Difference between revisions of "Security course 30 April 2018"
From Jon's Wiki
Revision as of 23:03, 29 April 2018
- ACL: Access Control List.
- Access Control: who can access which parts of a system, by assigning permissions to roles, users to groups, and roles to groups.
- Authentication: confirmation of identity.
- Authorisation: access control.
- NZISS: New Zealand Internet Security Standard.
Restrict database access to only the tables required, and use a small set of stored procedures to hide sensitive tables entirely (e.g. an AUTHENTICATE() stored procedure, and no direct access to the USER table).

-- PostgreSQL with the pgcrypto extension; columns beyond property1 elided as in the notes.
-- SECURITY DEFINER runs the function with its owner's rights, so the calling role
-- needs EXECUTE on the function only and no privileges on the users table itself.
CREATE FUNCTION authenticate(u TEXT, p TEXT)
RETURNS TABLE (username TEXT, property1 TEXT) AS $$
BEGIN
  RETURN QUERY
    SELECT users.username, users.property1
    FROM users
    WHERE users.username = u
      AND users.password = crypt(p, users.password);  -- compare against the stored salted hash
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
- Design software to use the lowest privilege level required to complete its tasks.
- Deny access by default.
- Check return values of all system calls.
- Validate all inputs - lengths, field types, ranges, controlled vocabularies.
Authentication
- User IDs - each user must have their own unique ID. No shared 'office admin' accounts with naff passwords.
- Don't use shit passwords. Enforce minimum password complexity, use multi-factor auth, biometrics, etc.
- Encrypt user authentication data over the network (including database connections).
- Don't store passwords in clear text.
- Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
- Display when a user last logged in.
Auditing
Log at least these events. We need who did what, where (source IP, device ID, etc.), and when:
- User logins.
- Privileged operations e.g. create new user, role/permissions changes, etc.
- Failed attempts to elevate privileges.
- Failed attempts to access files, functions, services. (Was it temporarily down, or was it attacked?)
- Security-related alerts and failures.
DON'T IMPLEMENT YOUR OWN CRYPTO unless you are a professional cryptologist implementing a software cryptography library.
Input handling
Never trust anything passed in, including the URL and its parameters, HTML form data, cookie values, and request headers, without validating/sanitising it first.
Output handling
- Use appropriate URL encoding (/ = %2f) and HTML encoding (& = &amp;) for the context the output lands in.
- Use HTTP Strict Transport Security, Content Security Policy, and X-Frame-Options (frame options) headers.
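An added example, not part of the original notes, covering the input-validation rule above (lengths, field types, ranges, controlled vocabularies, deny by default) and the output encoding in this section. The schema and field names are constructed for illustration; validate() refuses any request with an unlisted field or a failing rule, and the two encoders show & becoming &amp; and / becoming %2F.

```python
import html, re
from urllib.parse import quote

# Constructed schema (not from the course notes); fields not listed are refused.
SCHEMA = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"[a-z0-9_]+")},
    "age":      {"type": int, "min": 0, "max": 150},
    "role":     {"type": str, "max_len": 16, "vocab": {"viewer", "editor"}},
}


def check(value, rule):
    """Return an error message for one field, or None if it passes every rule."""
    if rule["type"] is int:
        if not re.fullmatch(r"-?[0-9]+", value.strip()):
            return "not an integer"
        if not rule["min"] <= int(value) <= rule["max"]:
            return "out of range"
    elif len(value) > rule["max_len"]:
        return "too long"
    elif "pattern" in rule and not rule["pattern"].fullmatch(value):
        return "disallowed characters"
    elif "vocab" in rule and value not in rule["vocab"]:
        return "not in the controlled vocabulary"


def validate(form):
    """Return (clean_values, errors); any error means the whole request is refused."""
    errors, clean = [], {}
    for name in form:
        if name not in SCHEMA:
            errors.append("unexpected field: " + name)  # deny by default
    for name, rule in SCHEMA.items():
        if name not in form:
            errors.append("missing field: " + name)
            continue
        value = str(form[name])  # form values always arrive as text
        problem = check(value, rule)
        if problem:
            errors.append(name + ": " + problem)
        else:
            clean[name] = int(value) if rule["type"] is int else value
    return clean, errors


def for_html(value):
    """HTML-encode for element text or a quoted attribute: & becomes &amp;."""
    return html.escape(value, quote=True)


def for_url_segment(value):
    """URL-encode one path segment with safe="" so / becomes %2F (same as %2f)."""
    return quote(value, safe="")
```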
OWASP
Open Web Application Security Project. Freely available information, cheat sheets and guidelines, including:
- The OWASP Top Ten.
- Secure Coding Quick Reference Guide
- Zed Attack Proxy (ZAP)