- 1. Code Linting & SAST
- 2. Running a security audit with npm audit
- 3. Subresource Integrity (SRI) for third-party scripts
- 4. Validations, Validations, Validations!
In this article I will share some of the tips I use every day as a security engineer, so that you start thinking about security before your code reaches production.
Real-time feedback from a linter inside your IDE speeds up development and reduces cost: errors and security issues are caught while you are still writing the code, not after it has been deployed.
A linter catches style problems and common bug patterns as you type. Most SAST tools, such as SonarQube, go further and flag code smells and known security vulnerability patterns (for example user input flowing into a query or a shell command without validation).
When it comes to dependencies, the first tool to reach for is npm audit. It checks every installed package against the registry's advisory database, reports the known vulnerabilities, and tells you where a fix (usually an upgrade) is available.
If you use GitHub as your source control system, Dependabot does the same job continuously: it scans your npm dependencies, opens pull requests for the updates that fix an advisory, and notifies you by email about the risk each one carries.
On a big project you should automate this instead of running it by hand: schedule a recurring job in whatever CI tool you prefer (a cron trigger on the pipeline), and make the job fail when the audit reports a vulnerability above the severity you are willing to tolerate.
If you are a developer you have surely used the <script> tag to import third-party libraries, but did you ever consider that the source code of those imported scripts could be manipulated?
Yes, it can happen, especially when you load resources from an external host such as a CDN: if the file served to your users is changed (a compromised CDN, a tampered build, a malicious redirect), that code runs with full access to your page, and your website suffers a breach.
Subresource Integrity (SRI) lets the browser verify the resources it fetches: you put a cryptographic hash of the expected file in the integrity attribute, and the browser refuses to execute the resource if the bytes it downloaded hash to something else. For example:
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
Let's say we'd like to add jQuery to our page:
- Fetch the minified jQuery 3.5.1 file exactly as Cloudflare's CDN serves it (the hash must be computed over the very bytes the browser will receive, so do not hash a local copy that may differ).
- Compute its SHA-256 digest with openssl dgst, in binary form.
- Base64-encode that digest with openssl enc (two passes through OpenSSL in total).
curl -s https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
Output: 9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=
Now that we have the hash, add the integrity attribute to the script tag, prefixing the hash with sha256- to name the algorithm (sha256, sha384 and sha512 are the accepted ones). From then on, any browser that supports SRI computes the hash of the downloaded file and refuses to execute it unless the two match. Note the crossorigin="anonymous" attribute: for a cross-origin resource it is required, and the CDN must answer with CORS headers, because the browser can only verify bytes it is allowed to read. Two caveats: browsers without SRI support simply ignore the attribute and run the script unchecked, and the hash is tied to one exact file, so every library upgrade needs a freshly computed hash.
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
Client-side validation improves the user experience, but it is not a security control: anything running in the browser can be bypassed with a proxy or a hand-crafted request, so the server must validate every input again and never rely on what the client already checked. In practice:
- Don't trust user input, whatever its origin (form fields, headers, cookies, URL parameters, uploaded files).
- Encode or escape output for the context it lands in (HTML body, HTML attribute, JavaScript, URL, SQL).
- Validate input against an allow-list (expected type, length and format) and reject what does not match, rather than trying to strip out bad characters.
- Set cookies with the Secure, HttpOnly and SameSite attributes.
- Ship a strict Content Security Policy.
- Use TLS for all traffic between client and server.
- Keep libraries and frameworks up to date.
- Scan your databases and code bases regularly.
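As an added example (not code from the original article), here is what that list looks like on the server side of a sign-up form in Node.js: an allow-list validator that ignores fields the client was never offered, HTML output encoding applied at render time, and the cookie and Content-Security-Policy headers with the attributes above. The field names, limits and the two constructed requests are this example's own choices.

```javascript
// Added example, not code from the original article: server-side validation,
// output encoding and security headers for a sign-up form. Field names,
// limits and the sample requests are constructed for the example.

// Allow-list rules: expected type, maximum length and a strict format per field.
const RULES = {
  username: { maxLen: 32, pattern: /^[a-z0-9_]{3,32}$/ },
  email:    { maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { min: 13, max: 120 },
};

// Returns { ok, value, errors }. Only fields that pass are copied into `value`,
// so unknown fields (mass-assignment attempts such as isAdmin) never reach the
// data layer, whatever the browser-side form allowed.
function validateSignup(input) {
  const errors = [];
  const value = {};
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return { ok: false, value, errors: ['body must be a JSON object'] };
  }
  const { username, email, age } = input;

  if (typeof username !== 'string' || username.length > RULES.username.maxLen ||
      !RULES.username.pattern.test(username)) {
    errors.push('username: 3-32 lowercase letters, digits or underscores');
  } else {
    value.username = username;
  }

  if (typeof email !== 'string' || email.length > RULES.email.maxLen ||
      !RULES.email.pattern.test(email)) {
    errors.push('email: invalid format');
  } else {
    value.email = email.toLowerCase();
  }

  // Form values arrive as strings; coerce explicitly and only from string or
  // number, so arrays, booleans and null can never sneak through Number().
  let n = NaN;
  if (typeof age === 'number') n = age;
  else if (typeof age === 'string' && age.trim() !== '') n = Number(age);
  if (!Number.isInteger(n) || n < RULES.age.min || n > RULES.age.max) {
    errors.push(`age: integer between ${RULES.age.min} and ${RULES.age.max}`);
  } else {
    value.age = n;
  }

  return { ok: errors.length === 0, value, errors };
}

// Output encoding for the HTML text and attribute context. Apply it where the
// value is rendered, not where it is stored, so the same data can be emitted
// safely into other contexts (JSON, logs) with their own encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A session cookie the browser sends only over TLS, that page scripts cannot
// read, and that is not attached to cross-site requests; plus a CSP that only
// allows scripts from our own origin and HSTS to keep the connection on TLS.
function securityHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Constructed requests: one honest, one carrying a stored-XSS payload, a bad
// email, an under-age value and a field the client form never offered.
const GOOD_REQUEST = { username: 'alice_01', email: 'Alice@Example.com', age: '34' };
const BAD_REQUEST = { username: '<script>alert(1)</script>', email: 'not-an-email', age: 7, isAdmin: true };

// Request handler shape: returns status, headers and an HTML body. The error
// messages describe the rule, they never echo the rejected input back.
function handleSignup(body) {
  const result = validateSignup(body);
  if (!result.ok) {
    const items = result.errors.map((e) => `<li>${escapeHtml(e)}</li>`).join('');
    return { status: 400, headers: {}, body: `<ul>${items}</ul>` };
  }
  // The session id would come from a CSPRNG in a real handler.
  return {
    status: 201,
    headers: securityHeaders('opaque-random-id'),
    body: `<p>Welcome, ${escapeHtml(result.value.username)}</p>`,
  };
}

module.exports = { validateSignup, escapeHtml, securityHeaders, handleSignup, GOOD_REQUEST, BAD_REQUEST };
```

The two design choices worth copying are that validation builds a new object instead of cleaning the incoming one (so unexpected keys disappear rather than having to be enumerated) and that encoding happens at the output boundary, which is the only place where the target context is known.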
As an attacker, I would first try to understand the business logic behind the application; once I do, I can usually find a way through, even when every individual input is well formed. Validating fields is necessary, but it does not replace thinking about how the features can be abused together.
Great job if you followed this far!
You may also want to read about:
- Configuration Management.
- Session Management.
- Secure Transmission.
- Denial of Service.
- Error Handling.
You can reach me on LinkedIn if you have questions: Bour Abdelhadi.