
Protecting The First Website, Part 1: Common Threats

hoangbkit ・ Originally published at hoangbkit.com ・ 2 min read

Taking security seriously from the beginning is underrated by newbie web developers. This responsibility often belongs to the DevOps developer in the team. If you're the solo web developer running serious web apps, then you MUST take on the responsibility to protect your users' data by applying best practices against the following common web security vulnerabilities.


Protecting The First Website is an original series where I explain what I've learnt to protect my first serious website from attackers.

  • Protecting The First Website, Part 1: Common Threats (this post)
  • Protecting The First Website, Part 2: Cross Site Scripting (upcoming)
  • Protecting The First Website, Part 3: SQL Injection (upcoming)
  • Protecting The First Website, Part 4: Server Side Request Forgery (upcoming)
  • Protecting The First Website, Part 5: Sensitive Data Exposure (upcoming)

It's important to protect the following data types: Name, Address, Date of Birth, Email, User Name, Password, Social Security Number, Credit Card or Debit Card Number, Medical Information, Financial Information, Account Information, Phone Numbers, Intellectual Property, etc.

Security is an ongoing, ever-changing practice that you must keep up to ensure your project is never among the companies one hears about on the news after a huge data breach. Regardless of which programming paradigm, language or framework you wish to use, there are plenty of general, concise security practices you should follow from the very start of the project.

Common threats

In order to build a secure application, from a pragmatic point of view, it is important to identify the attacks which the application must defend against, according to its business and technical context:

- Server Security Misconfiguration
- Server-Side Injection
- Broken Authentication and Session Management
- Sensitive Data Exposure
- Broken Cryptography
- Broken Access Control
- Insecure OS/Firmware
- Insecure Data Storage
- Cross Site Scripting
- Cross Site Request Forgery
- Unvalidated Redirects and Forwards
- Insufficient Security Configurability
- Using Components with Known Vulnerabilities
- Automotive Security Misconfiguration
- Denial-of-Service (DoS)

High risk areas

Identify the high-risk areas: focus on remote entry points – interfaces with outside systems and with the Internet – and especially on places where the system allows anonymous, public access.

- Web forms, public facing code
- Files from outside of the network
- Anything to do with cryptography
- Authentication, authorization and session management
- Backwards compatible interfaces with other systems

These are often where you are most exposed to attack. Next, understand what compensating controls you already have in place: operational controls such as network firewalls, application firewalls, and intrusion detection or prevention systems that help protect your application.

Proactive controls

Here's the list of security techniques that should be included in every software development project. They are ordered by importance, with the first control being the most important.

- Define Security Requirements
- Leverage Security Frameworks and Libraries
- Secure Database Access
- Encode and Escape Data
- Validate All Inputs
- Implement Digital Identity
- Enforce Access Controls
- Protect Data Everywhere
- Implement Security Logging and Monitoring
- Handle All Errors and Exceptions

Posted on Aug 9 '19 by:


hoangbkit

@hoangbkit

I turn ☕ into {code} using #javascript

Discussion


Thank you for your contribution.

As Mohammed stated, more explanatory text was needed. For example, you listed a lot of stuff, which is not wrong.

I would recommend adding a big-picture explanation text: what we are trying to achieve, how we achieve that, what each listed method solves among the issues seen during that big-picture explanation, etc.

Security is mostly working on a checklist, keeping that checklist always up to date by learning new stuff each day and, of course, by implementing each new thing that you learn in practice.

This is what working on securing/hardening a website usually means. Now, that checklist depends a lot on the kind of application/website you are trying to secure and how safe you want it to be (keeping in mind the fact that there is no such thing as 100% secure).

 

Thanks Mohammad, Arber Braja :) This series is quite complicated, so I just want to keep the first part short and then link to detailed parts later. The idea of this part is just a list of buzzwords about web security.

 

Wish you could include more explanations, but anyway that was good to know. Thanks, Hoang.

 

Not sure if I can paste some github links here, but if you need some explanations about these topics you can check this out - github.com/sindresorhus/awesome#se...

 

Thanks a lot for the link :)