Web app security for non-nerds

Quinn Daley
Aug 25, 2017 · 9 min read

Oh hey! It’s been a long time since I posted anything on here! Inspired by a question over on Freelance Heroes, I thought I’d write a post about how to keep your web apps secure when you don’t have nerds on your payroll.

Web apps: it’s almost impossible to run a business now without one. Even if your business just has a basic website, chances are it runs on something like WordPress. If your business is in charge of anything on the web that you or your customers can log into, then this article is for you.

“But no one would want to hack me!”

I’ve heard this a lot — people saying that security for their web apps isn’t important because they don’t have any corporate enemies or they’re just too small-time for any attacker to care about compromising their site.

Unfortunately, that’s not how these things go down. Web security crimes are sometimes targeted, but they’re often opportunistic: a random search for vulnerable sites could easily show you up to an attacker. We tend to think people need a financial motivation to do things like this but sometimes attackers take sites down or leak data just to prove they can do it.

Even if you’re not too worried about the consequences of being hacked, you should still care about security because otherwise you could become part of the problem. Compromised servers can be used to launch attacks against other sites, so if you let attackers in, they could be using your money to finance their attacks against bigger targets.

How web software gets hacked

[Image: xkcd comic “Exploits of a Mom”]

There are a few common ways that web software gets attacked. This is by no means a comprehensive list, but these are perhaps the most likely to happen to your business.

1. Vulnerabilities in the software

Software has to be created by human beings, and just as the people who make it are not perfect, the code is usually not perfect either. When software has a flaw that lets someone gain access to a user’s account or to data without permission, it’s called a vulnerability. Perhaps the best-known kind is the “SQL injection vulnerability” exploited by the Mom in the famous xkcd comic above.
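To show what a SQL injection vulnerability actually is, here is an added example (not code from this post): a name lookup that glues the user’s input into the SQL text, beside the same lookup done with a parameterised query. The student table and names are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of student names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)",
                     [("Alice",), ("Bob",), ("O'Brien",)])
    return conn


def find_student_vulnerable(conn, name):
    """Builds the SQL by gluing user input into the query text.

    Whatever the user types is parsed as SQL, so a quote character in the
    name changes the meaning of the query instead of being treated as data.
    """
    query = "SELECT name FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_student_safe(conn, name):
    """Parameterised query: the input travels separately from the SQL text,
    so the database treats it purely as a value, quotes and all."""
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return [row[0] for row in rows]


def vulnerable_query_breaks(conn, name):
    """True if the string-built query fails to parse for this input.

    A plain name with an apostrophe is enough to break it, which is the
    tell-tale sign that user input is reaching the SQL parser.
    """
    try:
        find_student_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(find_student_safe(db, "O'Brien"))        # ["O'Brien"]
    print(vulnerable_query_breaks(db, "O'Brien"))  # True
```

The same apostrophe that merely breaks the query here is what an attacker extends into a query of their own; the parameterised version never gives them that chance.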

When vulnerabilities are discovered by the good guys (such as people who work for security companies like my former employer) they usually give the maker of the software a few days to fix them and issue a patch before they tell the world about them. This, in theory, keeps things safe by ensuring everything is patched before the bad guys find out.

Sometimes the bad guys find out first, and so makers have zero days to fix the issue before it starts being exploited — these kinds of issues are called zero-day vulnerabilities.

Software like WordPress that supports extensions or plugins adds another complication. Plugins often have access to everything inside the app, but they can be written by very novice developers, or be abandoned by their maintainers before the vulnerabilities are discovered. Even if your system is fully patched, an unmaintained or poorly written plugin could still expose you to attackers.

2. Denial of service

A web server can only handle so much traffic at once before it buckles under the pressure, usually because it has run out of RAM and CPU power to service all the users in a timely manner. This is known as denial of service (DoS).

Denial of service can happen for legitimate reasons — like your site going viral on the internet — or it can happen because someone takes it down by flooding it with requests, often from many other locations such as the compromised machines of people with poor security. If it’s coordinated across many attacking machines it’s called a distributed denial of service (DDoS).

This is one of the easiest kinds of attacks for someone to engineer, and pretty much any techie with a grudge can give it a go. It is particularly effective against sites that run on a single server, which includes the vast majority of WordPress sites.

3. Poor passwords

Somehow we’ve all got it into our heads that decades-old advice about passwords is still valid in today’s climate. We tell ourselves that a password like ILov3TP is a good password, when in fact it’s dead easy for someone with a good password breaker to crack.

The most important factor in password security by far is the length of the password. The longer it is, the higher the entropy and the longer it will take a password breaker to crack it. But all bets are off if your password can be guessed by something called a dictionary attack. Password breakers, instead of trying random strings of characters, will first try words from the dictionary, movie quotes, etc. And yes, they know to substitute a 5 if there’s an S.

Remember, the attacker only has to compromise one user of your web app to get access to everything that user has access to.
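To put numbers on the two points above (length matters most, and dictionary words with letter-for-number swaps don’t count), here is an added example that is not part of the original post. The wordlist is a constructed stand-in for a real cracking list, and the character-pool sizes (26 lower, 26 upper, 10 digits, 32 symbols) are assumptions.

```python
import math

# Constructed mini wordlist of the kind a password breaker tries first;
# real cracking wordlists hold millions of entries.
COMMON_WORDS = ["love", "password", "secret", "summer", "welcome", "dragon", "monkey"]

# Substitutions a cracker undoes before comparing against the wordlist
# (the "substitute a 5 if there's an S" trick from the post).
LEET_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(password):
    """Size of the pool the password draws its characters from (assumed sizes)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32
    return size


def entropy_bits(password):
    """Entropy of a random password of this length and pool: length * log2(pool).
    Each extra character multiplies the search space; a bigger pool only adds a few bits."""
    return len(password) * math.log2(charset_size(password))


def dictionary_hits(password):
    """Wordlist entries found in the password once leet-speak is undone."""
    plain = password.lower().translate(LEET_SUBS)
    return [w for w in COMMON_WORDS if w in plain]


def assess_password(password):
    """Return (entropy_bits, dictionary_hits). Any hit means the entropy figure
    is meaningless: a wordlist finds the password long before brute force would."""
    return entropy_bits(password), dictionary_hits(password)


if __name__ == "__main__":
    # ILov3TP from the post, a longer all-lowercase random string, and a
    # password-manager-style random one.
    for pw in ["ILov3TP", "xkqzmwplrtbvnc", "qT7#pLw2!vX9mZ4@rB6k"]:
        bits, hits = assess_password(pw)
        print(f"{pw!r}: {bits:.1f} bits, dictionary hits: {hits}")
```

ILov3TP scores about 42 bits but is caught by the wordlist (3 becomes e, revealing “love”), while a 14-character all-lowercase random string scores about 66 bits with no hits.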

4. Social engineering

At its most basic, social engineering is where an attacker asks someone for their password and that person hands it over, giving the attacker full access to their account.

Sounds like something only an idiot would do? Imagine you get a call from someone who says something like “sorry to bother you — I’m here with <your boss’s name> and she needs your WordPress password so she can correct a mistake on your website that is costing her hundreds of pounds”. In that moment, you might think “I don’t want to risk upsetting the boss!” and hand over the password. Many people do!

5. Unencrypted data

Encryption is a funny one because the general public understanding of it is very different from the reality. The most important kind of encryption on the web is SSL encryption. This kind of encryption ensures that only you and the web app can see what you’re doing — any attackers will only be able to see that you’re connected to the app and not what you’re doing.

By contrast, sites without SSL encryption broadcast everything they’re doing all over the place. Data has to get across the internet and anyone who is listening at any of the points along the way could steal anything you say or anything the web app says to you, including your password or any cookies that are used to keep you logged in. If you’re connected to public wifi, people in the same room as you can easily see everything you’re doing.

As a rule, any site that allows people to sign in or provide any kind of data must be using SSL. That means it should have https:// at the start of its URL and show a green padlock in most browsers.

The good news is that soon all the major web browsers will start alerting users when they try to type something into a site that is not using SSL. The browser makers are hoping this will get people into a better mindset about why this is so important.

Other things

There are lots of other things people can do to attack your site, such as cross-site scripting (XSS) and email forgery. This article’s already really long so I’ll leave these out; I’m just making sure you know that security is a large and complex field.

What you can do about it

SSL: get it sorted now

If your web app doesn’t use SSL (if the URL starts with http:// then it doesn’t) you should get this sorted immediately. Your app is leaking data constantly if it doesn’t use SSL, and soon all your users will know this when browsers start alerting them of this security hole.

SSL is complex (all good encryption is complex!) and even many web developers don’t fully understand it. But that doesn’t mean it’s not important!

You’ll probably need to hire someone to fix this for you, but if you want to try it yourself, here’s a really good step-by-step guide written by Google.

Keep your system patched

Make sure your system is kept up to date whenever new security patches are released. You need to think about:

  1. The operating system running on your server — your web host may take care of this but if it’s a VPS you’ll need to do it yourself. Most OS distributions have a mechanism for automatically applying security patches. In Ubuntu it’s called unattended-upgrades.
  2. The web app itself. If this is something like WordPress, it will alert you in the dashboard if it’s out of date. You can set WordPress to apply updates automatically, without intervention from a techie. This isn’t the most secure approach, but it’s better than not patching it at all!

Be wary of dodgy extensions

Be very careful which extensions or plugins you install into your web app. Make sure you pick plugins that are popular and maintained. A good way is to look to see how many comments people have posted on the plugin’s pages recently, and how recently the latest version came out.

Keep away from plugins that haven’t been updated in a while, especially if the developer seems to have gone quiet. These are the ones that won’t get patched if a vulnerability is discovered.

Remember that unless your web app sandboxes plugins, they typically have access to the whole app and database, so they are a good way in for an attacker, even if they do something superficially very trivial.

Use a password manager

Make sure you use a different password for every site and app you use — that way an attacker who breaks into one of your sites can’t get to any of the others. And remember that anyone who breaks into your email has got access to everything, because they can just hit “forgot password” on every other site.

You can’t be expected to remember hundreds of passwords, so don’t. Use a password manager like LastPass, which can generate long and complex passwords for every site you use, and you only need to remember the one password you use to log into LastPass (which should be long and complex but also memorable!)

Try not to share passwords with people — create separate accounts for them. If you absolutely have to share a password with someone, always do it through LastPass’s sharing feature… don’t send it to someone in an email or text!

You can check how easy your password is to crack at How Secure Is My Password?

Teach your team about social engineering

Make sure everyone knows about social engineering attacks: they should never need to give their password or other sensitive information to an unknown caller or emailer, and at the very least they should ask you before they do!

DoS/DDoS protection

If your app runs on a single server, then it’s very vulnerable to denial of service attacks. There’s not much you can do about this fact, but you can add a layer of protection. For example, you can put your site behind Cloudflare, which has DDoS protection (it tries to shut down floods of traffic on your behalf) and will serve up cached versions of your pages to your users if your app goes down.

Or hire a professional!

Ultimately, there’s only so much security you can get from an off-the-shelf solution like WordPress. These tools are designed to be all things to all people and so they typically have many areas of code that you might not even be using but can still be attacked. This is especially the case if you’re trying to push the WordPress solution to its limits by installing many plugins for additional functionality.

I would say this, but hiring a full-stack developer like Fish Percolator will result in a potentially much more secure app, because it will only do the things that you want it to do. Every feature will be designed together by you and the developer. Of course, these apps are also based on existing technology so it’s important to have a good CI system in place that can spot when things need patching and alert you. Developers like us would walk you through this and teach you how to use it.

And any app can benefit from penetration testing. A pen tester is someone whose job it is to try to break into web sites. Hiring someone like this will show you where your weaknesses are and give you the information you need to find someone to fix them.

I hope the above advice has been helpful. If you have any questions or comments, leave them below! If you need to talk about your web app security with someone who speaks in plain English, the Fish Percolator contact details are on our website.


Quinn Daley

Written by

Quinn is the main developer at Fish Percolator: changing the world in small ways through technology. https://www.fishpercolator.co.uk/
