Skip to content

Instantly share code, notes, and snippets.

@jelera
Created May 18, 2019 18:15
Show Gist options
  • Save jelera/e5f265490b76caab8de76949843ed46f to your computer and use it in GitHub Desktop.
Save jelera/e5f265490b76caab8de76949843ed46f to your computer and use it in GitHub Desktop.
FSP Best Practices for Web Security

Best practices for Web Security

Flatiron Students Presents

Presented by:

  • Nick Moore
  • Jackson Robbins
  • Jose Elera

Outline

  • Intro to Web Security
  • Why web security is important?
    • As Users
      • Since computers took over information processing for humans, all your data is at risk if you don't follow simple easy-to-remember rules.
      • Protecting your digital data is as important as other possessions.
      • Being proactive is better than being blindly trusting.
      • It is not fun to deal with Identity Theft.
    • As Developers
      • We have a responsibility to create safe-as-possible applications.
      • While ideally they would have a security expert in your organization, it would be very beneficial for your career if you have a basic knowledge.
      • While No app is 100% uncrackable, we can make it really hard for would-be evildoers.
  • Common Ways of password exploits
    • User-oriented hacking
      • Weak or short passwords
      • Outdated and unpatched software (OS, Web Browsers, other malware)
      • User has a rudimentary, or none whatsoever, password management.
        • "If you have to write down your password, you are doing it wrong"
    • Frontend/Backend well-known cracking
      • SQL Injection
      • Outdated packages with known exploits
      • Weak or improperly implemented encryption
  • Web Security 101 for End Users
    • Do not write down your password
    • Do not use the same password for more than one site
    • Change periodically your passwords
    • Use a one-way-encryption Password manager
      • Use a long and hard-to-guess master password, and do not forget it.
      • Let it generate random character password for each website.
      • LastPass, Dashlane, 1Password, KeePassX
    • Use a Two-Factor Authentication (TFA) when possible (Google Authenticator, Authy)
    • It may go without saying, but, Do not share your passwords, unless you are absolutely sure of the recipient.
  • Web Security 101 for Frontend Development
    • Frontend is the first barrier out of many for would-be hackers and clueless users.
    • Do not rely on frontend safety, as it could easily be manipulated by enterprising users who, may or may not be, trying to look for security flaws.
    • Frontend validation is mostly done by making sure the data the user inputted is the one needed by the backend.
      • It could easily be turned off.
    • Frequently audit your frontend code, look for unintended data leaks.
  • Web Security 101 for Backend Development
    • Get familiar with common security threats
      • Cross-site scripting (XSS)
      • SQL Injection
      • Path Disclosure
      • Denial-of-service attack (DDoS)
      • Arbitrary code execution
      • Cross-site Request Forgery
      • Data breaches
      • Arbitrary File Inclusion
      • Buffer Overflow
      • Code Injection
    • Get familiar with common web app security risks
      • Injection
      • Broken Authentication
      • Sensitive Data Exposure
      • XML Enternal Entities (XXE)
      • Broken Access Control
      • Security Misconfiguration
      • XSS
      • Using components with known vulnerabilities
      • Insufficient Logging and Monitoring
    • Apply security checkpoints and techniques throughout the software development lifecycle.
    • Be sure to only expose limited elements of your application.
    • In most cases, whitelisting is better than blacklisting.
    • When OOP
      • Use private methods, as many as you can.
      • Monitor and Audit your setter and getters.
    • Avoid, at all costs, storing plain-text passwords
      • Salt the plain-text password
        • Each user password should have a different salt.
        • Salting will make brute-force and dictionary attacks much slower.
        • Without salting, a SQL injection attack is more likely to be successful.
        • Do not reuse salt
        • Do not let the salt be too short. -Salt
      • If the user forget the password
        • The user will have to authenticate in another way, in other to re-set the password.
        • Do not send an email to the user with their actual password.
          • This won't be able to happen because we won't be storing plain-text password.
    • There are a number of technical solutions to consider when designing, building and testing secure web applications
      • Web Application Security Scanners
      • Penetration Testing Software
      • Static Source Code Analyzers
      • Web Application Security Scanners (w3af)
      • Web Application Firewalls
      • Password Cracking Tools for testing password strength
    • Keep up to date with the Open Web Application Security Project (OWASP)
    • Get an audit from a security expert if possible.
  • Safe Practices for Databases
    • For the love of everything, Do not store plain-text passwords
  • Conclusion
  • The End
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment