Web security: basic principles


Introduction

With ever more sensitive information being transferred over the Internet, it is important to establish well-understood security mechanisms that will ensure online business activities can be carried out with confidence. In many a well-publicised example, even large corporations have suffered incidents in which someone has gained unauthorised access to customer financial details or other personal or sensitive information. In the world of financial trading, clients of brokers or exchanges want to be sure the records of the trades they execute won’t be changed maliciously or indeed lost or made inaccessible. All businesses should therefore ensure that protecting their valuable data is a top operational priority.

Regardless of the nature of the business or organisation that owns it, if a website has security flaws, it runs some risk of being exploited by a hacker. Malicious hackers use their programming knowledge to take advantage of weaknesses in websites on behalf of a hostile actor, or simply for personal gain, amusement or satisfaction. They might try to steal sensitive information, alter important data, or perform actions on a compromised account. Hackers may also try to overload a system (a denial-of-service, or DoS, attack) to prevent legitimate users from gaining access.

In this introductory post, we’re going to cover the basics of web security, and some of the tools and best practices we use at Sinara to mitigate these potential issues in the software we build for our clients.

“CIA triad”

To start with, it’s useful to refer to the “CIA triad” at the core of software security:

C – Confidentiality: users should not be able to see data they are not authorised to see, e.g. when a user logs into a trading account, they should only be able to see their trades, not the trades of other users.

I – Integrity: data should be protected against manipulation e.g. when a user places an order to buy 10 shares in Company A, nobody should be able to alter the request to an order to sell 5 shares of Company B.

A – Availability: data should be available when requested, e.g. when a user tries to log onto their account, they should be able to see the information related to the account instead of receiving an error code or having to wait an excessive amount of time.

Maintaining these three principles when designing and building software systems, from requirements through to deployment, goes a long way towards preventing malicious activity and ensuring that a system can be relied on. At Sinara, we ensure that our developers understand these principles and receive regular training on software security to deal with evolving threats.
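The trading examples above, as an added illustration that is not part of the original post: a server-side handler that enforces the confidentiality rule (a user sees only their own trades, and the filter comes from the authenticated session rather than from the request) and an integrity tag on order messages so that a "buy 10 shares in Company A" request altered in transit to "sell 5 shares of Company B" is rejected. The trade records, the handler names and the demo key are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample data: trade records belonging to two accounts.
TRADES = [
    {"id": 1, "account": "alice", "symbol": "A", "side": "buy", "qty": 10},
    {"id": 2, "account": "bob", "symbol": "B", "side": "sell", "qty": 5},
    {"id": 3, "account": "alice", "symbol": "C", "side": "buy", "qty": 3},
]


def trades_view_insecure(requested_account):
    """Weak: trusts the account id supplied in the request, so any logged-in
    user can read any other user's trades simply by changing that field."""
    return "ok", [t for t in TRADES if t["account"] == requested_account]


def trades_view(session_user, requested_account):
    """Confidentiality: the authenticated session decides what is visible.
    A request for a different account is refused rather than served."""
    if requested_account != session_user:
        return "forbidden", []
    return "ok", [t for t in TRADES if t["account"] == session_user]


# Constructed demo key; in a real deployment this would be a per-session key
# that both the client and the server hold and that is never sent in clear.
ORDER_KEY = b"constructed-demo-key"


def canonical(order):
    """Fixed serialisation so the same order always yields the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order):
    """Integrity tag (HMAC-SHA256) computed over the canonical order."""
    return hmac.new(ORDER_KEY, canonical(order), hashlib.sha256).hexdigest()


def accept_order(order, tag):
    """Server side: recompute the tag and compare in constant time. Any change
    to symbol, side or quantity after signing makes the tag mismatch."""
    return hmac.compare_digest(sign_order(order), tag)
```

Transport encryption such as TLS provides the same in-transit integrity for a web application; the explicit tag here simply makes the check visible.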

OWASP

OWASP is the go-to resource for information on current security threats, how to mitigate them, and how to ensure the “CIA triad” is upheld. OWASP (Open Web Application Security Project) is a non-profit foundation that aims to equip developers and technology professionals with information and tools to improve software security. OWASP also publishes a list of the most dangerous currently known security flaws, the OWASP Top Ten, which is updated every few years.

At Sinara, the OWASP Top Ten are used regularly by project teams to identify key security risks and what measures need to be taken to ensure our software is robust.

Software engineering standards

As well as the known security exploits defined by OWASP and other sources, there may be some unknown ones. How can one defend against the unknown? The best way to defend against an unexpected attack is to make sure that you have applied the basic principles of software engineering correctly throughout the system, regardless of the underlying technology. This is something we have long championed at Sinara. Using best practices and good design patterns, even in areas that don’t seem to have much to do with security, actually helps make the software more secure.

Adherence to good programming practices, elimination of bugs, and compliance with existing security or programming standards such as PCI DSS (Payment Card Industry Data Security Standard – https://www.pcisecuritystandards.org/) or the ISO C# Specification (International Organisation for Standardisation – https://www.iso.org/home.html) all minimise the risk of introducing weaknesses into software.

Integration testing

Some security flaws are the result of a single piece of poor code that allows an exploit, while others arise from the integration and setup of the system. Security issues born out of these intricacies of system integration or details of deployment make it important to test software systems as a whole, rather than only at individual points of concern. For example, a system with a database situated on a server with limited memory could compromise the integrity principle: when the server runs out of memory, all subsequently submitted user data could be lost if the failure is not handled correctly.

Penetration testing

Penetration testing (attempting to exploit software manually or with the use of a dedicated program) is also crucial to discover any security issues that have not yet been dealt with, particularly those that are the result of deployment or integration details. At Sinara, we use tools such as Veracode to make sure that there are no vulnerabilities in our software deployments.

Conclusion

In order to take software production from start to finish and end up with a secure system, it is necessary to consider security throughout the development process and not just as an afterthought. Referencing the OWASP Top Ten during the design and development phases of production is essential, as well as maintaining high standards in the codebase.

So while web security can be a big and often daunting topic for newcomers, it is very manageable when approached by focusing on the main principles and resources: CIA, good general programming practices and OWASP.
