There’s been a lot in the news in January about a Saudi hacker publishing Israeli credit card numbers, and then an Israeli hacker retaliating in kind. The only thing to be said about this is that it is good for Israel. The whole thing. Especially the publicity it received in the media here. It simply means that we will be getting better.
Why? Because now we can actually improve the commercial sites – these are the ones that are probably the most neglected of all.
In a recent McAfee report on the perceived security of countries, Israel received the top score, along with Finland and Sweden. This is probably due to the number of attacks launched against Israeli sites. I can tell you that security is no fun at all – there’s a lot to be done there and not a lot of people who actually know how to do it. During 2011, I had the opportunity to go through a security analysis of a service we had developed. Although security had been taken into account, a few dozen issues were still raised and had to be dealt with.
I think there isn’t enough knowledge in that area.
I’d like to offer my small contribution.
Learn more about security. No need to be an expert, but I think that the range of security-related topics you’ll need to know is growing rapidly.
So how can you beef up your knowledge in this area?
1. Take the basic course on security at the university
My own base of knowledge about security comes from a university course I took in my second year – that was well over a decade ago. It skimmed through the basics of encryption, hashing, keys and such. From there it went on to algorithms: how you combine the basic building blocks of security into a process or a procedure. It ended with an important lesson:
While the algorithms and their math are probably solid, when you start putting them into a system things break down dangerously. You can’t be too careful in how you put security mechanisms to use.
2. Read Troy Hunt
Today? The best resource I’ve found is Troy Hunt’s blog. He covers a lot of ground in that area, in a way that is easy and simple for developers to digest. He also does it so well that it is simply enjoyable to read.
If you decide not to follow his blog, at least make sure you read his ebook called OWASP Top 10 for .NET developers – you don’t even need to be a .NET developer to read it or use its best practices. It’s a gem.
3. Use a Framework
Developing a website? Don’t do it from scratch on your own. Use a widely used and supported framework for it. It can be WordPress, Django – whatever. Just make sure it is a framework that takes security seriously. This will probably solve a lot of the open issues you see out there.
If you are developing a site, or maintaining one for your business, I suggest you do the following. Especially if you are going to have your users’ information stored in it (ecommerce sites come to mind).
1. Don’t get a Proprietary Site
When you outsource your site’s development, do it to a company that knows a thing or two about security. Make sure they are not investing time and effort in building stuff from scratch, or even in proprietary frameworks they have developed in the past: go for those that use ready-made frameworks that take care of security inherently.
Doing this at least ensures that more people who deal with security are using the same framework and getting its security issues fixed. Going proprietary means you will be reliant on the people who developed it to fix security risks in the future as well.
2. Don’t Ever Store Passwords in the Clear
Not even as plain hashes. Leave it to the experts (the relevant modern frameworks) to store them.
I can’t stress this point enough. Do it even if you don’t hold any important information in the site – people often use the same password for a lot of sites, so getting it from one site can give access to others.
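The two points above come together here: a hash function whose math is solid (SHA-256) still gives you a broken system if you store passwords as one bare hash of the password, while a slow, salted construction on top of the same primitive does not. This is an added example written for this post, not the author’s code and not a framework’s internals; in a real site you would call your framework’s own password hasher (the author’s advice), but this shows what that machinery is doing for you. The user list is constructed sample data, the names `naive_hash`, `hash_password`, `verify_password` and the stored-record layout are assumptions of the example, and the iteration count is an assumption you would tune to your hardware.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password,
# which is exactly the "same password on many sites" situation.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Assumed default; tune so one hash takes a noticeable fraction of a second.
ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """The anti-pattern: one unsalted, fast SHA-256 of the password.

    The primitive is fine; the integration is not. Equal passwords give
    equal hashes, and a precomputed table of common passwords reverses it
    in one lookup.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record layout (assumed by this example): algo$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(dk.hex(), dk_hex)


def naive_records() -> dict:
    """What a leaked table looks like with the anti-pattern: duplicates visible."""
    return {user: naive_hash(pw) for user, pw in USERS.items()}


def hardened_records(iterations: int = ITERATIONS) -> dict:
    """Same users, each with a distinct salt, so equal passwords are not visible."""
    return {user: hash_password(pw, iterations) for user, pw in USERS.items()}


if __name__ == "__main__":
    weak = naive_records()
    print("naive: alice == bob ->", weak["alice"] == weak["bob"])  # True, leaks the reuse
    strong = hardened_records()
    print("hardened: alice == bob ->", strong["alice"] == strong["bob"])  # False
    print("verify ok ->", verify_password("correct horse", strong["alice"]))
    print("verify bad ->", verify_password("wrong", strong["alice"]))
```

Two things to notice when you run it: with the naive scheme the stored table itself tells an attacker that alice and bob share a password, and a dictionary of common passwords hashed once reverses every row at no cost; with the salted, iterated scheme every row is unique and each guess costs the full iteration count per user. The record format carries the iteration count so it can be raised later without breaking existing accounts.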
3. Don’t Ever Ever Ever Store Credit Card Numbers
Not in the clear. Not encrypted. Never.
Amazon or PayPal can do it, but not you. It is too much of a risk.
The way to do it today is by using third-party payment gateways such as Tranzilla or PayPal. For a fee, they will take on the hassle of doing the transaction in a secure manner, without your site ever having to deal with the credit card numbers at all.
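Even when the gateway handles the transaction, card numbers still leak into sites by accident: a customer pastes one into a "notes" field, a support form, or it ends up in a request log. A cheap guard is to refuse to persist, and to mask in logs, anything that looks like a card number, using the Luhn check that real card numbers satisfy. This is an added example written for this post, not the author’s code and not any gateway’s SDK; the function names `luhn_valid`, `find_pans`, `mask_pans` and `persist_order` are assumptions of the example, the order record is constructed sample data, and `4111111111111111` is the well-known Visa test number, not a real card.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return normalised card-number-looking values found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace all but the last four digits of each PAN, e.g. before logging."""
    def repl(m):
        digits = _digits_only(m.group())
        if not luhn_valid(digits):
            return m.group()  # leave non-card digit runs (order ids etc.) alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(repl, text)


def persist_order(record: dict) -> dict:
    """Gate in front of the database: refuse any record carrying a card number.

    The site should only ever hold the gateway's own transaction reference.
    """
    for field, value in record.items():
        if isinstance(value, str) and find_pans(value):
            raise ValueError(f"refusing to store a card number in field {field!r}")
    return record


if __name__ == "__main__":
    # Constructed sample order; the transaction id is a made-up placeholder.
    clean = {"order_id": "1234", "gateway_txn": "TXN-PLACEHOLDER-01", "notes": "leave at door"}
    print(persist_order(clean))
    leaky = dict(clean, notes="my card is 4111 1111 1111 1111, charge it")
    print(mask_pans(leaky["notes"]))
    try:
        persist_order(leaky)
    except ValueError as err:
        print("blocked:", err)
```

The Luhn check is a filter, not proof: roughly one in ten random digit runs of card length passes it, so treat a hit as "do not store, go and look" rather than as certainty, and keep the masking on the logging path so a false positive costs nothing.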
4. Always Upgrade
Always make sure you upgrade the site to the latest version of the framework. This blog uses WordPress. I use the latest version and upgrade about a week or two after a new one is released. And this site doesn’t even have critical information in it.
If you are running a real gig – treat it that way.
5. Bring a Real Expert
Bring in a security expert who can review the site: its architecture, and the way it is handled and used.
If it is important enough – let them do some real vulnerability testing on the site. It will cost you, but it is worth it.
I know a few guys who do that – contact me if you need such a service or are thinking about how to tackle these issues.
If I missed anything – feel free to add.