Security ‘Challenge Questions’ and the social web

Lately I’ve been a little paranoid about posting details about myself on the social web, especially Facebook. In fact I’ve completely gone off it (never been a fan of it from the first). I’m surprised by the amount of personal information people post on the social web.

One of my concerns is related to the ‘Challenge Questions’ provided by major websites such as Gmail and Hotmail for authentication, mostly during account recovery. Take for example the Challenge Questions offered by Gmail:

What is the name of your manager at your first job?
What is the name of your best friend from childhood?
What was the name of your first teacher?

Answers to most of the above questions can be garnered by a little digging around your social stream, making it easier for a malicious person to hack your account. Aggregators such as IdentEngine, a JavaScript library, can make it even easier to locate your profiles around the social web. In short, the social web “leaks” security information.

How to Fix PHP Vulnerabilities (So Your Site Won’t Get Hacked)

As a programming language, PHP has many advantages but security has always been a major issue. Partially these security problems are inherent to the language itself because PHP was meant to be an easy and powerful programming language, while security came second. However, when you add bad coding and non-adherence to even the basic security rules, the situation gets out of control.

Fortunately, it is possible to fix PHP vulnerabilities and make PHP applications more secure. Some of the defenses are common for all programming languages, while others are found only in PHP. Here are some of the best defenses you have when you want to fix PHP vulnerabilities and make your site more secure.

Scanning web pages for malicious scripts

With the recent surge of malicious JavaScript injections on the web, it has become necessary to regularly check for malicious code injections on your web sites. I created a small PHP script that checks a list of URLs for malicious JavaScript code. This can come in handy if you have many client websites under your control.

The PHP script reads two text files – ‘malicious.txt’ and ‘urls.txt’: the first containing a list of web pages to be scanned and the other containing malicious script signatures. The script scans the URLs for malicious scripts and, if any infections are found, saves the result in the ‘infected.txt’ file. The script needs to be run from the command line, as you can easily see the progress of the scan if you are scanning a large number of URLs.

Top 25 Most Dangerous Programming Errors

Security has always been an issue in software development, mainly due to ignorance, laziness and a nonchalant attitude of programmers (I’m one of the guilty ones). ‘Security’ is the one section in a project scope that gets consistently ignored by not only the developers but also management. In defense of myself and other programmers I would have to say that writing secure software is hard work, and with all the pressure from management and clients to get the software delivered, it’s no wonder that programmers turn a blind eye towards security. But that is surely not an excuse to deliver a product full of security vulnerabilities.

6 Simple principles of secure website design

Simple design usually underlies a successful security mechanism on a web site. Make it more complex than required and the user suffers from a barrage of logins and redirections. Make it too simple and you risk your site being compromised.
The following 6 principles draw on ideas of simplicity and restriction. In the following list the word ‘subject’ can mean a program or a user, and the word ‘object’ can mean a program, file or URL.

1. Principle of least privilege:
A subject should be given only those privileges that it needs in order to complete its task. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.

2. Fail-safe defaults:
Unless a subject is given explicit access to an object, it should be denied access to that object. Design your site so that when it fails, it fails in a secure manner. For example, when an ATM fails, it should shut down, and not spew money out of its slot.

For example, take the following code in PHP:

$access = IsAccessAllowed($user);
if ($access == ERROR_ACCESS_DENIED)
{
    // Security check failed.
    // Inform user that access is denied.
}
else
{
    // Security check OK.
    // Any result other than ERROR_ACCESS_DENIED lands here.
}

The code looks fine, but what if the IsAccessAllowed function fails? The default execution path in the above code is to grant access to the user. A better version is shown below. Here the default access is set to ‘DENIED’. Only after IsAccessAllowed is successfully executed and it returns a ‘NO_ERROR’ message is the user allowed access. If for any reason the IsAccessAllowed function fails, the default action is to deny access.

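// Start from the safe default: access denied.
$access = ERROR_ACCESS_DENIED;
$access = IsAccessAllowed($user);
// Strict comparison: only an exact NO_ERROR grants access.
if ($access === NO_ERROR)
{
    // Security check OK.
    // Perform task.
}
else
{
    // Security check failed.
    // Inform user that access is denied.
}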
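The failure case described above, as an added example that is not code from the original post: it runs both patterns against a check that fails without returning a status code. The constant values, the $backendUp parameter and the sample user list are assumptions made for illustration.

```php
<?php
// Constructed values: the post names these constants but does not define them.
const NO_ERROR = 0;
const ERROR_ACCESS_DENIED = 5;

// Hypothetical check. $backendUp = false simulates the failure the text
// describes: the function cannot reach its permission store and returns
// null instead of one of the two status codes.
function IsAccessAllowed(string $user, bool $backendUp = true): ?int
{
    if (!$backendUp) {
        return null;
    }
    $allowed = ['alice'];   // constructed sample data
    return in_array($user, $allowed, true) ? NO_ERROR : ERROR_ACCESS_DENIED;
}

// Fail-open: anything that is not the explicit denial code counts as success.
function failOpen(string $user, bool $backendUp): bool
{
    $access = IsAccessAllowed($user, $backendUp);
    return !($access == ERROR_ACCESS_DENIED);
}

// Fail-safe: start denied, grant only on an exact NO_ERROR, and treat an
// exception thrown by the check as a denial too.
function failSafe(string $user, bool $backendUp): bool
{
    $granted = false;
    try {
        // Strict comparison matters: null == 0 is true in PHP, so a loose
        // check against NO_ERROR would grant access on a failed lookup.
        $granted = (IsAccessAllowed($user, $backendUp) === NO_ERROR);
    } catch (Throwable $e) {
        $granted = false;
    }
    return $granted;
}

// Constructed cases: allowed user, denied user, denied user during a failure.
foreach ([['alice', true], ['mallory', true], ['mallory', false]] as [$user, $up]) {
    printf("%-8s backend=%-4s fail-open=%-5s fail-safe=%s\n",
        $user, $up ? 'up' : 'down',
        var_export(failOpen($user, $up), true),
        var_export(failSafe($user, $up), true));
}
```

Run it from the command line with the PHP CLI; the third row is the one to watch, since the two patterns disagree only when the check itself fails.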

3. Economy of mechanism:
Security mechanisms should be as simple as possible. Security is like a chain; the weakest link breaks it. Simplicity means fewer links and fewer points of vulnerability.

4. Complete mediation:
All accesses to objects should be checked to ensure that they are allowed. Every access to every object must be checked for authority.

5. Open design:
Security of a mechanism should not depend on the secrecy of its design or implementation.

6. Psychological acceptability:
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. The security mechanism should be designed with the user in mind. For example, if a user on your website has to set a dozen permissions on his profile page or payment preferences, he will surely give it a miss, thus opening a security hole hackers can exploit.

The details of security mechanism implementation can vary for various web languages like PHP or .NET, but keeping the above principles in mind can go a long way in securing your website.

For more detailed and excellent information you can visit here.