Security for Developers

Here’s the slides from my Technical Brownbag today at Gangplank.

Thanks for having me, guys! Please comment on your thoughts or anything you have to add.

Edit: One of the biggest security holes is the HTTPS issue. Please please PLEASE install and use an SSL cert on every webserver you run. WordPress, webmail, and anything else you run on your server is woefully insecure without HTTPS.

Also: Make separate database users for each app, and make their passwords at least 10 random characters. No sharing of users or passwords!

Security for Developers presentation slides (PDF)

Here’s the raw text of the slides:

Security for Developers
in which code monkeys become l33t code monkeys

ENCRYPT DEM PASSWORDS
Every time you store a password in plaintext, a baby cries.
True Fact.
Use one-way encryption (hashes) to store passwords that you don’t need to know.
Can’t be un-hashed
To authenticate, encrypt and compare.
MD5("123456") = e10adc3949ba59abbe56e057f20f883e
if (e10adc… == e10adc…) then authenticate!
Use newest hash available.
MD5 😦       SHA1 :/      SHA2  🙂

Every time you store a password in plaintext, a baby cries.
True Fact.
Use one-way encryption (hashes) to store passwords that you don’t need to know.
Can’t be un-hashed without a cracking program
To auth the user, encrypt what they type and compare to the encrypted value in the DB.
MD5("123456") = e10adc3949ba59abbe56e057f20f883e
if (e10adc… == e10adc…) then authenticate!
Use the newest, strongest hash algorithm available.
MD5 bad,   SHA1 meh,   SHA2 good.
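An added example (not from the slides) of the hash-and-compare flow above in Python. It reproduces the slide's MD5("123456") value, then stores the password as a salted, iterated SHA-256 (PBKDF2) and checks it with a constant-time compare; the per-user salt and the ITERATIONS count are additions beyond the slide's bare hash, and the iteration value is an assumption for the demo.

```python
import hashlib
import hmac
import os

# The slide's example value: an unsalted, fast MD5 of a common password.
MD5_OF_123456 = "e10adc3949ba59abbe56e057f20f883e"

# Assumption: demo iteration count; raise it until one hash costs a
# noticeable fraction of a second on your own server.
ITERATIONS = 100_000


def md5_hex(password):
    """Plain MD5 as on the slide: the same input always gives the same
    digest, so one lookup table covers every user who chose '123456'."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Store the password as salt$iterations$hex(PBKDF2-HMAC-SHA256).
    A fresh random salt per user means equal passwords get different
    stored values, and the iteration count slows offline cracking."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_password(stored, candidate):
    """Authenticate as the slide says: hash what the user typed with the
    stored salt and compare it to the stored digest in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate_digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("123456")
    print(md5_hex("123456") == MD5_OF_123456, verify_password(record, "123456"))
```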

WHERE U SAVIN DEM CONFIG PASSWORDS?
No passwords in source code!
Unless in a dedicated file
Plaintext in wwwroot = 😦
Source gets shared, security leaks
Try ENV vars or files outside of source dir
If they’re in your server, you’re screwed anyway
Learn up on LINUX security (chmod, chroot, ps)

Don’t be putting passwords in source code!
Unless it’s a dedicated file like environment.rb
Plaintext in your wwwroot can be accessed remotely if your script engine doesn’t parse it (PHP dies, FTP, etc)
Source sharing = security leaks (github, internal dev)
Consider environment variables or config files outside of source directory
If they’re in your server outside of wwwroot, you’re screwed anyway
Learn up on LINUX security (chmod, chroot)
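An added example (not from the slides) of the "ENV vars or files outside of source dir" advice in Python: the password is taken from an environment variable, or else from a file outside wwwroot that the code refuses to use unless its permissions are owner-only. The variable name DB_PASSWORD and the path /etc/myapp/db_password are placeholders assumed for the demo.

```python
import os
import stat
import tempfile

# Assumed names for this demo: both are placeholders, not real config.
ENV_VAR = "DB_PASSWORD"
SECRET_FILE = "/etc/myapp/db_password"   # outside the source tree and wwwroot


def read_secret_file(path):
    """Read a secret from a file kept outside wwwroot, refusing any file that
    group or others can read (the chmod 600 the slide's LINUX advice implies)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others; chmod 600 it")
    with open(path) as fh:
        return fh.read().strip()


def load_db_password(env=None, path=SECRET_FILE):
    """Prefer the environment variable; fall back to the protected file.
    Either way, nothing lives in the source repository."""
    env = os.environ if env is None else env
    value = env.get(ENV_VAR)
    if value:
        return value
    return read_secret_file(path)


def demo():
    """Self-contained check using a temporary file with constructed content."""
    results = {}
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("s3cr3t-demo-value\n")
    try:
        os.chmod(fh.name, 0o600)
        results["file_600"] = load_db_password(env={}, path=fh.name)
        os.chmod(fh.name, 0o644)            # world-readable: must be rejected
        try:
            load_db_password(env={}, path=fh.name)
            results["file_644"] = "accepted"
        except PermissionError:
            results["file_644"] = "rejected"
        results["env"] = load_db_password(env={ENV_VAR: "from-env"}, path=fh.name)
    finally:
        os.unlink(fh.name)
    return results
```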

HOLY CRAP SSL
Sensitive info without HTTPS?     :'((((((
301 redirect people to https:// right away, why not
Transmitting via FTP, HTTP, SMTP?      😦
Use SSH, HTTPS, SMTP-TLS instead.
Thanks for your passwords, users of a noob webservice!

Can users view/submit sensitive info without HTTPS?
Hell just redirect people to https:// right away, why not
Are you transmitting any data via FTP, HTTP, SMTP?
HOLY CRAP INSECURE!
Use SSH, HTTPS, and SMTP-TLS instead.
Thanks for your passwords, users of a noob webservice!
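An added example (not from the slides) of the "301 redirect people to https:// right away" advice as a small WSGI middleware in Python. It rebuilds the requested URL under https://, drops an explicit :80 from the host, and only trusts X-Forwarded-Proto when told it is behind a proxy, since a client can send that header itself; the trust_proxy flag is an assumption of this demo.

```python
from urllib.parse import quote


def https_location(environ, trust_proxy=False):
    """Return the https:// URL to redirect to, or None if the request is
    already HTTPS. X-Forwarded-Proto is honoured only when trust_proxy is
    set, because without a proxy stripping it a client can forge it."""
    scheme = environ.get("wsgi.url_scheme", "http")
    if trust_proxy and "HTTP_X_FORWARDED_PROTO" in environ:
        scheme = environ["HTTP_X_FORWARDED_PROTO"]
    if scheme == "https":
        return None
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):           # the plain-HTTP port makes no sense on https
        host = host[:-3]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app, trust_proxy=False):
    """WSGI middleware: answer any plain-HTTP request with a 301 to the same
    URL over HTTPS, so login forms and session cookies never travel in clear."""
    def wrapped(environ, start_response):
        target = https_location(environ, trust_proxy)
        if target is None:
            return app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapped
```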

INJECTION?!?
Text parsing is The Devil.
Type "WHERE user="+input.user+" AND password="+input.pass
— YOU WILL EXPLODE —
My username is  %1%';DROP TABLE users --
PRAY MORE
HTML INJECTION??!?!
Also pray nobody posts something like:
Hey everyone! <iframe src="http://sexyvirus.com" /> Cool huh??
Aw man, JavaScript injection?
Enjoy your:
That’s what she <script src="http://virus.com/dead.js" /> said.
FILTER DAT SHIZNIT!
Use purpose-built framework functions for fewer gray hairs.

Text parsing is The Devil.
If you write "user="+input.user+" AND password="+input.pass
Pray that no one makes their username %1%';DROP TABLE users --
USE FRAMEWORK FUNCTIONS
HTML INJECTION??!?!
Also pray nobody posts something like:
Hey everyone! <iframe src="http://sexyvirus.com" /> Cool huh??
Aw man, JavaScript injection?
Enjoy your:
That’s what she <script src="http://virus.com/dead.js" /> said.
FILTER IT OUT!
Use a purpose-built framework for fewer gray hairs.
mysql_escape_string, fstring, etc
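An added example (not from the slides) showing both injection cases above in Python against an in-memory SQLite database: the slide's concatenated WHERE clause, fed the slide's own username, next to a placeholder query that treats the same input as plain text, plus HTML escaping of the slide's iframe post. The table contents and the payload strings are constructed from the slide text.

```python
import html
import sqlite3

# Constructed inputs, taken from the slide text (the domains are not real sites).
SQLI_USERNAME = "%1%';DROP TABLE users --"
HTML_POST = 'Hey everyone! <iframe src="http://sexyvirus.com" /> Cool huh??'


def fresh_db():
    """In-memory users table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_concat(db, user, password):
    """The slide's bug: the query is glued together from user input, so the
    input is parsed as SQL. executescript() runs every statement it finds,
    as a driver that allows stacked queries would."""
    sql = ("SELECT user FROM users WHERE user='" + user +
           "' AND password='" + password + "'")
    db.executescript(sql)
    return sql


def login_param(db, user, password):
    """Framework-style placeholder query: the values travel separately from
    the SQL text, so the same input is just a string that matches no row."""
    row = db.execute("SELECT user FROM users WHERE user=? AND password=?",
                     (user, password)).fetchone()
    return row[0] if row else None


def table_exists(db, name):
    return db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                      (name,)).fetchone() is not None


def render_post(text):
    """Escape user text before it goes into a page: <iframe> and <script>
    become visible text instead of markup the browser executes."""
    return html.escape(text, quote=True)
```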

FIREWALLS & UPDATES
Open IP ports are open orifices. Keep your orifices hidden!
Hackers are scanning 24/7
Shut down any ports you don’t need
Keep your orifices clean! Update your software.
Can be attacked within days of a discovery

Open IP ports are open orifices. Keep your orifices hidden!
Hackers are scanning 24/7
Shut down any ports you don’t need
Learn netstat, iptables
Keep your orifices free of infection! Update your software.
Exploited software can be attacked within days of a vulnerability being discovered
Learn yum update, apt-get update
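An added example (not from the slides) of the "learn netstat, shut down ports you don't need" check in Python: it parses `netstat -tuln` output and lists every listener bound to a non-loopback address that is not on an allow list. The sample output and the allowed-port set are constructed for the demo.

```python
# Constructed sample of `netstat -tuln` output (not captured from any real host).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# Assumption: the ports this box is meant to serve (SSH and the web app).
ALLOWED_PORTS = {22, 80}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Return (proto, address, port) for every listening socket. TCP lines
    carry a LISTEN state column; UDP lines have no state and are always
    bound, so both count as listeners."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        if fields[0].startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        addr, port = fields[3].rsplit(":", 1)   # ':::80' splits into '::' and '80'
        listeners.append((fields[0], addr, int(port)))
    return listeners


def exposed_ports(listeners, allowed=ALLOWED_PORTS):
    """Listeners reachable from the network (not loopback-only) that are not
    on the allow list: candidates to stop or to block with iptables."""
    return [(proto, addr, port) for proto, addr, port in listeners
            if addr not in LOOPBACK and port not in allowed]
```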

THANKS
Slides @
willbradley.name

7 thoughts on “Security for Developers”

  1. Thanks Ryan! bcrypt is definitely useful for storing database dumps securely. Blowfish is a symmetric cipher, which means that the original data can be recovered. For passwords, however, you will want an asymmetric hash like SHA2 – the original password can't be recovered, only compared. Changing SSH to a port other than 22, and disabling root logins via SSH, is good advice, but don't let that fool you into relaxing your security elsewhere. Basically it just weeds out portscanning bots – anyone who's run a blog knows that bots are 90% of the problem but the remaining 10% is still a big concern when you're talking about a dozen attempts per second.
