It's a shame to see all those Nepal government and e-commerce sites getting hacked. I'd like to call out to all pentesters out there who can at least share some docs and links that could make our government systems more secure. The purpose of this document is to have a single source, to eliminate the overwhelming results from Google. Security is a very wide domain, just like development. If you follow these steps, dedicating some hours will prevent the basic vulnerabilities. There are already lots of tools that make developers' lives easy.
- About 90% of sites neglect security headers. Here's a link to test your website; tell your developers to fix them ASAP: https://securityheaders.com
- Everyone should be aware of the OWASP Top 10: https://owasp.org/www-project-top-ten/
- If you're building with Express.js, make sure to use the helmet package. Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help! You can secure your HTTP headers with two lines of code, so why not use it?

const helmet = require('helmet');
app.use(helmet()); // app is your Express app (const app = require('express')()); sets the default security headers on every response
- Use the OAuth 2.0 protocol for authorization. It will prevent most of the common authorization vulnerabilities.
- Use SSL/TLS to protect against MITM attacks. Let's Encrypt is free, and you can create a cron job to renew the certificate.
- Use these hashing algorithms for storing passwords, so that the passwords are not revealed even if attackers breach your database: bcrypt, crypt, Argon2, scrypt. Prefer slow hashes. Never use your own encryption algorithm. Most PHP websites use the md5 algorithm by default; avoid it.
- "Web vulnerability scanners like OWASP ZAP (free) and Burp Suite (freemium). These scanners can be used to scan and pentest low-hanging vulnerabilities easily. The use of these tools can be widened to find complex and dangerous vulnerabilities in your web application." - Sumit Sampang Rai
- "To find out vulnerabilities of your system you can use the Nessus scanner (proprietary; also comes as freeware with limitations). Similar to this you can find OpenVAS (free) to scan system vulnerabilities." - Sumit Sampang Rai
- "There should be a development protocol for creating gov sites. As long as the requirements fit, the focus should be on using static website generators over dynamic websites. Both http://gohugo.io and http://netlify.com are free and easy to secure systematically." - Siddhant Rimal