• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Codemotion Magazine

Codemotion Magazine

We code the future. Together

  • Magazine
  • Dev Hub
    • Community Manager
    • CTO
    • DevOps Engineer
    • Backend Developer
    • Frontend Developer
    • Web Developer
    • Mobile Developer
    • Game Developer
    • Machine Learning Developer
    • Blockchain Developer
    • Designer – CXO
    • Big Data Analyst
    • Security Manager
    • Cloud Manager
  • Articles
    • Stories
    • Events
  • Sign In
Home » Dev Hub » Security Manager » Se7en deadly sins of web security
Security Manager

Se7en deadly sins of web security

Codemotion and Facebook organized the Tech Leadership Training boot camp, heres a personal reportage from one of our attendees.

Last update April 3, 2019 by Toby Moncaster

Web security is a topic that just won’t go away. Every day we hear the latest revelations – look at the latest scandal with Marriott admitting over 500 million customer records have been stolen using a breach that had been active since 2014!
Dave Lewis, a CISO at Duo, now part of Cisco, has over 15 years’ experience in the security business. As he says, he’s seen it all, and has learnt from his own mistakes. But he is depressed to see companies make the same mistakes time and again.

Injection

Injection attacks have been around since forever, yet they still cause issues. In particular, SQL injection attacks are often all too easy as highlighted in an early XKCD cartoon.

XSS

Cross site scripting allows attackers to do bad things to your site, from interface changes and code injection to hijacking and redirecting traffic. There are three classes of XSS attack. Reflected attacks allow attackers to do things like bring up their own popups; Stored attacks are where attackers store their script somewhere on your server; DOM attacks modify the local environment in the browser. All these attacks have been known about for years and protecting against them is relatively straightforward. For instance, using content security policies and frameworks such as Ruby on Rails which solve almost all XSS vulnerabilities.

Configuration

Often vulnerabilities are caused by misconfigurations or plain lack of common sense. As an example, Dave told us about a (nameless) Canadian company he was working for. On one page he found hidden in the comments “User admin; password admin”. Lo and behold, when he entered these they were indeed the admin credentials for the whole site. Clearly, they had been put in the source during development, but no one had thought to edit the source post-release, or to update the password.

Authentication

In Dave’s views, passwords have long-since passed the end of their useful life. All of us reuse passwords across multiple services and many people use plain dumb passwords. The problem is that a password just proves that you have the password, not that you are authorized to have and use it. The solution is multi-factor authentication and a move away from dumb passwords. Fortunately, as of April this year, WebAuthn has been adopted as a standard, which should help make this easier.

Broken Access

One of the worst sins is to fail to secure your site properly. A couple of years back, Dave was dealing with a series of attacks by the so-called Lizard Squad. Unbelievably he found that they had failed to secure their own site with a .htaccess file. As a result, he was able to find details of all the members and was able to shut down the attacks. Open ports are another easy attack vector to deal with – on the day of the conference, Dave found over 34 million vulnerable open ports across Germany, 1.9 million of them in Berlin.

Known Bad

Known Bad is a serious problem for many companies. To remain secure, it’s essential to keep your software updated against known attacks such as Heartbleed. Dave pointed us to a few useful tools including synk.io and wpscan.org. He also suggested it may be worth testing your own site using pyfiscan, a tool included in Kali Linux (a version of Linux for pen testing).

Logging (or its lack)

The final deadly sin is poor logging. The fight against hackers is never-ending, and fundamental vulnerabilities like Spectre and Meltdown keep being found. So, even with the best security you may find yourself vulnerable. This means it is essential to make sure you log everything you can. Then when you have a problem at least you can track it back properly.

Tagged as:Codemotion Berlin

Microservices from dev to deploy, part 1: getting started with Helidon
Previous Post
Find, motivate and retain talent: the CTOs speak
Next Post

Primary Sidebar

Whitepaper & Checklist: How to Organise an Online Tech Conference

To help community managers and companies like ours overcome the Covid-19 emergency we have decided to share our experience organizing our first large virtual conference. Learn how to organise your first online event thanks to our success story – and mistakes!

DOWNLOAD

Latest

What are the Main Areas of Development for Programmers to Land Their Dream Job? Codemotion

What are the Main Areas of Development for Programmers to Land Their Dream Job?

Backend Developer

How to Contribute to an Open-Source Project

How to Contribute to an Open-Source Project

Backend Developer

6 Great DevOps Metrics - and How to Choose the Right Metrics

6 Great DevOps Metrics – and How to Choose the Right Metrics

DevOps Engineer

Codemotion Interview with Chad Arimura

Thinking Like a Founder – meet Chad Arimura

CTO

DesignOps and UX Engineers

Move Over DevOps! Time for DesignOps and UX Engineers

Designer - CXO

Related articles

  • The Lifecycle of a Remote Code Execution Security Incident
  • Does open source software have a security problem?
  • What a Security Engineer & Software Engineer Learned by Swapping Roles
  • How to Prepare IT Infrastructure For Coworking Spaces
  • So you want to work in cybersecurity?
  • Peter Todd: Helping people to solve their problem with Cryptography
  • Cybersecurity is as much about social engineering as bugs
  • Life-cycle of a security incident: from detection to response
  • 5G: what’s in it for developers?
  • 5G: what’s in it for security?

Subscribe to our platform

Subscribe

Share and learn. Launch and grow your Dev Community. Join thousands of developers like you and code the future. Together.

Footer

  • Learning
  • Magazine
  • Community
  • Events
  • Kids
  • How to use our platform
  • About Codemotion Magazine
  • Contact us
  • Become a contributor
  • How to become a CTO
  • How to run a meetup
  • Tools for virtual conferences

Follow us

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
  • YouTube
  • RSS

DOWNLOAD APP

© Copyright Codemotion srl Via Marsala, 29/H, 00185 Roma P.IVA 12392791005 | Privacy policy | Terms and conditions

  • Learning
  • Magazine
  • Community
  • Events
  • Kids
  • How to use our platform
  • About Codemotion Magazine
  • Contact us
  • Become a contributor
  • How to become a CTO
  • How to run a meetup
  • Tools for virtual conferences

Follow us

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
  • YouTube
  • RSS

DOWNLOAD APP

CONFERENCE CHECK-IN