
Poll: Are you nervous about your applications' security?

The recent actions of Anonymous and LulzSec have caused developer Justin James to take note. Let us know whether you think your apps could withstand a determined attack.

In the last couple of months, groups such as Anonymous and LulzSec have been tearing through the Internet, getting access to a large number of data storage areas that everyone assumed were highly secured. One of the goals of these groups is to raise awareness of the vulnerabilities, and I know that I certainly took note. I think that a lot of application developers and system administrators have gotten very complacent, and that sense of security is not warranted. How well do you think that the applications you write could withstand a determined attack?

J.Ja


About

Justin James is the Lead Architect for Conigent.

7 comments
Dethpod

@Charles Bundy >>Therefore its "hardness" with regards to security is built upon a foundation of sand in front of a vast ocean... Well said. Any forward-facing app/site is beat/fuzzed to death. And even then I am skittish. I have been hacked before... a long time ago, and it is one of the worst feelings you can get. You feel violated. It is tantamount to digital rape.

Charles Bundy

is indistinguishable from magic. Therefore its "hardness" with regards to security is built upon a foundation of sand in front of a vast ocean...

h8usernames

As an experienced developer I often find my team will overlook the most basic steps in securing our solutions; for this reason we run a number of tests to ensure there is a high level of security in our applications, especially when a new developer joins our team. But I also understand that to maintain a secure application you need to keep your code base up to date, something I have seen many developers simply do not do or really care about.

As recently as yesterday on stackoverflow.com, I was advising of the risks of using a primary key user ID in an avatar image name to create a unique image name. After posting 2 alternative methods to generate a unique image name that does not disclose, or that does a very good job of hiding, this basic yet powerful information, I was asked what the real risks are. I could give 2 examples off the top of my head, without thinking, using simple cURL methods to hijack accounts and extract data from the site. Developers forget that even if they have a small web app it can hold valuable information about the user, such as full name, date of birth and physical address, that in many countries is all that is needed to gain access to a bank account or tax information. Once someone has this information that person can pretty much become you.

I have a non-tech-minded friend who is so scared of online threats (even though she doesn't know why) that she doesn't provide her full name on any website and is in my opinion "overly cautious" about the information she provides. In saying that, it is not a bad approach if you do want to protect yourself as a user. I hear others in the industry complain about lack of public trust because of websites like Facebook that have had massive oversights or security issues in the past, but do we really understand what asking for this trust means? Also, has it become too common for users to be asked to provide personal and identifiable information to websites?

I believe too many websites ask for too much information about their users; for example, how many apps really need a date of birth? Yes, some do need it, but even our paid SaaS apps don't ask for this (even in our billing system we don't see it as required) because it is not relevant to our service, and as we do not under any circumstances allow users to hold an account, we have no debt recovery or need to identify the people in this way. I ask that other developers look at the information you are asking for and see if you really need it; if you don't, remove it from your systems along with the question and the functions that ask for it. If you do need it then fine, but maybe think about telling your customers why you need it. On this point, a great practice is to tell your website users why you're asking for that information and basically (no details) how you protect it. This gives them a reason to trust you and the industry, provided you're being honest about it, and I would hope that most here are. I want to see more trust being earned in the industry; this way we can educate our customers together and create a better and safer internet for all... but it does start with us using best practices, asking for only what we need and setting the example.
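The avatar-naming point in the comment above, worked through as an added example. This is my own illustration, not code the commenter posted or the Stack Overflow answer he refers to: the naive scheme puts the primary key in the file name, and the two alternatives shown (a keyed HMAC of the id, and a stored random name) are my choices for "does not disclose" and "hides" that information. The secret key, user ids and attacker guess range are all constructed for the example. `leaked_ids` plays the attacker who simply walks sequential ids, which is the enumeration that a database-key file name hands out for free.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment loads it
# from a secrets manager and rotates it like any other key.
AVATAR_KEY = b"example-avatar-key-do-not-use-in-production"


def naive_avatar_name(user_id: int) -> str:
    """The scheme the comment warns about: the primary key is the file name.

    Anyone can read the id straight off the image URL, and because ids are
    sequential, walking every user's avatar (and learning which ids exist)
    is a for loop with curl.
    """
    return f"{user_id}.png"


def hmac_avatar_name(user_id: int, key: bytes = AVATAR_KEY) -> str:
    """Keyed alternative: deterministic for a given user, so the name can be
    recomputed without a database lookup, but without the key nobody can
    recover the id from the name or predict the name belonging to id + 1.
    """
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{tag}.png"


def random_avatar_name() -> str:
    """Unkeyed alternative: 128 random bits stored against the user record.
    Nothing links name and id except the database row, so a key leak cannot
    undo it; the cost is one lookup per request.
    """
    return f"{secrets.token_urlsafe(16)}.png"


def leaked_ids(existing: dict, guesses) -> set:
    """Simulate the attacker: `existing` maps stored file names to user ids
    (standing in for the upload directory), `guesses` is the id range the
    attacker tries. Returns the ids whose avatars the attacker actually hit.
    Against sequential naming that is every user; against either opaque
    scheme it is empty, since the guess would have to land in a 2**128 space.
    """
    hits = set()
    for guess in guesses:
        name = naive_avatar_name(guess)  # attacker's best strategy: enumerate ids
        if name in existing:
            hits.add(existing[name])
    return hits


if __name__ == "__main__":
    users = {1, 2, 3, 57}  # constructed primary keys
    naive_dir = {naive_avatar_name(u): u for u in users}
    opaque_dir = {hmac_avatar_name(u): u for u in users}
    print("naive scheme leaks:", sorted(leaked_ids(naive_dir, range(1, 100))))
    print("hmac scheme leaks: ", sorted(leaked_ids(opaque_dir, range(1, 100))))
```

The HMAC variant trades a key-management burden for a lookup-free design; if the key is ever exposed, every historical name becomes reversible, so the random-name variant is the safer default when a database round trip per image is acceptable.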

Justin James

You mentioned something important, that too many apps ask for way too much information. I have an article coming out this week, about writing password reset screens, that talks about just that. It's true. Too many applications want to know far too much information about me, for no good reason. The worst offenders are actually the "security questions" for password reset. Why should, say, a forum site need as much information about me as it takes to get the password for my bank?!?! If that site ever gets hacked, or is run by unscrupulous people, they have the keys to get into some really secure places, and I'm not fond of that. J.Ja

h8usernames

I was going to mention the security question; the reason I didn't (as you have seen today, Justin) is that my comments and answers sometimes (OK, most of the time) get very long, detailed and complex. For password resets we use information we need to do the reset or information already on the account.

For one app we developed we use an email method that generates a random value, then the user is emailed a link - nothing special until you consider we also generate a session ID for the user and bind their IP address to the unique URL (which is in the format of a sub-domain) to try and create some assurance that it is most likely the same user changing the password who requested it. If one parameter is wrong we kill the process and require a new password reset request; should this fail 3 times the account is locked, the user is emailed, and the account stays this way for 3 hours or until we are contacted. If we get 4 locks in 1 month on an account, the account is then locked until we're contacted by the customer and are satisfied that we're dealing with the correct person.

With this we do have a higher than normal rate of abandoned accounts on our free services, but our customers generally appreciate the added effort, plus we also have a higher than normal upgrade rate to paid services, making it worthwhile as a business. As our business is only now becoming viable, we're currently developing an SMS reset method as well for paid customers to take advantage of.
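The reset flow described in the comment above, worked through as an added example of my own; it is not the commenter's code, which is not on the page. It keeps the stated policy (random link token plus a session ID and the requester's IP bound together; any mismatch kills that request; three failures lock the account for three hours; four locks in a month lock it until a human intervenes). The token lifetime of 30 minutes, the 30-day reading of "month", the `reset.example.test` host, the in-memory stores, the `outbox` list standing in for email and the `FakeClock` are all my assumptions so the whole thing runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy numbers as stated in the comment; TOKEN_LIFETIME and the 30-day
# month are my assumptions.
FAILURES_PER_LOCK = 3
LOCK_DURATION = timedelta(hours=3)
LOCKS_PER_MONTH = 4
MONTH = timedelta(days=30)
TOKEN_LIFETIME = timedelta(minutes=30)


@dataclass
class Account:
    password: str = ""
    failures: int = 0                       # bad completions since the last lock
    lock_until: Optional[datetime] = None   # temporary three-hour lock
    lock_times: List[datetime] = field(default_factory=list)
    hard_locked: bool = False               # stays until support verifies the person


@dataclass
class Pending:
    user: str
    session_id: str
    ip: str
    expires: datetime


class FakeClock:
    """Constructed clock so the lock timers can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = datetime(2011, 7, 1, 12, 0, 0)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


class ResetService:
    def __init__(self, clock=datetime.now) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Pending] = {}    # link token -> bound request
        self.outbox: List[Tuple[str, str]] = []  # (user, message) instead of real email

    def account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def is_locked(self, user: str) -> bool:
        a = self.account(user)
        return a.hard_locked or (a.lock_until is not None and self.clock() < a.lock_until)

    def request_reset(self, user: str, ip: str) -> Optional[Tuple[str, str]]:
        """Step 1: mint a random link token and a session id, bind both to the
        requester's IP, and mail the link. Returns what the browser ends up holding."""
        if self.is_locked(user):
            return None
        token = secrets.token_urlsafe(32)
        session_id = secrets.token_urlsafe(32)
        self.pending[token] = Pending(user, session_id, ip, self.clock() + TOKEN_LIFETIME)
        # The comment puts the token in a sub-domain of the link; host is hypothetical.
        self.outbox.append((user, f"https://{token}.reset.example.test/"))
        return token, session_id

    def complete_reset(self, token: str, session_id: str, ip: str, new_password: str) -> str:
        """Step 2: every bound parameter must match, or the request is killed."""
        req = self.pending.pop(token, None)      # single use, whatever happens next
        if req is None:
            return "no-request"
        if self.is_locked(req.user):
            return "locked"
        ok = (hmac.compare_digest(session_id, req.session_id)
              and ip == req.ip
              and self.clock() <= req.expires)
        if not ok:
            return self._failed(req.user)
        acct = self.account(req.user)
        acct.password = new_password             # a real app stores an argon2/bcrypt hash
        acct.failures = 0
        return "reset"

    def _failed(self, user: str) -> str:
        a = self.account(user)
        a.failures += 1
        if a.failures < FAILURES_PER_LOCK:
            return "retry"                       # caller must start a fresh request
        a.failures = 0
        now = self.clock()
        a.lock_times = [t for t in a.lock_times if now - t < MONTH] + [now]
        if len(a.lock_times) >= LOCKS_PER_MONTH:
            a.hard_locked = True
            self.outbox.append((user, "account locked until you contact us"))
            return "hard-locked"
        a.lock_until = now + LOCK_DURATION
        self.outbox.append((user, "account locked for 3 hours"))
        return "locked"
```

Two practical notes. The token is looked up by dictionary key rather than a constant-time compare; that is fine only because it carries 256 random bits, so an attacker cannot get close enough to a valid one for timing to help. And binding the IP is what produces the abandoned-account rate the commenter mentions: a user who requests the reset on a phone and opens the mail at home fails the IP check and has to start over, which is the deliberate trade the policy makes.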
