Langara Computer Technology Meetup: Simple Principle for Website Security

The Langara Computer Science department has about 6-7 meetups a year on various technology topics. I had intended to attend one earlier, but this is the first one I got to.

The presentation focuses on practical website security principles.

Presenter

  • Lauren Wood

Risk Management

Website security is about risk management.

The level of security discussed today is for relatively simple websites and keeping them safe, not for data breaches at the level of a large corporation.

HTTP & HTTPS

Basic HTTP authentication protects the resources, but because the password is sent in plain text it is easily intercepted and used.

HTTP digest authentication protects the password with a cryptographic hash rather than sending it in plain text, which is fairly impossible to break but very difficult to implement.

Password authentication is weak because it is only one factor and passwords are easily forgotten, but it is easy to implement and suitable for resources that don’t need a lot of protection.

HTTPS (TLS/SSL) uses connection-based security (also called channel or transport security), which is relatively simple but only protects data in transit, not at either end. The certificate provides the digital signature, but the security is only as good as the certificate authority that issued it.

Message-based security encrypts the data itself. It is commonly used for secure email, but is expensive to use.

Common Security Attacks

OWASP does a top-ten list every year. The talk looks at the top three.

SQL injection attacks – add unwanted data to the database. Commonly seen where insecure queries are allowed. Don’t write dynamic queries, and sanitize user input.

Only give users the level of access that they need. WordPress tip: delete the default admin account (user id=1) and create a new user with a different username that has admin access.

XSS attacks – a malicious script masquerades as coming from a trusted source. Commonly seen through misuse of HTML elements, e.g. allowing a JavaScript file to be loaded.

Use multi-layer prevention. WordPress tip: see Basic WordPress Security & Data Validation.

CSRF (cross-site request forgery) attacks – the victim runs a script while logged in to the site.

Prevent it by adding a random token to forms in a hidden field and checking it on submission. WordPress tip: use wp_nonce()
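The hidden-field token the talk recommends, written out as an added example that is not from the presentation and is not WordPress’s nonce code: a per-session random token is minted, embedded in the form, and required on every POST. The in-memory session store and the `/profile` form are assumed stand-ins for whatever your framework provides.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side session store: session id -> CSRF token.
SESSIONS: Dict[str, str] = {}


def csrf_token_for(session_id: str) -> str:
    """Return this session's CSRF token, minting a fresh random one on first use."""
    if session_id not in SESSIONS:
        # 32 bytes from the OS CSPRNG; an attacker's page cannot guess or read it.
        SESSIONS[session_id] = secrets.token_hex(32)
    return SESSIONS[session_id]


def render_form(session_id: str, action: str = "/profile") -> str:
    """Embed the token in a hidden field so a legitimate submission carries it."""
    token = csrf_token_for(session_id)
    return (
        f'<form method="post" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="email" name="email">'
        '<button type="submit">Save</button></form>'
    )


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one bound to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Server-side handler: refuse the state change unless the CSRF check passes."""
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"email updated to {form.get('email', '')}"
```

A forged cross-site POST arrives without the session’s token (or with a guessed one) and gets the 403 path; only a form rendered by the site for that session passes.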

Protecting Yourself

Use prevention plugins (e.g. NoScript) in your main browser, and use a different browser for random surfing.