
Security Noob? Considerations for Developers

Gemma
10 min readJun 27, 2021

It sounds kind of boring, and finding out about and fixing these things often is boring. It is also the most important consideration of all, and it is usually left until last when you're building a new product or service.

If you're not on top of security and there is a major breach, you risk the corporate witch hunt and losing your job. The business risks losing contracts, and possibly going bankrupt if it has to pay out for lost business, disruption or theft; the list goes on. Too often business folks assume the insurance will cover it, and technical folks don't think about the business implications.

I am telling you now that the insurer probably doesn't cover it. And no one wants to lose their job over something like that, right?

So what are the key things you should think of when it comes to security? It's fine, we'll just leave it until the penetration tester comes back and tells us.

Well, no. You should have considered all these things well before that point.

Penetration testing

What does pen testing cover? This is certainly not a comprehensive list, but it typically covers the following: security auditing and network mapping, vulnerability scanning, packet sniffing, man-in-the-middle attacks and brute force attacks.

Now, I'm not saying you should try to do the highly specialised job of a pen tester, who has trained for years and has a lot of specific knowledge. But being aware of some of the tools, techniques and common pitfalls can really help. It is also unrealistic to expect anyone to run some tests in a couple of days and discover every vulnerability you may have. Many of these checks need to be ongoing, because cybersecurity is a day-to-day requirement, not a one-off event. It is also a HUGE area and there is no way I can do it justice here.

If in doubt ask a security specialist.

Security Auditing and Network Mapping

If you want to feel like you're working in The Matrix, then you need to look at network mapping and a security auditing tool such as Nmap, which is free and open source.

If your team has the capacity, I would recommend running Nmap against your own address ranges at regular intervals and comparing the results with a known-good baseline, so you know exactly which services are listening. Is an unauthorised program running? Has a bad actor set up a daemon (background process) to allow himself access to one of your systems? Does a port show up that nobody on the team can explain?

It is not intuitive to learn, but it may well be worth the hassle depending on your level of risk exposure and lack of specialised resources.
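As an added example (not from the original article), here is a small Python script that compares two Nmap grepable-output (-oG) files and reports every service that is listening now but was not in the baseline. The two scan results below are constructed samples in Nmap's -oG format, not real scans; the addresses, hostnames and the nmap command lines in the docstring are assumptions.

```python
"""Diff two Nmap grepable (-oG) scan results and flag newly exposed services.

Typical use (commands assumed, not from the original article):
    nmap -sV -oG baseline.gnmap 10.0.0.0/28     # once, when the network is known-good
    nmap -sV -oG current.gnmap  10.0.0.0/28     # on a schedule (cron, CI job, ...)
    python nmap_diff.py baseline.gnmap current.gnmap
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample output (not real scan results); addresses are private ranges.
BASELINE_SCAN = """\
# Nmap 7.91 scan initiated as: nmap -sV -oG baseline.gnmap 10.0.0.0/28
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 443/open/tcp//https//nginx/
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 5432/open/tcp//postgresql//PostgreSQL 12/
"""

CURRENT_SCAN = """\
# Nmap 7.91 scan initiated as: nmap -sV -oG current.gnmap 10.0.0.0/28
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 443/open/tcp//https//nginx/, 4444/open/tcp//krb524?///
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 5432/open/tcp//postgresql//PostgreSQL 12/
Host: 10.0.0.9 ()\tPorts: 23/open/tcp//telnet///
"""

Service = Tuple[int, str, str]          # (port, protocol, service name)

# One -oG port entry looks like: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, Set[Service]]:
    """Map each host address to the set of services Nmap reported as open."""
    hosts: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                     # comment and status lines
        fields = line.split("\t")        # -oG separates Host/Ports/... with tabs
        address = fields[0].split()[1]
        open_services: Set[Service] = set()
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                match = PORT_RE.match(entry.strip())
                if match and match.group(2) == "open":
                    open_services.add((int(match.group(1)), match.group(3), match.group(4)))
        hosts[address] = open_services
    return hosts


def new_exposures(baseline: Dict[str, Set[Service]],
                  current: Dict[str, Set[Service]]) -> List[Tuple[str, int, str, str]]:
    """Services open in the current scan that the baseline did not contain.

    A host missing from the baseline has all of its services reported: a machine
    nobody knew about is at least as interesting as a new port on a known one."""
    findings = []
    for address, services in current.items():
        known = baseline.get(address, set())
        for port, proto, name in sorted(services - known):
            findings.append((address, port, proto, name))
    return findings


def main(argv: List[str]) -> None:
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            baseline, current = parse_gnmap(f1.read()), parse_gnmap(f2.read())
    else:                                # no files given: run on the constructed samples
        baseline, current = parse_gnmap(BASELINE_SCAN), parse_gnmap(CURRENT_SCAN)
    for address, port, proto, name in new_exposures(baseline, current):
        print(f"NEW {address} {port}/{proto} {name or '?'}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data this flags 4444/tcp on web01 (an unexplained listener) and a whole new host answering on telnet. The point is the baseline: a scan on its own just gives you a list, while a diff against what you expect gives you something to act on.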

A quick how-to guide on Nmap, with demos, is here:

https://nmap.org/book/nmap-overview-and-demos.html

Vulnerability Scanning

Scanning tools like Nessus probe systems for known vulnerabilities and misconfigurations, which gives the penetration tester a list of potential attack vectors for gaining access to a target network or system. Nessus is a commercial product, but Tenable offers a free tier (Nessus Essentials, limited to 16 IP addresses). If you're interested in a job in cybersecurity, then this could be a good free tool to start with.

https://www.tenable.com/products/nessus

Network Sniffing

“Sniffing attack or a sniffer attack, in the context of network security, corresponds to theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer.[1] Using a sniffer application, an attacker can analyze the network and gain information to eventually cause the network to crash or to become corrupted, or read the communications happening across the network.[2]”

The obvious ways to protect against packet sniffing are to use encrypted protocols everywhere: HTTPS (TLS) for web traffic, SSH instead of Telnet or FTP, and a VPN for anything that has to cross a network you don't control. Network monitoring and scanning tools should be set up to alert your teams to possible bad actors, and to any cleartext protocol that shows up where it shouldn't.

Don't let your developers log onto work accounts of any kind from public internet connections. Sounds obvious, but I have seen this in the startup world. They should use a VPN for working from home. Again, this sounds obvious.

A sniffer intercepts and logs traffic so you can see exactly what is crossing the wire. To audit your own network for cleartext credentials, unexpected protocols and other anomalies, you need a tool like Wireshark (or its command-line sibling, tshark).
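To make the risk concrete, here is an added example (not from the original article) of what an attacker, or your own audit, can read straight out of captured traffic. The "capture" is a constructed list of packets with made-up addresses and credentials; in practice you would export these fields from Wireshark/tshark or read a pcap with a library such as scapy, but the detection logic is the same. Note that the TLS packet in the sample yields nothing, which is the whole point of encrypting.

```python
"""Pull cleartext credentials and cleartext protocols out of captured packets.

Added example: SAMPLE_CAPTURE is constructed, not real traffic.
"""
import base64
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known ports whose protocols carry credentials unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample capture (private addresses, made-up credentials).
SAMPLE_CAPTURE: List[Packet] = [
    Packet("10.0.0.23", "10.0.0.5", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
           b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    Packet("10.0.0.23", "10.0.0.7", 21, b"USER backup\r\n"),
    Packet("10.0.0.23", "10.0.0.7", 21, b"PASS Winter2021!\r\n"),
    # TLS ClientHello fragment: the session is encrypted, nothing readable here.
    Packet("10.0.0.23", "10.0.0.5", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]


def cleartext_summary(packets: List[Packet]) -> Dict[str, int]:
    """Count packets per cleartext protocol, so the audit shows what should not be there."""
    counts = Counter(CLEARTEXT_PORTS[p.dport] for p in packets if p.dport in CLEARTEXT_PORTS)
    return dict(counts)


def find_cleartext_credentials(packets: List[Packet]) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, protocol, credential) for every credential readable in the capture."""
    findings = []
    ftp_users: Dict[Tuple[str, str], str] = {}   # USER seen so far, per client/server pair
    for p in packets:
        if p.dport == 80:
            # HTTP Basic auth is just base64, which is encoding, not encryption.
            for line in p.payload.split(b"\r\n"):
                if line.lower().startswith(b"authorization: basic "):
                    token = line.split(b" ", 2)[2]
                    try:
                        cred = base64.b64decode(token, validate=True).decode("utf-8", "replace")
                    except ValueError:        # malformed token: skip it
                        continue
                    findings.append((p.src, p.dst, "HTTP Basic", cred))
        elif p.dport == 21:
            # FTP sends USER and PASS as separate plain-text commands.
            text = p.payload.decode("ascii", "replace").strip()
            if text.upper().startswith("USER "):
                ftp_users[(p.src, p.dst)] = text[5:]
            elif text.upper().startswith("PASS "):
                user = ftp_users.get((p.src, p.dst), "?")
                findings.append((p.src, p.dst, "FTP", f"{user}:{text[5:]}"))
    return findings


if __name__ == "__main__":
    print("cleartext protocols seen:", cleartext_summary(SAMPLE_CAPTURE))
    for src, dst, proto, cred in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{proto}: {src} -> {dst}: {cred}")
```

Run it and you get alice's and backup's passwords in plain text, from four packets. A monitoring rule that alerts on any traffic to the CLEARTEXT_PORTS on your internal network is cheap and catches the same thing before an attacker does.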

Man in the middle attacks

For the best-practice approach to mitigating man-in-the-middle attacks you should consider the following:

Strong Wi-Fi encryption on access points: WPA2 or WPA3. WEP and WPA with TKIP are broken and should not be used.

Strong router login credentials (change the defaults).

Virtual private network for any traffic that crosses a network you don't control.

Force HTTPS: redirect HTTP to HTTPS and send a Strict-Transport-Security header so browsers never downgrade.

Public key based authentication: TLS certificates that clients actually verify, and SSH keys rather than passwords.

Products like Burp Suite are the tools many pen testers use to find these vulnerabilities. Burp has a free Community Edition, and OWASP ZAP is a fully free alternative.
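Two of the items above are things a developer implements directly, so here they are as an added example (not from the original article): forcing HTTPS with HSTS on the server side, and a TLS client context that actually verifies the server, next to the "just disable verification" anti-pattern that turns a certificate warning into a silent man-in-the-middle. The request tuple shape and the one-year HSTS value are assumptions.

```python
"""Force HTTPS (with HSTS) on the server, and verify TLS properly on the client.

Added example, not from the original article.
"""
import ssl
from typing import Dict, Optional, Tuple

HSTS_VALUE = "max-age=31536000; includeSubDomains"    # one year, covers subdomains


def force_https(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Server side: redirect plain HTTP to HTTPS; on HTTPS, tell browsers never to downgrade.

    Returns (status, headers). Browsers ignore Strict-Transport-Security received over
    plain HTTP, so the header is only sent on the secure branch."""
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


def secure_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client side: verify the certificate chain and the hostname, TLS 1.2 or newer.

    ca_bundle pins trust to your own CA file (handy for internal services);
    None uses the platform's default trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: the 'fix' for a certificate error that many forum answers suggest.

    With verification off, anyone on the path can present any certificate and read or
    alter the traffic. This is exactly the man-in-the-middle scenario."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be turned off before verify_mode can be
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """A check you can put in a test suite so the anti-pattern never ships."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```

If a certificate error appears in development, the correct response is to fix the certificate (or add your internal CA via ca_bundle), not to reach for insecure_client_context; the context_is_safe check exists so that a reviewer can assert the setting rather than hope for it.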

Brute Force Attacks

“In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.”

How do you mitigate this? Some common best practices that should be on your requirements hit list for password security:

Limit failed login attempts (throttle or lock out an account or source address after a handful of failures).

Make the root user inaccessible via SSH: set PermitRootLogin no in sshd_config, and prefer key-based authentication (PasswordAuthentication no) to passwords altogether.

Don't use the default port: edit the Port line in sshd_config. This cuts down the noise from automated scanners, but it is obscurity rather than a control, so don't rely on it.

Use a CAPTCHA. It slows down automated attempts (it is not a DDoS defence) and has its own weaknesses.

Limit logins to a specified IP address or range.

Multi-factor authentication (two factors at a minimum).

Unique login URLs (again, this reduces noise rather than stopping a determined attacker).

Monitor server logs for anomalies.
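The first and last items on that list go together: you can only limit failed attempts if something is counting them. As an added example (not from the original article), here is a small detector over sshd auth.log lines, using a sliding window, that produces the block rules. The log lines are constructed samples in the standard sshd/syslog format; the threshold, window and year are assumptions (syslog timestamps carry no year). Tools like fail2ban do exactly this loop in production.

```python
"""Spot SSH brute force attempts in auth.log and decide which sources to block.

Added example, not from the original article. SAMPLE_AUTH_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

SAMPLE_AUTH_LOG = """\
Jun 27 10:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 27 10:01:03 web01 sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:abc
Jun 27 10:01:04 web01 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jun 27 10:01:05 web01 sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jun 27 10:01:06 web01 sshd[1209]: Failed password for deploy from 192.0.2.10 port 60001 ssh2
Jun 27 10:01:07 web01 sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Jun 27 10:01:09 web01 sshd[1213]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 27 10:01:11 web01 sshd[1215]: Failed password for invalid user ubuntu from 203.0.113.7 port 51239 ssh2
Jun 27 10:01:30 web01 sshd[1217]: Accepted publickey for deploy from 192.0.2.10 port 60002 ssh2: ED25519 SHA256:def
"""

# "invalid user" appears when the username does not exist on the box; both forms count.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_brute_force(log_text: str, threshold: int = 5,
                     window: timedelta = timedelta(minutes=10),
                     year: int = 2021) -> Dict[str, datetime]:
    """Return {source_ip: time the threshold was crossed} for every source with at
    least `threshold` failed passwords inside a sliding `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                  # successes and unrelated lines
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:               # forget failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_commands(offenders: Dict[str, datetime]) -> List[str]:
    """Turn findings into firewall rules (iptables shown; adapt to your firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_brute_force(SAMPLE_AUTH_LOG)
    for ip, when in found.items():
        print(f"{ip}: threshold crossed at {when:%H:%M:%S}")
    print("\n".join(block_commands(found)))
```

In the sample, 203.0.113.7 crosses five failures at 10:01:09 and gets blocked; 192.0.2.10 fails once and then logs in with a key, which is normal and must not trigger anything. Tune the threshold so a user fat-fingering a password twice is never locked out, and remember that blocking by source address does nothing against a botnet spreading attempts across thousands of IPs, which is why the real fix is keys and MFA rather than rate limiting alone.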

The final one I would add to this is session state. Ensure that if your user doesn't log out, their session expires anyway: an idle timeout, an absolute lifetime, and a fresh session identifier after login. I have noticed this missed a number of times, particularly on startups' web apps, potentially exposing their customers. For the full rundown, scroll down to the session expiration section of the OWASP cheat sheet (their cheat sheet series on security topics is very thorough).

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
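As an added example (not from the original article or the OWASP cheat sheet), here is a minimal server-side session store that does the three things above: an idle timeout, an absolute lifetime, and ID rotation after login. Time is passed in as seconds so the behaviour can be exercised without waiting; the 15-minute and 8-hour limits are assumptions, and the right values depend on your application.

```python
"""Server-side session store with idle timeout, absolute lifetime and ID rotation.

Added example, not from the original article. `now` is a timestamp in seconds
(time.time() in production); timeouts are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created: float        # fixes the absolute lifetime
    last_seen: float      # drives the idle timeout


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: Dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout

    def create(self, user: str, now: float) -> str:
        """Issue an unguessable session ID (128 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str, now: float) -> Optional[str]:
        """Return the user behind a valid session, or None.

        Expired sessions are deleted on sight, so a stale cookie is useless even
        if the user never clicked 'log out'."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_seen = now            # sliding idle window
        return s.user

    def rotate(self, sid: str, now: float) -> Optional[str]:
        """Swap the ID after login or a privilege change (defeats session fixation).

        The original creation time is kept, so rotation does not extend the absolute lifetime."""
        if self.resolve(sid, now) is None:
            return None
        old = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = Session(old.user, old.created, now)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def sweep(self, now: float) -> int:
        """Housekeeping for sessions nobody touched again; returns how many were purged."""
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```

The cookie carrying the ID still needs the Secure, HttpOnly and SameSite attributes, and the store itself needs to live somewhere shared (a database or cache) once you have more than one app server; none of that changes the expiry logic above.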

You can use tools like John the Ripper (or hashcat) to test how quickly your users' password hashes can be cracked, which tells you whether your password policy and hashing are up to scratch.

So we've considered some of what a penetration tester would cover, but what should we consider as part of our day-to-day development work, before we hire that pen tester and hang our heads in shame at the list of horrors that might come back? Well, there are some best-practice approaches and considerations that I've started to list out below, with links to resources and folks more knowledgeable than me.

Secrets Management

Do you have a policy? What are you going to do when one of your team leaves? On the day they leave they should no longer have access to your systems and services. Most big organisations have this covered, but then you hear the story about the ex-developer who still has access to the company GitHub repo...

It is staggering how basic this is, and the stories of it being overlooked will make you cringe.

Differentiate between secrets and identifiers. Cloud providers do this with separate tools: AWS has Parameter Store (configuration values, connection strings, licence codes, and optionally encrypted secure strings) and Secrets Manager (passwords and API keys, with built-in rotation), while for identities it has Identity and Access Management (IAM) to restrict which principals may call which services under which conditions; other cloud providers have something similar. Creating roles with specific, minimal permissions establishes a defined trust relationship between services. These are principles of separation and least privilege, and they should be applied regardless of the complexity of your solution.

Encrypt Data Using a KMS 🔑

You should be able to encrypt an entire file with one encryption key, and individual pieces of data within that file with different keys (envelope encryption: a data key per object, wrapped by a master key that never leaves the KMS). That way you can share specific parts of the data without exposing the rest, which limits the blast radius of any compromise. Most cloud providers have solutions for this. You can read more about the AWS solution here.

https://aws.amazon.com/kms/

Rotate Secrets Frequently

Secrets leak through logs and cache data. They get shared for debugging purposes and are not changed or revoked once the debugging is complete, which obviously hands an attacker a way in. Rotating secrets is the straightforward fix: you can set a rotation schedule in products like AWS Secrets Manager, but it is also a good basic principle and you should have a policy for how you manage it across your systems and services. The same goes for automating the credentials used for system access and management. Off-the-shelf solutions are key here. I have seen developers try to create their own bespoke solutions... 🤦‍♀️ Please don't do this unless you have an overwhelming use case for it.
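Rotation limits how long a leaked secret is useful; stopping the leak at the log line is the other half. As an added example (not from the original article), here is a redaction function and a logging.Filter that scrubs messages before any handler writes them. The patterns cover a few common shapes (AWS access key IDs, key=value pairs whose key name suggests a secret, HTTP Authorization credentials, PEM private keys); extend them for the secret formats your own systems use. All sample values are constructed, including the well-known AWS documentation example key.

```python
"""Keep secrets out of logs: a redaction function plus a logging.Filter that applies it.

Added example, not from the original article.
"""
import io
import logging
import re

PATTERNS = [
    # PEM-encoded private keys, usually spanning several lines.
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED_PRIVATE_KEY]"),
    # HTTP Authorization credentials: keep the scheme, drop the token.
    (re.compile(r"(?i)\b(Basic|Bearer)\s+[A-Za-z0-9+/._~=-]+"), r"\1 [REDACTED]"),
    # AWS access key IDs have a fixed, recognisable shape.
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    # key=value or key: value where the key name suggests a secret. Deliberately broad:
    # a false positive costs a little context, a false negative costs a credential.
    (re.compile(r"(?i)\b([\w-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w-]*)(\s*[=:]\s*)(\S+)"),
     r"\1\2[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace anything that looks like a secret with a placeholder."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs the message and its arguments before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):              # logger.info("%(pw)s", {"pw": ...})
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:                              # logger.info("%s", value)
            record.args = tuple(redact(str(a)) for a in record.args)
        return True                                    # never drop the line, just clean it


def log_with_redaction(message: str, *args) -> str:
    """Log one message through the filter and return exactly what the handler wrote."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("redaction-demo")          # standalone, not the global hierarchy
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    return buffer.getvalue().rstrip("\n")


if __name__ == "__main__":
    print(log_with_redaction("db login for %s failed: %s", "app", "password=hunter2"))
    print(log_with_redaction("header was Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"))
```

In a real service, attach the filter to the root logger (or to every handler, if third-party libraries log through their own loggers) so nothing bypasses it, and treat any secret that did reach a log as compromised: rotate it, then fix the pattern that missed it.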

Customer-facing

For customer-facing web and mobile applications, you may want to consider products like AWS Cognito, which handles sign-up, sign-in and token issuance for you, including federated login via social media accounts, so you don't end up writing your own authentication.

https://aws.amazon.com/cognito/

Store Secrets Responsibly

Password management should enforce the creation of strong passwords and keep them in a standardised secrets management product (see above). Any sharing of passwords should be done through the same tool, via links or tokens that expire, never over chat or email.

Detect Unauthorized Access

Well, there's a lot to cover with cybersecurity; each specific attack type is a topic in its own right. I have only touched on some of the most common in this article, but one that every developer who touches a database needs to understand is SQL injection, which remains one of the most common of all.

SQL Injection Attacks

So… what are they, and how do you prevent them? Megan Kaczanowski has done a far better job than I ever will of describing this. I suggest you read her article.
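As an added example (not from the original article or the linked one), here is the vulnerable query next to its parameterised fix, runnable against an in-memory SQLite database so you can watch the bypass happen. The users and passwords are constructed; the sha256 hashing is only there to keep the example short, a real application uses a slow, salted hash such as bcrypt, scrypt or Argon2.

```python
"""SQL injection: the vulnerable query beside the parameterised one, runnable with sqlite3.

Added example, not from the original article. Sample users are constructed.
"""
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Demo only: use bcrypt/scrypt/Argon2 with a per-user salt in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", hash_password("correct horse")), ("bob", hash_password("battery staple"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input is pasted into the SQL text, so it can rewrite the query.

    username = "alice' --" turns the WHERE clause into   username = 'alice' --...
    and everything after the comment marker, including the password check, is ignored."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password_hash = '{hash_password(password)}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """FIXED: placeholders keep data as data; the driver never lets it become SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


def count_users_vulnerable(conn: sqlite3.Connection, name_filter: str) -> int:
    """VULNERABLE search: the input "' OR '1'='1" matches every row (the classic data dump)."""
    query = f"SELECT COUNT(*) FROM users WHERE username = '{name_filter}'"
    return conn.execute(query).fetchone()[0]


def count_users_safe(conn: sqlite3.Connection, name_filter: str) -> int:
    """FIXED: the same search with a bound parameter; the payload is just an odd username."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?", (name_filter,)).fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with \"alice' --\":", login_vulnerable(db, "alice' --", "anything"))
    print("safe login with the same input:    ", login_safe(db, "alice' --", "anything"))
    print("vulnerable search rows:", count_users_vulnerable(db, "' OR '1'='1"))
    print("safe search rows:      ", count_users_safe(db, "' OR '1'='1"))
```

The fix is not escaping or a blocklist of quote characters; it is never building SQL text from input at all. Every mainstream driver and ORM supports bound parameters, and a grep for f-strings or string concatenation next to execute() is a cheap code-review check.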

DevSecOps

A typical DevOps workflow: Code — Commit — Build and Configure — Scan and Test — Release — Deploy.

Is anything obviously missing here?

Well, it's security, and DevSecOps was born to fix that: security work moves into the pipeline instead of being bolted on at the end. The key components of DevSecOps are summarised here:

Short, iterative software development lifecycle with embedded automated security checks (dependency, secret and static analysis scanning on every build).

Repeatable development environments with homogenous security controls.

Version-controlled CI pipeline.

Process for implementing organization- or team-wide changes to said pipelines to facilitate post-incident security investigations.

Robust documentation, preferably using declarative methods that enable security as code.

A culture of encouraging innovation and tolerating the failure that accompanies it.

You can read more about the differences and how they fit together here. 👀

I wonder why this wasn't the de facto standard earlier.

If you're reading this and thinking 💭 "I still don't really know what DevOps is", well, you might want to take a short course courtesy of freeCodeCamp below... or you may have arrived at the wrong page. At this point, why are you still here?

DevOps an introductory guide

For the definitive summary guide on security for developers, you need to watch Nanne Baars — Security for Developers. Much of it is still very relevant despite being recorded in 2018. He is one of the founders and lead developers of the open source project WebGoat, a deliberately insecure application built for learning web application security. Once you've watched his presentation you can check out WebGoat.

Many of the examples he gives are things that every team should consider as part of their SDLC, and they really are security best practices.

WebGoat 🕸 🐐

Basics of Web Application Security

The solution architecture guru for basically anything is Martin Fowler. This piece on his site was written some years ago but is still very relevant. I suggest reading through it 📖, and indeed keeping up with Martin Fowler's blog in general, which is endlessly useful.

Cryptographic beginnings and furthermore

Security is one of the biggest concerns of business leaders right now. Cybercrime has exploded since the beginning of the coronavirus pandemic.

The startups that have sprung up in this space are all too often vapourware. For every bona fide innovative solution there is a lot of hype and little real protection against increasingly sophisticated criminals.

Security is also a complex area to learn and work in. You have to be interested in solving problems that you first have to go out and find, and it takes a particular mindset to be motivated in that way. It also takes years to train and is highly specialised. That is what is driving up salaries, but for someone who is interested and motivated it really can be a fascinating career path with a good, comfortable income. The skills shortage won't go away any time soon; it may well get worse rather than better.

Regardless of your interest level, even basic knowledge of this will not only make you a more valuable team member, but may also save someone's business, reputation and a lot of sleepless nights.

Feeling secure now?


Written by Gemma

CTO & Business Developer, programmer, solution architect, runner, swimmer, a culture and tech nerd. Busy building new solutions in emerging technologies.
