
What should every programmer know about security? - napolux
http://stackoverflow.com/questions/2794016/what-should-every-programmer-know-about-security
======
kirinan
Since this is my specialty, I figured I'd put my 2cents in on hacker news, and
repost it on stack overflow later. So to begin some tools that you should use
for testing your code:

Burp tool suite (Pen Testing) BackTrack Linux Distro (has all kinds of tools,
wont go into them, but download and it can be used to really cause havoc on
your apps)

These tools allow you point programs towards your application and see if they
are vulnerable to any kind of attacks, including XSS and SQL Injection (among
a lot of others)

Engineers should also read the OWASP site, which has the OWASP top ten. It
also has other tips and tricks about how to secure against different attacks.
If you ever have a security question, this site has a lot of secure examples
for different code.

As the top comment on stack overflow says, never trust your users. That means
never allow your users to do things that you don't want them to. If you allow
them to deviate from the structure of your program in any sense, someone will
find a way to abuse the privilege. This is the key to good security.

Some Tips I'll give you: 1 ) Validate all input 2 ) Control Access to
everything 3 ) Use secure application keys to ensure that people can spoof
requests from different browsers 4 ) Use Multi Factor Authentication whenever
its possible 5 ) Never ever pass any values from the server that should leave
to the client. Even if it is hashed, I can break it using tools. Valuable data
= Server side Public Data = Client safe

If you have any other questions, feel free to post them and I'll try my best
to answer them or find you an answer.

~~~
kibwen
Information security is a topic that I'm very interested in, but it's such a
large area that I don't know even where to start. In this field especially,
"learning by doing" seems an extraordinarily bad idea. You say this is your
speciality; how did you acquire it? Are there any online courses, good books,
or useful (i.e. non-bullshit) certifications that you can recommend?

~~~
elorant
Here are a couple of great books about web/software security:

[http://www.amazon.com/The-Web-Application-Hackers-
Handbook/d...](http://www.amazon.com/The-Web-Application-Hackers-
Handbook/dp/1118026470/ref=sr_1_1?ie=UTF8&qid=1336415263&sr=8-1)

[http://www.amazon.com/Deadly-Sins-Software-Security-One-
off/...](http://www.amazon.com/Deadly-Sins-Software-Security-One-
off/dp/B001PO67JI/ref=cm_cr_pr_product_top)

~~~
tptacek
I love WAHH.

I can't stand "Deadly Sins".

I'd replace it with _The Tangled Web_, Zalewski's new web security book; WAHH
and _Tangled_ is a formidable amount of knowledge to keep on tap.

~~~
jbp
If don't want/unable to get, Tangled Web, similar useful information by same
author at "Browser Security Handbook"
<http://code.google.com/p/browsersec/wiki/Main>

------
tptacek
I am wary of software security advice that leads with "don't trust user
input", or revolves around "validate user input". That principle has been the
core of software security strategy for going on 20 years, and has bought us
very little. In the real world, we have to start by acknowledging that the
verb "trust" is situational, and that in some circumstances virtually all user
input is "trusted" somehow.

You could phrase this less tactfully as "Validate user input? No shit? Now
what?"

Here's some software security advice I'd like to offer, as a software security
practitioner to the startup stars and the Dr. Drew Pinsky of HN (ducks):

* Plan to update your platform software at inconvenient times. Dry-run your update process, so you know it will work on no notice. I personally believe you should also avoid your OS's packaged versions of things like Apache and nginx; having a known-working source build gives you control of when and how you'll apply patches; it's something you should be able to do easily.

* Put someone on your team in charge of tracking your dependencies (C libraries, Ruby gems, Python easy_install thingies) and have a process by which you periodically check to make sure you're capturing upstream security fixes. You should run your service aware of the fact that _major_ vulnerabilities in third-party library code are often fixed without fanfare or advisories; when maintainers don't know exactly who's affected how, the whole announcement might happen in a git commit.

* Use TLS to encrypt data in motion and use GPG to encrypt data at rest, and don't do any other kind of crypto. GPG blobs are large and expensive looking, but getting custom crypto right is also very expensive.

* Stay on your platform's "golden path" for web security issues. Rails developers should default-whitelist ActiveRecord models, enable CSRF protection, and avoid "html_safe-ing" strings so that the maximum amount of code inherits default protections against mass assignment, XSS, and CSRF. Anything you customize will probably bite you in the ass. Keep your code boring.

* Triple check any piece of code that "shells out" to command line tools. By "triple check": have a process by which three signoffs are required to merge any such code into the deployment branch.

* Be extraordinarily wary of library code for web apps that includes "native" C/C++ code. Very popular C library code for modern web platforms has been found susceptible to basic memory corruption issues, because the kinds of people that look for memory corruption bugs don't usually think to troll Github for Ruby, Python, and PHP code with native backend code; terrible bugs can thus stay latent for years in code you can point a URL to and read.

* People will hate me for saying this but I'm here to offer honest advice: prefer almost any modern language to PHP or Perl. I don't know what to tell you other than that PHP and Perl apps fare worse on security assessments than everything else.

* I have more than once recommended that people who are very _very_ concerned about platform security (ie, about the likelihood that there are memory corruption bugs in their language stack) use JVM languages.

* Do your admin stuff out-of-band. Write a separate admin app (bonus: the admin app can look shitty, and so is less expensive to maintain) that requires a VPN connection to access. Avoid special-privilege accounts in your normal apps. From years and years of experience working with startups: this is something you will mess up on.

