Code Runners Blog
Published in

Code Runners Blog

Security considerations when developing web applications

Information security is a hot topic lately, with GDPR around the corner — and worse yet, Internet-enabled systems (basically, all contemporary computing devices) under the ever-increasing risk of security compromise.

Yet enhanced security is not an event, but rather a process — a long, error-prone and high-stake one. Still, if proper controls are in place and a multi-layered approach is employed, adequate information security is achievable.

As a software consultancy, data security is a priority for Code Runners. Here’s our approach to ensuring security compliance (e.g. ISO 27001, HIPAA in select cases) during development. Please note, this is neither the complete list of measures, nor does it guarantee 100% secure code. It merely acts as an initial draft of the security controls and measures when starting a new software project. While consisting of basic measures, the list should also act as a checklist — should some of the controls be skipped, that might lead to a significant loss of privacy or a fully-fledged security compromise of data, service, platform or any combination thereof.

Foreword

Security is important, and you can’t practice these guidelines without understanding them. Make sure you understand each guideline, its reason for inclusion in this list, and how to follow it.

(Mostly) personal security

Passwords

  • Use a unique password for every account you create.
  • Use a tool like pwgen or 1password to generate random passwords.
  • Use a tool like GnuPG or PasswordSafe to encrypt passwords if you need to share them with somebody.

Encryption

  • Ensure disk encryption on your laptop.
  • Use a PGP signature in an email if you want somebody to trust that you wrote it; use PGP to check email signatures if you want to know who wrote it; use PGP to encrypt emails if you want to be sure nobody but the recipient is reading it. Use PGP as much and as often as possible.
  • Assign ultimate trust privilege for your own keys only.
  • Assign full trust for keys you have verified in person or via a secure video chat.
  • Don’t share your private key with anyone, not even services like Keybase.
  • Keep at least one backup of your private key and revocation certificate in a secure location, such as an encrypted and always-on-your-keychain thumb drive.

Physical

  • Lock your device whenever you’re not directly in front of it
  • Don’t leave your devices unattended and / or unlocked (e.g. Kensington lock)
  • Consider installing a tracking device, possibly a remote data wipe tool such as Prey.
  • Use a monitor privacy filter for each screen in use.

Secure development

Transmitting Information

  • Don’t accept passwords or session tokens over HTTP.
  • Use HTTPS for all web traffic.
  • Use HTTPS in the beginning; it’s harder to introduce later.
  • Use HTTPS redirects for HTTP traffic.
  • Use HSTS headers to enforce HTTPS traffic.
  • Use secure cookies.
  • Avoid protocol-relative URLs.

Storing Information

  • Don’t ever log passwords.
  • Don’t ever store passwords in plain text.
  • Application passwords need to be saved as environment variables, not within configuration files
  • Don’t hash passwords using a reversible cipher.
  • Don’t hash passwords using a broken cipher, such as MD5 or SHA1.
  • Always use salting and preferably interim hashing (triple salted hashing)

Preventing Vulnerabilities and Regressions

  • During active development of a codebase, track security alerts in Continuous Integration builds.

Secure deployment

Many businesses depend on cloud-based application development lately, effectively transferring any platform-related security risks to the cloud vendor. While cloud deployment is an economically efficient solution for very small and very large applications, we’re still strong believers of self-hosted applications where possible.

General recommendations

  • Ensure version stability of deployed code — make sure your deploys are validated as much as possible before deploying; critical bugs may happen, but take your time to ensure your next “hotfix” version not only solves the issue, but does not introduce new ones.
  • Ensure secure communication when deploying — encrypt messaging over the transmission media.
  • If you persist a secure connection between your server environment and your office, ensure a DMZ exists between both networks, with bilateral rules on both ends.
  • Ensure Intrusion Detection Systems and Intrusion Prevention Systems are in place in all network segments; hardware firewalls, preferably with stateful packet inspection are industry standard.
  • Collect and aggregate logs from all systems and services separately- e.g.using services like Splunk
  • Run event correlation and smart analytics on the log cache to detect intrusions — preferably leveraging machine learning — or use an external service like Odyssey Clear Skies SIEM
  • Ensure systems at minimum run an automated self-patching procedure

Initial scanning and penetration tests

When delivering an initial version of any software project, we like to validate the quality of our work thoroughly. While still in pre-production, we do an automated application scan, followed up by a manual pen test. OWASP Top 10 Vulnerabilities obligate additional attention. Here’s the rest of the list:

  • Once production is deployed, issue an automated vulnerability scan, followed up by a manual penetration test
  • Rigorously document and follow-up on any red and yellow discoveries
  • Schedule continuous bi-weekly automated scan and a quarterly penetration test.

Conclusion

If you’ve reached so far — thank you for reading through. As mentioned already, this is not a complete list of measures, but rather a minimal collection, acting as a checklist. More specific measures are usually employed on a case-by-case basis, especially when dealing with private or health data.

In any case, we’d love to hear from you: any comments are welcome. We’d love to improve our process and get your perspective on security sufficiency when dealing with application development in 2017.

Acknowledgement

Parts of this checklist are inspired — or initially published — by Thoughtbot. Make sure to thank them too!

Thanks for reading! If you liked the post, please let me know by clicking the 👏 below.

If you want to learn more about what we do, check our website (www.code-runners.com) or follow us on Twitter. You can also sign up for our newsletter, if that’s your thing.

--

--

--

Code Runners is a team of product development experts, passionate about delivering value for our customers and the wider community. We strive to excel at what we do, while having a bit of fun along the way. Learn more at https://www.code-runners.com.

Recommended from Medium

Understanding Remote Work Security

On Privacy

0110100001100101011011000110110001101111

BUILDING INTRUSION PREVENTION SYSTEM (IPS)

POSSIBILITIES OF MOBILE APPLICATION OF S-WALLET The S-wallet mobile app has a lot of…

ctf.hacker101 — Postbook

What are the security and reliability strategies for a smart asset monitoring solution?

MAM Case — Passcode Required on Device with Application Protection Policy when org data encryption…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rumen Manev

Rumen Manev

Helping companies create beautiful products people love using @ melewi.net

More from Medium

Setup Samsung ML-3312ND Printer on Debian10

Bypassing password protection and getting a shell through UART in NEC Aterm WR8165N Wi-Fi router

SFTP Setup using Password and Key based 2FA Authentication

Implementing Security in SDLC