Thursday, July 15, 2010
hosting.jpgHosting and Web Apps
The Obscurity of Security

Quintin from SiteHost and Mike from Web Drive cover horror stories they've uncovered in website code when they've been rung up to fix something.


Security used to be the domain of systems admins and hosters, but developers have added more fancy features.

Website owners and developer blame their hosters when their sites are defaced.

What if security isn't part of the spec?

Make it part of the spec.

(Shift jobs if management won't let you make it part of the spec.)

Security starts early: Planning and design phase

- Research, talk to security people
- Get your team some security experience
- Reduce the attack surface
- Keep it simple: Don't build a CMS for a 5 page site
- Don't have an admin area, or use defense in depth to protect it

Not all apps are equal:

- Sometimes buying is better than building
- Everything has security holes
- Pick something good
 - How does vendor approach security?
 - Check the apps security history:
   - If there are no holes, beware. If there are silly problems, beware.

RTFM:

- Read the OWASP top 10
- Read the OWASP books
- Read the install documentation and follow the "After installation" docs.
- e.g. Think about what you do when you unserialise stuff; don't trust untrusted user data

Development:

- Attack surface reduction
- Validate all your input
- Use source control, and know how it works.
- Watch out for rolling .svn, .git, .cvs directories: might show directory lists, source code, usernames
- svn checkout is an invalid installation method
- Look at all the files that are there! Especially free / open source apps you download

Data management:

- If you don't need it, don't store it
- If you need to keep it, how do you need to access it?
- Hash (with a salt), don't encrypt
- Keep production and development seperate
- Keep tabs on your data - size, growth rates, is data used by the code? Get rid of it.

Password strategy:

- Don't reuse credentials
- Weak usernames and passwords for db - common to see dbname = username = password
- Watch out for old staff members and old passwords

Filesystem security:

- Watch out for apps that use /tmp and friends, or require special directory permissions
- Learn how to chmod correctly. x is good enough for directory traversal.
- Watch out for log files in web root
- Beware test files eg phpinfo
- Don't leave old crap on your filesystem: Session files, template caches, zip files

Deployment:

- Automate as much as possible
- Don't blindly follow installation instructions
  - Read them when you select the software, and understand what it's doing
- Don't use hosting control panels if you don't need them - they have high level access to the underlying system, and greatly increase your attack surface
- Use SSL for the content not just for the login pages
- Keep your websites separate - different trust level = different credentials

Backups:

- Keep your own backups - don't trust the providers ones. They protect from a catastrophic failure, and you could lose 12-24 hours of data
- Test them before you need to use them

Clouds:

- Don't ever use remote includes - including some third party code in your app!
- Minimise remote resource usage:
  - How does your site react if the remote resource is gone?
  - Take your own copy of AJAX libraries
- Do you need third party analytics for everything?
- Outsourcing data storage: What data are you uploading? Where is it hosted? Is it safe? Who has access to it? How are backups stored, and how long are they retained?

Software lifecycle management:

- Have a process for decommissioning, make sure you delete data and files that aren't used
- Make sure software is up to date
- Who monitors upstream releases? How quickly do you make patches? Who makes the call?

Monitoring:

- Monitor changes to your website content and uptime
- Check external access. Has your whitelist stopped working?
- DNS: Remember that DNS is an external dependancy. Has your domain been hijacked?

Politics:

- Make security a part of job description - managers and developers need to make security a priority and make it part of KPIs
- Get buy-in from non-technical staff

Talk to your hosting providers:

Talk to their security guys well in advance. Make sure your specific requirements are getting through to the technician who is doing the work (don't trust the salesperson).

Remember: It's your job to make sure it's working

Questions:

Including KPIs is a good thing, but you need to give developers the time to learn.

Comments are closed.