Web App Security - Are you doing it wrong?
Another day, another breach, another few million people who are, at best, probably going to end up on a spam email list and, at worst, going to have their other accounts attacked with the leaked credentials. One day we can hope that governments start appropriately punishing people for negligence in the web application security arena, but don't hold your breath.
So are YOU doing it wrong?
If you are not using a modern popular framework as the foundation for your site, you are PROBABLY doing it wrong. There are hundreds of ways in which a site can be compromised, some subtle and some more obvious. Many of these vulnerabilities are squashed in popular modern frameworks or are at least harder to accidentally introduce. Pay attention to session, authentication and authorisation and make sure you know how the validation and encoding controls work.
If you don't know whether your site is susceptible to SQL (and other) injection attacks, you are DOING IT WRONG. If you do not have a fundamental way of protecting against injection attacks, such as stored procedures or parameterized queries, YOU ARE DOING IT WRONG. Validation can help you, but it is not a strong enough defence on its own, because it is easy to forget validation in a single place, and that one gap can open up your whole site. Remember, it doesn't matter if you have 200 strong locked doors on your house; it only takes one open one to undermine it.
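To make the "one open door" point concrete, here is an added example (not code from the original post) showing the same lookup written two ways against a constructed in-memory SQLite table. The vulnerable version splices the user-supplied string into the SQL text; the parameterized version hands the value to the driver separately, so it can never become SQL syntax. Note that the vulnerable version breaks on a perfectly legitimate name containing an apostrophe, which is often the first symptom of the bug.

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("o'brien", "obrien@example.test"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    # WRONG: the user-controlled string becomes part of the SQL statement.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # RIGHT: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on three constructed inputs and return the results."""
    conn = make_db()
    inputs = {
        "normal": "alice",
        "apostrophe": "o'brien",          # legitimate name, breaks the vulnerable query
        "tautology": "x' OR '1'='1",      # classic textbook payload, returns every row
    }
    results = {}
    for label, value in inputs.items():
        try:
            results["vuln_" + label] = find_user_vulnerable(conn, value)
        except sqlite3.OperationalError as exc:
            results["vuln_" + label] = "error: " + str(exc)
        results["safe_" + label] = find_user_safe(conn, value)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized version is correct for every input: the apostrophe is just data, and the tautology matches no user. That is the property the post is asking for: a single mechanism that holds for every query, rather than per-field validation you might forget once.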
If you are not validating all input from the user YOU ARE DOING IT WRONG. User input is always untrusted. Not only can attackers bypass any client-side validation or assumptions that you make about correct use, they can do a whole load of things you probably haven't heard of. Your own staff and trusted friends can also accidentally do something incorrectly and that can have bad consequences.
If you have to write things like "Sign in securely" on your buttons, YOU ARE DOING IT WRONG. Teach your users about real markers of security, don't try and convince them you are secure just because you say so. It is meaningless and more importantly, it doesn't teach real security. If you must boast, use commercial badges such as Site Seal or "This site was code reviewed by XYZ Inc.".
If your logout button doesn't immediately log people out YOU ARE DOING IT WRONG. Log out means log out, people are used to hitting it and walking away. Don't ask if people are sure or leave them on a "just before we log you out...." page.
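Here is an added example (not from the original post) of what "log out means log out" looks like on the server. Sessions live in a server-side store keyed by an opaque random token; logout deletes the server-side entry at once, so the token is dead even if the browser, or an attacker who copied the cookie, still presents it. The contrast function shows the common mistake of only clearing the cookie on the client. The store class, its method names and the in-memory dictionary are my own assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session store; the browser only ever holds an opaque token."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = {"user": user_id, "expires": self._now() + self._ttl}
        return token

    def user_for(self, token):
        """Return the user bound to a token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[token]
            return None
        return entry["user"]

    def logout(self, token):
        # Destroy the server-side state immediately; no "are you sure?" step.
        return self._sessions.pop(token, None) is not None

    def logout_everywhere(self, user_id):
        """Kill every session for a user, e.g. after a password change."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def logout_response_headers():
    """Headers a logout response should carry in addition to destroying the session."""
    return {
        "Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
        "Cache-Control": "no-store",
    }


def proper_logout_demo():
    store = SessionStore()
    token = store.create("alice")
    before = store.user_for(token)
    store.logout(token)
    after = store.user_for(token)  # the old token no longer resolves
    return before, after


def cookie_only_logout_demo():
    # WRONG: the app only clears the browser cookie and leaves the server entry alone.
    store = SessionStore()
    token = store.create("alice")
    logout_response_headers()          # cookie cleared on the client...
    return store.user_for(token)       # ...but a replayed token still works


if __name__ == "__main__":
    print("proper logout:", proper_logout_demo())
    print("cookie-only logout still resolves to:", cookie_only_logout_demo())
```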
If you allow people to use weak passwords, YOU ARE DOING IT WRONG. You might assume that they are only letting themselves down, but that is both untrue and arrogant. If their password is hacked from your site, an attacker could gain access to your system, he could attack other systems from it, and he can potentially recover passwords from your hashes much more quickly if he knows you allow weak passwords.
If you store passwords in a reversible format or plain text, or if you ever email people passwords, YOU ARE DOING IT WRONG. Sure, sending someone a password seems useful, but email is insecure, and if the system can reverse passwords there is no way to know whether an attacker has accessed that functionality and gained people's passwords, which are almost certainly used elsewhere. Give people a reset mechanism involving their email and/or security questions - the stuff you would check on the phone.
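The two preceding points (weak passwords, and storing or emailing passwords) share one worked example, added here and not part of the original post: a minimal password policy check, a salted slow hash using only the standard library's PBKDF2, and a reset token that is stored hashed so a database leak does not hand out live reset links. The denylist is a constructed stand-in for a real breached-password list, the iteration count is an assumption (pick the highest your servers tolerate), and the `$`-separated storage format is my own convention.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, deliberately tiny denylist; a real deployment checks a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware, never a small number


def password_policy_problems(password, username=""):
    """Return a list of reasons the password is too weak; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password):
    """Salted, iterated hash; there is no way to get the password back from this."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5_collides(password):
    """Why unsalted MD5 is wrong: two users with the same password get the same hash,
    so one cracked hash (or a precomputed table) unlocks every account that shares it."""
    a = hashlib.md5(password.encode()).hexdigest()
    b = hashlib.md5(password.encode()).hexdigest()
    return a == b


def salted_hashes_differ(password):
    """With a per-user salt, identical passwords yield different stored values."""
    return hash_password(password) != hash_password(password)


def issue_reset_token():
    """Return (token to email to the user, hash to store in the database)."""
    token = secrets.token_urlsafe(32)
    stored_hash = hashlib.sha256(token.encode()).hexdigest()
    return token, stored_hash


def reset_token_matches(presented_token, stored_hash):
    digest = hashlib.sha256(presented_token.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    print(password_policy_problems("password", "bob"))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))
    token, stored_hash = issue_reset_token()
    print("email this:", token, "store this:", stored_hash)
```

The reset token is the only thing that ever goes out by email, it should expire quickly, and it is single-use: once consumed, delete its stored hash. The password itself is never recoverable from what is stored, which is exactly the property the post demands.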
If you do not know the openness of your networks, both internally and externally, YOU ARE DOING IT WRONG. An attacker might attack via the web application, but might also send malware into your company. Do you know that the malware would still not be able to access sensitive data, even if it was running with the permissions of a valid corporate user? Think of it as someone sitting at a PC in your company: what can they access? Would you even know? Could you block it easily if it looked suspicious? Can you detect large data transfers?
If you store credit card numbers or CVV numbers, YOU ARE DOING IT WRONG. There are approved ways to do whatever you need to do; please don't think it is OK to side-step those, make up your own rules and assume that your network security is good enough. We have enough proof now that it probably isn't.
If you have to search for security answers on Google, YOU ARE DOING IT WRONG. Most of the web is very hard to verify for correctness, or maybe it was best practice in 1995 but is not any more. Get proper training and proper expertise, and for goodness' sake take it seriously. You would be frightened by how many people still use MD5 for password hashes; this has been frowned upon for over 10 years. Be wary of programming books too, which are often woefully poor on security techniques.
If you are not familiar with the work of OWASP, YOU ARE DOING IT WRONG. OWASP pools all of the best information from the industry; please don't think that you don't need it. If you read it all and realise you know it all, great, but you will probably be surprised by certain attack vectors that you would never have imagined. Free code-review checklists, free testing utilities - what's not to like?
If your management are not on-board with security, YOU ARE DOING IT WRONG. I suggest you find another job because you've already lost!
If you don't have a go-to person for security related questions, YOU ARE DOING IT WRONG. We can't all be experts but someone needs to be - perhaps you have a contractor or consultant to do this, as long as it's someone. Pooling mutual ignorance is the downfall of many a company.
If you don't perform code reviews and penetration testing of your sites, YOU ARE DOING IT WRONG. Yes, they cost a couple of thousand dollars, but they are an awful lot cheaper than damage limitation and probably cost less than one developer's monthly salary.
If you realise that security is a big and complicated topic and you have the humility to seek out expert help, if you continue to learn over time, if you pay attention to causes of breaches in the news, if you get trained in web application security controls and if you follow convention instead of inventing your own "good ideas" then YOU ARE PROBABLY DOING IT RIGHT!