The ten commands of security - Jobert Abma (PyGrunn conference)

Tags: python, pygrunn, django

He’s an ethical hacker at online24, hacking SME and government websites as a job.

Some items to keep in mind regarding security.

  • Your application isn’t the only attack vector. Your app is on a server. Who has access to that server? Which other apps run on that server? And the bigger the organization, the more chances for “social engineering”: for instance mimicking an employee and asking for a password for xyz.

  • Conduct risk assessments to identify risks. Identify the risks, only then can you take action on them. Rate your identified risks.

  • Only trust your own code. And double check. It is not OK to rely implicitly on the underlying platform.

  • Something that can solve a lot of major issues: security by design. Design it in. Centralize certain processes like validation or authentication and make them secure.

  • Always be aware of technical issues. If you catch errors, make sure you know when something goes wrong because of catching the errors, for instance.

  • Time (mis)management is a big problem. If you don’t have enough time to properly do security, you’ll have problems. Jobert thinks the big playstation hack was a security risk they were aware of, but just didn’t have/got the time to properly fix it.

  • Change management: keep track of design documentation. Make sure you keep the design documents up to date, otherwise you won’t see the impact on security that a certain change could have. Also keep the risk assessment up to date when making changes!

  • Most important aspect in securing an application: the process design. If the checkout process in a web shop isn’t properly designed, you can have a serious security breach.

  • Security is more important than usability, even though people sometimes say the opposite. Look at a “lost password” form. Don’t say “this email adress is invalid” when the email address isn’t in your database as that means you’re saying that all non-failing addresses ARE in your database. Suddenly the attacker has the first half of the user/password combination! But you can get good usability anyway by saying “An email was send. If you don’t get a mail, try again (or your email address wasn’t in our database).”

  • Information is power. But do you want to have the power? Don’t store unencrypted passwords, as they can only get stolen. Minimize the risks of your application. Just hash the passwords, for instance.

  • Input is dangerous. Handle it that way. Look for instance at django’s good offensive input filtering and sanitization.

Dutch moor
 
vanrees.org logo

Reinout van Rees

My name is Reinout van Rees and I program in Python, I live in the Netherlands, I cycle recumbent bikes and I have a model railway.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):