Why do some car drivers go for decades without an accident, and others seem to be involved in mishaps more frequently? Typically, it’s a matter of good driving habits. Lane checking, signalling, and awareness of space are how millions of potential collisions are avoided daily, from simple roads to complex and stressful highway driving. Good driver’s don’t complain that these habits take away from the driving experience. It’s a natural part of it.
Everyone building a commercial website is under pressure to get their product finalized on time and on budget. Modern web sites are often built with an underlying software framework which enables high levels of productivity because developers no longer have to re-invent the wheel every time they want to perform common tasks. Modern web sites are also increasingly taking advantage of the cloud, especially for storage.
Are there good habits to help web developers build their web sites more securely? We could consider the entire ‘OWASP Top 10 ‘Most Critical Web Application Security Risks’, but for now let’s just consider some lessons learned from two recent website breaches.
Equifax – Lessons to be learned on usage of web frameworks
Equifax announced on September 7 that they suffered a breach involving customer information, due to a web site vulnerability. Regardless of the details of the breach, we need to step back and consider good habits related to web development frameworks in general. Developers will always rely on the framework to provide the functionality advertised on the tin. Developers should not rely on the framework to provide perfect security. What does this mean as an operational habit? We all know that patching web technologies is critical, but security conscious developers should know that patching a web framework may not be as simple as running an update.
The patch for the vulnerability fundamentally changes the way that inbound data is treated. That means web site code may need to change. Code changes are costly, especially in terms of time to patch. Inputs from the public web need to be evaluated carefully, and treated as always hostile and ‘guilty till proven innocent’. The input could be carefully crafted to exfiltrate data or cause denial of service. To make your code less fragile to inbound data handling changes, take inventory of what you are handling. Your web site probably handles a finite set of class and data types, so it is best to white list those types and reject the rest. Don’t be tempted to keep a long and growing black list of rejected types. When that handling takes place within the ‘black box’ of the framework, it is best to utilize protocols that enable integrity checks and also authentication and encryption to minimize public exposure.
What are the good habits to be learned when using web development frameworks, even before patching?
- Treat all inbound traffic as hostile
- Evaluate data and class types with white listing
- Seek tools that enable authentication, encryption to minimize public exposure and use integrity checking
RNC Voting List / Verizon – Amazon AWS S3 Configuration
In July 2017, it was reported by Upguard that data related to over 198 Million US voters was breached. Additionally in July, 6 million Verizon customer PIN codes were breached.These breaches and a string of others were caused by a misconfiguration in security settings related to cloud storage. The breached data was configured to be publicly available and was therefore accessible to anyone who had an Amazon AWS account (available for free) and the knowledge to browse a specific site. This is the opposite of all of the ‘highly sophisticated, zero day’ attacks that we hear about.
Locking doors is a good habit that most people have. Web developers and operations staff need to have the same habit to ‘lock the doors’ of their infrastructure. Some lessons learned are:
- Take inventory of security configuration settings. Understand them. Use configuration change management best practices and tools
- Treat your developer and administrator credentials as a target. That means using strong multifactor authentication for administrating cloud configurations. Not all multifactor authentication is created equal, so choose carefully.
The complexity and pressures associated with modern web development are a cause for mistakes and oversights. Thankfully, a lot of these mistakes can be avoided by good habits which don’t cost a lot of time or money. Treat public facing web properties with the same discipline that a car driver uses to avoid being side swiped. If you are developing or administrating a web site that handles sensitive data, think of yourself more as an airline pilot and co-pilot who don’t just rely on remembering habits, but actively utilizes check lists and repetition to avoid human error. Mistakes of the kind we have seen recently can be avoided.