Web Security:Build It Right

An introduction to security best practices

Why Your Security Savvy Really Matters

Why Your Security Savvy Really Matters

Guess what gets exploited the most? The lazy developers and the low hanging fruit.

Web security means not putting out anything delicious to be taken.
Web security requires careful craftsmanship.

Why Your Security Savvy Really Matters

The easy targets are made by developers who:

  • Only consider the ideal user
  • Don't go the extra* mile in setup
  • Are too rushed
  • Never learned better

OWASP.org: Open Web Application Security Project

When you use good security practices you will...

Reduce fraud and theft

Shield your clients from vandalism

Protect against data loss

Create applications that don't take any $#*!

Sleep easier

Get started right now, do what you can as often as you can.

This will save you many headaches in the long run.

So let's do it

You just follow along with me today.

Here are 12 Web Security Best Practices you can use today and errday

Default Credentials in Place

No guessing involved!

Root user vulnerable?

Rename users, reroll passwords.

Every Path and Port is the Default

Predictability makes everything easy.

Customize servers to your needs and liking.

See also: Security through obscurity.

No Timeout Between Failed Attempts

How many password guesses can I make in 5 minutes?

Consider lockout after too many bad attempts.

See also: Brute force attacks.

Allowing Weak Passwords

Would you let your admin users use "password"?

Validate for length, content, and dictionary words

Encourage a password that no one could remember.

See also: two factor auth.

Sanitizing Input

Pretend everything was a piece of food dropped on the street in NYC. You would not put that in your mouth!

Don't assume your users are giving you data that was any cleaner.

Look at data type, special chars, length

// Never Ever Do This. I will slap you.
$sql = "UPDATE users SET(username, user_level, password)
  VALUES('{$_POST['username']}', '{$_POST['user_level']}', '{$_POST['password']}')
  WHERE users.id = '{$_POST['user_id']}';";

Be Militant About Requests

Allow both POST and GET to anything?

Proper authentication on your API endpoints.

Ask: should this be allowed?

Lock it down like Alcatraz.

// Let's say we have a gift card service platform with API 
public function add_dollars(int $company_id, int $account_id, float $dollars){
  // Is this account an actual valid card with this company?
  if($this->auth_valid_card_number($company_id, $account_id) === false) 
    throw new \Exception('Invalid account.');
  // Random numbers thrown at our API should not get this far.
  return $this->account_model->add_dollars($account_id, $dollars);

Dynamic URIs

Some will require authentication, like user profiles.

Ask yourself, who should see this page?

// This could serve up some really sensitive information
// access by website.com/my-transactions/1
public function my_transactions(){
  $user_id = $this->uri->segment(2);
  // What is stopping the user from just hitting /my-transactions/2 ? Nothing!
  $vars = $this->db->where('user_id', $user_id)->get('transactions');
  // Anybody's data will load here
  $this->load->view('my_transactions', $vars);

SQL Injection

Again, everything is tainted.

$sql = "SELECT ALL FROM transactions WHERE id = '{$_POST['trans_id']}'";

// What if $_POST['trans_id'] = "1' OR amt != '0" ?
$sql = "SELECT ALL FROM transactions WHERE id = '1' OR amt != '0'";

// Why, you could give away quite a lot of sensitive data!

Including Sensitive Files in your GIT Repo

Do not push repos with ANY sensitive data ever committed to a public site.

Bots look for this.

Gitignore is your friend.

Apache: Indexes Enabled

You can always put a blank index.html in every directory.

Disable indexes if using Apache.

Leaving Sensitive Files on a Server

Full zipped copies

Search-and-replace DB scripts

Remove or disable all of these.

Error Message are Too Revealing

Let's handle our errors nicely, please

Showing file names and stack traces?

Give a short fail message.

Do you need to think like a hacker to be good at security?

No, but it won't hurt you.

Set a goal to start securing your code.

Need more motivation? Get a little scared.


What Next?

  • Breathe a big sigh of relief that your code is good
  • Bring a security minded attitude towards all new projects
  • Use these slides for your own presentation
  • For feedback or assistance click the link below: