The ten commands of security - Jobert Abma (PyGrunn conference)
He’s an ethical hacker at online24, hacking SME
and government websites as a job.
Some items to keep in mind regarding security.
- Your application isn’t the only attack vector. Your app is on a server. Who
has access to that server? Which other apps run on that server? And the
bigger the organization, the more chances for “social engineering”: for
instance mimicking an employee and asking for a password for xyz.
- Conduct risk assessments to identify risks. Identify the risks, only then
can you take action on them. Rate your identified risks.
- Only trust your own code. And double check. It is not OK to rely implicitly
on the underlying platform.
- Something that can solve a lot of major issues: security by design. Design
it in. Centralize certain processes like validation or authentication and
make them secure.
- Always be aware of technical issues. If you catch errors (exceptions), make
  sure a failure still gets noticed: an exception that is caught and silently
  swallowed can hide a broken check or an attack in progress.
- Time (mis)management is a big problem. If you don’t have enough time to
  properly do security, you’ll have problems. Jobert thinks the big
  PlayStation hack was a security risk they were aware of, but just didn’t
  get the time to properly fix.
- Change management: keep track of design documentation. Make sure you keep
the design documents up to date, otherwise you won’t see the impact on
security that a certain change could have. Also keep the risk assessment up
to date when making changes!
- Most important aspect in securing an application: the process design. If the
checkout process in a web shop isn’t properly designed, you can have a
serious security breach.
- Security is more important than usability, even though people sometimes say
  the opposite. Look at a “lost password” form. Don’t say “this email address
  is invalid” when the address isn’t in your database: you are then telling
  the attacker that every address that does NOT fail IS in your database.
  Suddenly he has the first half of the username/password combination, and
  can harvest the rest by trying a list of addresses. You can keep good
  usability anyway by always giving the same answer: “An email was sent. If
  you don’t get a mail, try again (or your email address wasn’t in our
  database).”
- Information is power. But do you want to have the power? Don’t store
  plaintext (or reversibly encrypted) passwords, as they can only get stolen.
  Minimize the risks of your application. Store a salted, slow hash of the
  password instead, for instance.
- Input is dangerous. Handle it that way. Look for instance at Django’s
  defensive handling of input: form validation on the way in and automatic
  escaping in templates on the way out.
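The “lost password” point above, worked out as an added example (this is my own illustration, not code from the talk or from Jobert): the leaky handler and the uniform one side by side, with a constructed in-memory user table and a fake outbox so it runs offline. Function and variable names are this example’s own.

```python
"""Lost-password form: enumerating response vs. uniform response.

Added example (not from the talk). The user table and the outbox are
constructed in memory so the code runs offline.
"""
import secrets

# Constructed sample "database" of registered accounts.
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# Stand-in for the mail server: (address, token) pairs that would be sent.
OUTBOX = []


def _send_reset_mail(email):
    token = secrets.token_urlsafe(32)  # unguessable single-use reset token
    OUTBOX.append((email, token))


def request_reset_leaky(email):
    """The pattern the talk warns against: the error text tells the caller
    whether the address is in the database, so probing a list of candidate
    addresses yields the valid half of every username/password pair."""
    if email not in REGISTERED_EMAILS:
        return "This email address is invalid"
    _send_reset_mail(email)
    return "An email was sent"


UNIFORM_MESSAGE = ("An email was sent. If you don't get a mail, try again "
                   "(or your email address wasn't in our database).")


def request_reset_uniform(email):
    """Same text for known and unknown addresses. The lookup still happens,
    only the mail send is conditional, so the page itself leaks nothing.
    (In a real app hand the send to a queue: a slow synchronous send would
    leak the same fact through the response time.)"""
    if email in REGISTERED_EMAILS:
        _send_reset_mail(email)
    return UNIFORM_MESSAGE


def responses_distinguish(handler, known, unknown):
    """Attacker's view: can the two responses be told apart?"""
    return handler(known) != handler(unknown)


def mails_sent_to(email):
    """How many reset mails the fake outbox holds for an address."""
    return sum(1 for addr, _ in OUTBOX if addr == email)
```

The uniform version still sends mail only to registered addresses; the attacker just no longer gets told which those are. The timing remark in the docstring matters in practice: if the only difference between the two branches is a slow SMTP round trip, the response time becomes the oracle instead of the text.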
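The “just hash the passwords” point above, as an added example of mine (not code from the talk): a fast unsalted hash next to a salted, iterated one with constant-time verification. The iteration count and the `algorithm$iterations$salt$digest` storage format are this example’s own assumptions, not a particular framework’s.

```python
"""Storing passwords: a fast unsalted hash vs. a salted, slow one.

Added example (not from the talk). The iteration count and the storage
format below are this example's own choices.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed value; raise it as hardware gets faster
SALT_BYTES = 16


def naive_hash(password):
    """What 'just hash it' must NOT mean: one fast hash and no salt.
    Equal passwords give equal digests, and a precomputed table breaks it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest
    so the parameters can be raised later without losing old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, iterations)
    return hmac.compare_digest(recomputed, expected)
```

Two things to notice when running it: `naive_hash` gives the same digest for every user with the same password, so a single cracked entry unlocks all of them, while `hash_password` produces a different record every call because of the fresh salt. The `compare_digest` call keeps the comparison time independent of how many leading bytes match.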
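The “input is dangerous” point and the earlier “centralize validation” point, as one added example of mine (not code from the talk and not Django’s own code): a single schema that validates every field of a hypothetical checkout form, rejects fields the form never asked for, and escapes at output time rather than mangling the input. Field names, limits and the email regex are this example’s assumptions.

```python
"""Centralised input validation and output escaping for a checkout form.

Added example (not from the talk and not Django's code). Field names,
limits and the regex are this example's assumptions.
"""
import html
import re

# Deliberately strict: decide what is allowed instead of trying to
# enumerate what is dangerous.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    pass


def clean_email(value):
    value = str(value).strip()
    if len(value) > 254 or not EMAIL_RE.match(value):
        raise ValidationError("invalid email address")
    return value.lower()


def clean_quantity(value, low=1, high=100):
    try:
        number = int(str(value).strip())
    except ValueError:
        raise ValidationError("quantity must be a whole number")
    if not low <= number <= high:
        raise ValidationError("quantity must be between %d and %d" % (low, high))
    return number


def clean_name(value, max_len=80):
    value = str(value).strip()
    if not value or len(value) > max_len or any(c in value for c in "\r\n\0"):
        raise ValidationError("invalid name")
    return value     # stored verbatim; escaped at output time in render_greeting


# One place that knows which fields exist and how each one is validated.
CHECKOUT_SCHEMA = {"email": clean_email, "quantity": clean_quantity,
                   "name": clean_name}


def check_form(raw, schema=CHECKOUT_SCHEMA):
    """Return (cleaned, errors). Every field is validated, unknown fields are
    rejected, and nothing reaches the caller unless errors is empty."""
    cleaned, errors = {}, {}
    for field, validator in schema.items():
        try:
            cleaned[field] = validator(raw.get(field, ""))
        except ValidationError as exc:
            errors[field] = str(exc)
    extra = set(raw) - set(schema)
    if extra:
        errors["__all__"] = "unexpected fields: " + ", ".join(sorted(extra))
    return ({} if errors else cleaned), errors


def render_greeting(name):
    """Output escaping: the stored name is untrusted, so it is escaped here,
    in the HTML context, rather than filtered at input time."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)
```

The split between `clean_name` (accept, bound the length, reject control characters) and `render_greeting` (escape for the context it is emitted into) is the same split Django makes between form validation and template auto-escaping: validation decides whether the value is plausible, escaping makes it harmless wherever it ends up.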