* Triple-check code that handles direct file uploads and downloads. The filesystem introduces a new namespace, so upload/download code needs to juggle different privilege and authorization domains to handle it. We see fewer problems at companies that dump blobs with opaque names into S3 than we do with apps that have a file repository with named files.

* HAVE A SECURITY PAGE FOR YOUR APP. Have that page very cordially invite people to submit security flaws to an email address at your site; provide a PGP key for it. If I was maintaining a commercial app, I'd put a phone number on that page too. If you don't have this page, you should know that you are tacitly inviting people to report security flaws to Twitter.

~~~
bgilroy26
>People will hate me for saying this...

Here comes the first pitchfork-bearer! Are there ready examples of what makes
the usage of Perl a security liability?

By grouping PHP and Perl together, it seems like the security issue you're
highlighting is websites made by inexperienced programmers. Perl is much worse
than PHP in this regard owing to the fact that Perl's history of being used by
people building their first website goes back further than PHP's does.

The last time that I recall Perl being in the news for security was in the
first quarter of this year when they were patching up the DDoS vulnerability
in Ruby and Python [1] whereas Perl and CRuby had addressed the vulnerability
in question in 2004.

I would argue that at least since 2007 or 2008, that the Perl programming
demographics have shifted significantly and that most restauranteurs and
florists who are trying their hand at making a page for their SMB are using
PHP. At this point I would venture that the fat part of the bell curve of the
Perl web programming population would be systems administrators who venture
outside the bounds of their automation scripting domain.

Given the stereotypical sysadmin, I would posit that they might tend to spend
extra time and energy on security (in building some script-y spaghetti
monstrosity).

1\. [http://arstechnica.com/business/news/2011/12/huge-
portions-o...](http://arstechnica.com/business/news/2011/12/huge-portions-of-
web-vulnerable-to-hashing-denial-of-service-attack.ars)

~~~
daeken
> Are there ready examples of what makes the usage of Perl a security
> liability?

The `open` function used on untrusted input allows arbitrary code execution
(I've gotten privilege execution via setuid perl scripts many times this way,
as well as getting a shell on the box via web apps allowing this).

While there are many other common things I saw in real world apps, e.g. perl
scripts using backticks for command execution and allowing me to run anything
I wanted, the `open` one is by _far_ the worst. It's insanely pervasive and
incredibly easy to do.

~~~
chromatic
_The `open` function used on untrusted input allows arbitrary code
execution..._

... only if you use the insecure open form. The secure open form has been
available and recommended since the release of Perl 5.6.0 in March 2000--
twelve years ago.

People who write insecure code, when the language makes it just as easy to
write secure code, are to blame for insecure code.

~~~
ArbitraryLimits
> People who write insecure code, when the language makes it just as easy to
> write secure code, are to blame for insecure code

We're not discussing who's to blame, we're discussing whether there's anything
to assign blame for.

~~~
chromatic
Can you name a practical language in which it's not possible, by default, to
perform an unsafe operation with untrusted user input?

I can easily use Haskell's type system to disallow the use of UnsafeUserInput
in my database abstraction layer, but that requires me to use my types
pervasively and correctly.

~~~
SamReidHughes
The question is not whether it is POSSIBLE.

------
rollypolly
I would add this to the suggested reading list:

<https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines>

~~~
ecesena
I've found this list really valuable.

I believe that there are two main security objectives while designing a new
system: one is to protect the system itself against attackers, another one is
trying to limit damage (especially data exposure) in case an attack actually
happens.

Nowadays I think the first one is a must... from this point of view I wouldn't
say it's important to check user input... it's a must! (while building a
system, I don't usually think how can I check user input, rather how can I
assure that my system will _always_ check user input).

But since we can fail, the second objective is really important too and many
design choices should really be done with security coming before
functionality.

A simple example is password storage. The guidelines are good in pointing to
bcrypt (another fine solution is pkcs5), but often just a hash function is
used (sometimes even md5 that we can no longer consider a robust hash) or the
salt is replaced with something which is not random (e.g. timestamp). These
bad design choices could lead to easier password recovery.

Another aspect that I try to enforce in my neighborhood is protecting
sensitive user data at least with user password. Of course this requires the
user to enter her password every time the data must be accessed, but often
this is already the case (think to a payment, wouldn't you ask the user for
her password before doing it? So why her payment data shouldn't be protected?)

------
FuzzyDunlop
I think it'd be interesting to highlight some vaguely security-related
measures that might make it less simple for attackers to _shut down_ your site
just by using it normally. I'm not so sure it's relevant to the SO question,
mind, as it's more in line with optimisation than anything.

This might include:

* Using a caching layer to store and re-use the results of complex, infrequently changing queries, instead of querying the database on every request.

* Using a message queue to handle the processing of certain things in the background. If you have an upload form that then manipulates or processes the file in some non-trivial manner, add it to the queue. The queue can drop messages or jobs if it gets too big.

I only say this having developed some projects where holding the refresh key
down for a few seconds on pages with lots of queries (along with the hundreds
Drupal makes anyway) could crash MySQL. As could using a separate form that
sent emails and processed images on-the-fly.

Best not to present attackers prime opportunities to DOS your site.

~~~
napolux
Interesting! :)

------
rudhir-secpanel
[http://www.behind-the-enemy-lines.com/2012/04/google-
attack-...](http://www.behind-the-enemy-lines.com/2012/04/google-attack-how-i-
self-attacked.html)

Interesting post which showed how badly configured linkages between private
google docs and S3 caused an accidental DoS.

