
Ask HN: I'd like to learn more about programming secure websites - diN0bot
I'd like to learn how to program secure websites. I use Django and have read the Django book (including chapter 20 on security). I'm more interested in SSL-type trust stuff than SQL injection, but I'm certainly not an expert on anything. Any weak link will break the chain, so please recommend whatever books you found helpful.

Thanks!
======
kailashbadu
I am from a PHP background and here is the lowdown of how I worked my way from
basic PHP security to advanced web application security (language-
independent). I am sure it will help you in making a decision for yourself.
1. Essential PHP Security by Chris Shiflett: a light read at a little over
100 pages. PHP often picks up a lot of flak for being insecure. However, in
the majority of cases it's not because of flaws in the PHP platform itself. It's
because of certain design choices PHP made which make it easier for a
novice developer to mistakenly write insecure code. Given a little care, these
mistakes can be easily avoided. All the basic security stuff is covered, like
forms and URLs, SQL injection, session and cookie security. The concepts
covered in this book can easily be applied to other platforms, but apparently
you don't want any of this information because you are already well-versed in
it.

2. Pro PHP Security by Chris Snyder and Michael Southwell: covers most of
what you are looking for, namely the perils of shared hosting, safe development
practices, encryption, SSL and SSH, HTTP and HTTPS, access control and
authentication. Of course the book is inclined towards PHP, but most of the
concepts are language neutral and you can easily extrapolate them to
another language of your choice.

3. Foundations of Security by Neil Daswani et al.: the blurb on the first page
speaks for itself: _What every programmer needs to know about security with
running examples of web applications and stories of what's gone wrong in the
past_. Mostly language neutral, but the sample code is implemented in Java.
Comprehensive. Recommended.

4. A bunch of videos at <http://code.google.com/edu/security/index.html>
helped too.

~~~
diN0bot
thanks for the resources. this is great!

------
yan
<http://www.owasp.org> should be the first place you look.

~~~
megamark16
We lived and died by the OWASP recommendations at the bank that I used to work
at. It's certainly a good place to start.

------
pierrefar
Depends what you mean by "secure": do you mean protecting against attacks or
do you mean impenetrable transfer and storage of information?

For protecting against attacks, the absolute rule is: Never trust anything
that the user has provided. This includes form submission, URLs for requests
(i.e. it could be a malformed URL), the HTTP headers, the cookies, etc. They
are all vectors for an attack. The corollary to this is: validate everything.
From here, you can start learning more about the creative ways your app can be
exploited.

For securely transferring and storing information, you'll need to look at
encryption strategies like SSL and hashes (for, e.g., passwords) and the like.

Of course we can only point you in the general direction. This is a very big
topic!

~~~
diN0bot
true. i am at once torn between consuming this large topic and beefing up the
few links in the chain that i am currently working on. i'm looking forward to
getting some of the above mentioned books from the library sometime, yet i
also know i'm on a tight schedule and it's hard enough to sneak engineering
goodness tasks into each iteration (tests get on fine, though).

getting my server hacked into is certainly on my mind as i set up the server
myself only out of necessity and poverty (if not financial then creative and
social). i really want the data to remain private.

i have form submission secured. not only does django escape input into sql,
but i have a pre-save signal that removes html tags. one concern i do have is
that when a form has an error in it, the page is reloaded with the previously
entered form values. i believe django templates always escape variables, but i
should try writing javascript there just to make sure.

django also stores salt + hashes of user passwords, rather than the passwords
themselves. django also puts non-critical information in session cookies. the
real data gets looked up in the view middleware.
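The re-display concern above, as an added example (not the OP's code and not Django's): a tag-stripping pre-save filter next to the escaping the re-rendered template has to do. Stripping tags is storage-side cleanup, not an output encoding; a value with no tags can still carry a double quote that matters inside an attribute, so the output step escapes regardless of what was stored.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(value):
    """The kind of pre-save filter described above: drops anything shaped like a tag.
    It is a storage-side cleanup, not an output encoding."""
    return TAG_RE.sub("", value)

def render_text_input(name, value):
    """Re-render a field with the value the user previously entered. The value
    lands inside a quoted attribute, so it is escaped with quote=True, which
    also turns a bare double quote into &quot; (template autoescaping does the same)."""
    return '<input type="text" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

def render_errors(errors):
    """Error messages are emitted as text nodes; they are escaped as well."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(e) for e in errors) + "</ul>"

def rerender_form(fields, errors):
    """Assemble the re-displayed form: every user-supplied string goes through escaping."""
    inputs = "".join(render_text_input(n, v) for n, v in fields.items())
    return render_errors(errors) + "<form>" + inputs + "</form>"
```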

------
dryicerx
A lot of suggestions would tell you how to write secure sites, but if you
really want the guts, learn how to break the site.

Go to the library and pick up some network security books, and focus on the
website security sections (sql injections, exploiting the parameters sent to a
website, trying to learn the sites using their error messages to ssl to domain
spoofing). For one, this is actually a lot of fun, but more importantly, now
you'll always be thinking how to exploit the code you write, and doing so will
allow you to realize mistakes very quickly.

------
costan
Good overview of the issues you'll need to deal with: (read the paper, not so
much the class notes)

<http://pdos.csail.mit.edu/6.893/2009/schedule.html>

------
diN0bot
one question that i find particularly perplexing: what is supposed to be
secured over HTTPS vs HTTP? should the entire site be HTTPS? including media?
why do some folks talk about hybrids? is it for performance?

~~~
Ixiaus
HTTPS encrypts the connection between the client and the server, so, login
pages and all backend/control panel pages should be HTTPS.

Reason being, someone between the client and the server can sniff the traffic.
If it is HTTPS it will be encrypted; if not, plain as day. Hence the reason
why login pages usually redirect you over to an HTTPS login page: when you
log in you don't want to send your username and password pair to the server in
plaintext!

What's funny is people often still send their email creds to their email
server without being encrypted either...

Your whole site should _not_ use HTTPS unless _all_ of the data or
functionality on that site were sensitive. Pretty simple rule of thumb: public
facing pages use HTTP and login pages + anything behind use HTTPS.
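The hybrid rule of thumb above (public pages on HTTP, the login page and everything behind it on HTTPS) as an added, framework-agnostic WSGI example; it is not Ixiaus's code and not Django's. The hostname and path prefixes are assumed values. It forces the sensitive paths onto HTTPS before the application runs and marks cookies issued on the HTTPS side as Secure, since on a hybrid site the session cookie must never be sent over the plain-HTTP half.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"          # assumed; never reflect the request's Host header
SECURE_PREFIXES = ("/login", "/account/")   # assumed: the login page and everything behind it

def needs_https(path):  # True for the login page and for everything 'behind' it
    return any(path == p.rstrip("/") or path.startswith(p) for p in SECURE_PREFIXES)

def add_secure_flag(headers):  # mark every Set-Cookie as Secure if it is not already
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                value += "; Secure"
        out.append((name, value))
    return out

class HybridHttpsMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        https = environ.get("wsgi.url_scheme") == "https"
        if needs_https(path) and not https:
            # Bounce before the app runs; the login form itself is then served over
            # HTTPS, so the credential POST never starts on the plain-HTTP side.
            location = "https://%s%s" % (CANONICAL_HOST, quote(path))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("302 Found", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start(status, headers, exc_info=None):
            # A session cookie minted on HTTPS must never be replayed over HTTP.
            return start_response(status, add_secure_flag(headers) if https else headers, exc_info)
        return self.app(environ, start)

def call(app, environ):  # tiny WSGI driver: (status, headers, body) for one request
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def demo_app(environ, start_response):  # stand-in for the real site
    start_response("200 OK", [("Set-Cookie", "sessionid=abc123; Path=/")])
    return [b"hello"]
app = HybridHttpsMiddleware(demo_app)
```

Django later gained settings for the same mechanics (SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE); the middleware only makes visible what those switches do.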

~~~
gchucky
Total noob question, but I'll ask it anyway: is there any coding that has to
be done to do HTTPS, or is it as simple as linking to the same page with https
in the front?

~~~
yan
I also feel that I should point out: Putting forms behind SSL does not absolve
you of secure coding guidelines! SSL does not influence whether or not your
webapp is vulnerable to traditional injection and logic flaw attacks.

~~~
Ixiaus
While that is true, the OP said he was interested in learning more beyond just
SQL injection etc...

Which brings me to your second subject: logic flaws. _That_ is probably the
most common security flaw of all. It has been made worse by the
fact that most "web developers" don't actually understand logic or the full
implications of structured programming.

It is compounded by a lack of understanding of system fundamentals too; it's
quite common amongst developers I have met to _not_ know why "0123" comes out
as "83" in any scripting language built atop C (Python and PHP are popular
examples). (Hint for those that don't know: C interprets integer literals with
a leading zero as an _octal_ number.)

~~~
diN0bot
haha. this is so true. i have no doubts the biggest problems we'll face with
early product iterations are our own bugs rather than malicious third parties
:-)

we'll do the best we can to get both fronts up to snuff before the general
public gets a stab at us.

