET, POST, query string etc.), so sometimes the good data can be overwritten with bad data. Validate input using whitelists where possible (field x can only be 1-9, or field y must be an email address). Use regular expressions to validate complex data, and where you accept free-form data you MUST encode the data before storing it (to avoid injection attacks) and ensure it is suitably encoded in the browser for the same reasons.
  5. If you need to use passwords, you instantly create a honeypot for an attacker, who will assume those same passwords are used on other sites. Best practices include giving the user an indication of password strength, having some basic minimum requirements, checking the password against known common/bad passwords (like Password123), using slow hash algorithms such as PBKDF2 or bcrypt, using a per-user salt to slow down attackers and considering symmetric encryption for other personal data. Imagine someone stole your users table from the database: would you be comfortable with the data they could see or easily crack?
  6. I highly recommend spending some time learning about web application security. If you won't pay money for formal training, then you will need to read lots of web articles (make sure they are recent, from the last 3-4 years or so) before you can make sense of things. owasp.org is a great resource for all things web-security related, although the site can seem a little unfriendly. Read and learn about the OWASP Top 10; that is a great place to start to get a feel for what is important.
Never write things like I saw on Stack Overflow the other day:

var query = "SELECT * FROM CATEGORIES WHERE ID=" + catField.Text + ";";

If you ever do that, you deserve to go to prison!
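As an added illustration (not code from the original post), here is the same category lookup in Python against an in-memory sqlite3 table, showing the concatenated query above next to the whitelist validation from point 4 and a parameterised query. The table contents are constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the CATEGORIES table in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CATEGORIES (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO CATEGORIES VALUES (?, ?)",
                     [(1, "books"), (2, "music"), (3, "video")])
    return conn


def lookup_unsafe(conn, cat_field):
    # The pattern the post warns against: whatever the browser sent is pasted
    # straight into the SQL text, so it can change the meaning of the query.
    query = "SELECT * FROM CATEGORIES WHERE ID=" + cat_field + ";"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, cat_field):
    # The driver sends the value separately from the SQL, so it is only ever
    # compared against ID and is never interpreted as part of the statement.
    return conn.execute("SELECT * FROM CATEGORIES WHERE ID=?", (cat_field,)).fetchall()


def is_valid_category(cat_field):
    # Server-side whitelist from point 4: the field may only be a single digit 1-9.
    return re.fullmatch(r"[1-9]", cat_field) is not None


def lookup_safe(conn, cat_field):
    # Reject anything outside the whitelist before it reaches the database,
    # then use the parameterised query anyway (defence in depth).
    if not is_valid_category(cat_field):
        raise ValueError("invalid category id")
    return lookup_parameterised(conn, int(cat_field))
```

Running lookup_unsafe with a value such as "0 OR 1=1" returns every row, while lookup_parameterised returns nothing for it and lookup_safe refuses it outright.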