It seems like every couple of weeks, there’s news that another major site has been compromised. And yet, often when I read the details of how the bad guys got in, it seems like the breach should have been easily avoided. So here are a few of the obvious steps that web application developers should consider.
SQL Injection. This one is as old as the hills. Most database implementations allow SQL commands to be embedded within each other. Bad guys take advantage of this by embedding a command within a field on a form, a command like return all the passwords or credit card numbers. Some programming languages/environments automatically check for SQL injection. If yours doesn’t, add your own to your application layer.
Password Protection. Passwords are special. Design your password features and your database to make it harder for them to be stolen. From a feature perspective, it’s more secure to allow passwords to be reset than to allow a user to retrieve his or her password. At the database level, use a dedicated table or even a whole separate database instance for just the passwords, and with your database administrator design how to lock it down tight. Don’t store the passwords in cleartext. Encrypt or encipher them with the strongest algorithm and keys you can afford (computationally). In fact, my preference is for one way “encryption,” meaning passwords can’t be decrypted. Make your users use strong passwords.
Credit Card Numbers. See above – credit card numbers should not be stored in cleartext. Encrypt them. In addition, never show the entire credit card number back to the user in case his or her account has been compromised or someone is peeking over his or her shoulder.
Architecture. Before you even start coding, discuss your architecture with the network administrator. You’ve likely heard of 3-tier architectures, or N-tier architectures. One of the reasons a 3-tier architecture is popular is that it neatly accommodates the role of a modern firewall, with it’s DMZ and private zone. It can be hard to change the architecture later, so understand how to make it possible for your network administrator to deploy your application in a secure data center (virtual or otherwise).
Application Access. Don’t be lazy and just assume your application will have superuser access. Setup a user for the application to run as. Setup a database login that the application will use for the database. Neither should be superuser. Might I even suggest grouping your applications by the kind of access they require, and defining different logins for each application? Yes, it will take more time – you’ll have to define groups for all the other users that need to access the same data.
Encrypt Connections. Use HTTPS instead of HTTP. Use Secure Socket Layer for non-HTTP connections. This applies not just for browser to web server connections, but server to server connections in your data center.
Stack Overruns. This isn’t as relevant nowadays, but if you use one of the older compiler languages, arrays are vulnerable to a hack by overrunning the stack. Check and/or truncate the length of every user input against the array you store it in. Or use heap memory instead of stack memory.
Well, those are some of the basic measures to take. Thought of something else I overlooked? I’d love to hear it.
Security is always balanced against implementation effort and ease of use. And of course, there are always competing priorities. But think of the impact if your site makes one of those headlines. Customers won’t trust you. Heck, business partners won’t trust you. Application security doesn’t increase revenues, but if your site is compromised, that sure will.