10 Security Tips for Developers
The 10 security tips bellow will help you ensure the minimum security for your website:
1-Sites used at public computers
After users log out, encourage them to close the browser window.To prevent the back button from reaching private pages after the use has logged out of your site (but not closed the window), use cache-control. This will piss off your users, because it prevents the browser from going Back quickly and makes some browsers forget form information upon going Back. Note that the titles of pages in session history will still be visible in the Back button drop-down.
For sites that are frequently used at public computers, consider tying the autocomplete attribute to the checkbox in your login form that controls cookie lifetime. (This checkbox is often labeled “Remember me on this computer” or “Don’t ask me for my password for 2 weeks”). For example, a script might set the autocomplete attribute to “off” if the password field has received a keypress and the checkbox is unchecked. That way, users at (misconfigured) public computers are unlikely to accidentally save their passwords on the public computer, while home users will be able to use password manager.
2-Add delays to your code
Many attacks rely on using a computer to relentlessly try and try again. It may take thousands, millions, trillions of iterations, but the computer doesn’t care. Some people screenscrape databases by sending millions of queries pretending to be a user. Others try trillions of potential passwords until just the right one is found.
The trick is to add progressively more delay to confound these bots. In many cases, you don’t want your software to be very fast or very efficient. You want it to be fast enough to support the right humans but much too slow for the attacking bots to get much accomplished.
Some log-in programs double the delay with each incorrect password. Some databases limit the number of queries coming from each IP address. Some systems deliberately send an email request to a human to slow you down. It’s all in the interest of security because humans won’t notice the extra second or two, but a bot will be bored to the point of being ineffective.
3-Test inputs rigorously
Attackers need a path into your machines, and the easiest routes are through the doors your code opens. If your software takes input from the Internet, someone will try to sneak something past you.The classic example is the buffer overflow created by lazy C programmers who accept any string of characters until that string hits the number zero, the official C symbol for the last character. Attackers discovered long ago that they could send arbitrarily long packets of data and write over the programming stack and the memory as long as they never sent that terminating zero. If they were clever with what they wrote, they could assume control and rewrite anything.
Another classic attack on open doors is SQL injection. That Web form may just ask for your ZIP code, then dutifully paste these few characters into an SQL query, but clever hackers started adding extra characters that expanded the scope to be more than a simple search. When the software blithely grabbed all the input, it ended up feeding the SQL directly to the database.
The solution is to test the size and structure of the incoming data and never, ever trust the person on the other end of the Internet.Test your code , not the database
4-Build security walls
The need to add security often can’t compete with the demand for ease-of-use. People hate to keep logging into different parts of the system, but it can be dangerous to link all of the systems and powers together into one portal. One weak link compromises everything.
There is no easy way to decide just how easy it should be for a user to navigate the system and accomplish what they want with just one click. The easier you make it for the legitimate user, the easier you make it for an attacker who slips in.
It can make sense to segregate the most sensitive operations into a separate system and require people to log in again when they want to use it. A bank might give a portal the ability to check status and deposit money, but it might require substantially more authentication before money is withdrawn.
5-Avoid trusting passwords more than necessary and add hashing ones
Everyone knows the problem with passwords, but no one knows a better solution. People forget their passwords, choose ones that are too simple, then reuse them again and again. Yet no other solutions are as flexible or as simple.Some companies are already using N-factor authentication by tossing several different hurdles in the way. They might send a text message with a random number to your cellphone and ask you to type it in along with your password.
It’s a nice mechanism unless you forget your cellphone, burn down the batteries, or find yourself inside a building where the text messages can’t reach.It’s always possible to add even more security with special hardware that locks up cryptographic keys. They are expensive, though, and even easier to lose than a cellphone.Other sites keep track of the IP addresses you use to log into their service. If you approach the system from unknown address, they send you a polite email just in case.None of these choices are perfect, but they are better than just relying on a password. The important step is recognizing the limitations of a string of letters even if some have the right mixture of uppercase and lowercase letters, numbers, and punctuation marks.
6-Watch that Crypto Code
The most common mistake is homegrown encryption code, which is typically quite fragile and easy to break. Never create your own encryption code; you won’t get it right. Don’t think that just because you’ve created your own cryptographic algorithm people won’t figure it out. Attackers have access to debuggers, and they have both the time and the knowledge to determine
exactly how these systems work—and often break them in a matter of hours. Rather, you should use the CryptoAPI for Win32® applications, and the System.Security.Cryptography namespace has a wealth of well-written and well-tested cryptographic algorithms.
You can enroll in a local university or try one of the new free courses online. These are different ways of learning the information that often hasn’t been distilled and put in book form.
The professors are usually following the latest publications in academic conferences, and they likely include copious footnotes and pointers. Even if you know much of the information already, auditing a course helps you keep current with the latest discoveries and publications.
8-Store what you need, and not one bit more
Programmers often think like obsessive hoarders, storing away copies of anything that stands the least chance of someday being useful. This instinct may help debug software, but it leaves a trail of data for anyone to find. Is every column and table in the database absolutely necessary?
When in doubt, make the forms shorter and the database tables smaller. Avoid the temptation to be a data pack rat. Simplify everything. The data thieves will hate you, but everyone else will enjoy spending less time filling out forms.
SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and web server or database. Attackers could sniff for this information and if the communication medium is not secure could capture it and use this information to gain access to user accounts and personal data.
10-Encrypt sensitive user data
What happens if you absolutely must store sensitive data in your database? If so, never store anything unencrypted. Ignoring this advice will likely land your company on the front page of the news–but not for good reasons. Do you really want to be the company that loses your customer’s sensitive data because it was all stored in plain text in your database?