Do you care about web security?

Posted by Filip Ekberg on 21 Sep 2012

I was once put in a project where a lot of the architecture and development was already in place. Immediately when I started working with the project I gave the other team members my thoughts on improvements, some of them regarding testing and some of the regarding security. Last week we focused on the testing, so this week, let us talk a little bit about security.

One of the biggest concerns I had about this project was that usernames and passwords were stored in clear text; this gave me the shivers. I talked to my team members and everyone agreed that this was Very bad. I have no idea why someone would design a login system with username and password where the information is stored in clear text. Or even in a way where passwords where stored in anything else than a hash.

But before I could change this, I had to get a go from the customer to put a couple of hours on changing everything in the system. When doing so, something scary happened. I got this response from our customer:

Don't put any time on security, we're going to get hacked anyways and that means free media.

When you hear something like that, it's obvious the person does not know a lot about IT security or marketing in general. Assuming that the system would get a lot of media slots because of a major leak, the cost to get your reputation up again would be much greater than what it would have been if you just invested in security to start with.

Have you ever experienced something like this as well?

A lot of systems get hacked quite often, but when they do get hacked, it's pretty darn important that customer data is intact and not easily accessible.

Design your system assuming that you will be attacked by hackers. I think this is quite important, don't assume that hackers won't care about you. I would even advise paying a good hacker to test your security to find vulnerabilities.

Revise your web security

Always take time to think about security, do it rather sooner than later. When you do think about security, it can be quite nice to fall back on some best practices or rather a check-list of common things that developers do wrong.

To help us all out with this, there's a project called "The Open Web Application Security Project". This project has a Top 10 list of most common security problems on web sites. Here's the list:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

Follow the OWASP Top 10 list, ensure that your application is tested against each item in the list above. This is at least one step in the right direction.

Security is often a sensitive subject, but I find that most most organizations that don't want to dicuss security don't think that they have a secure enough system; transparency is key.

Is security a key when you develop applications and is your company transparent when it comes to security?

OWASP Top 10 is a good place to start, but it's just the tip of the iceberg. If you have any stories to share regarding security or any tips & trix along the way, feel free to leave a comment!

comments powered by Disqus