Tip #2 Web development tips and tricks

Tip #2 in this series touches on the topic of security.  With the latest Heartbleed vulnerability within OpenSSL hitting the headlines, security is currently at the forefront.  I think it is fair to say that security is not a priority for most web developers: for some it is not even on the radar.  The problem is that it is way, way too easy to roll out a site for a new project, get paid and move on. But what happens to the site a week, a month or a year down the line?  The worst-case scenario is that the site gets hacked.  Why? Because it is not being kept up to date with the latest security patches and your web developer has moved on.

The simple solution is to keep your platform up to date.  Whether it is Magento, Symfony, WordPress or Joomla, it needs to be kept current.  If you were offered a way to improve the security of your house, would you take it?  Of course you would.  The same should apply to your website.  Security vulnerabilities are discovered all the time. We should give the framework vendors credit here: they issue security patches with a high level of speed and efficiency.  The problem you face is getting that security patch installed on your website.  I’d suggest striking a deal with your web designer/agency so they are responsible for this.  Of course they would expect some recompense for it, but it shouldn’t be a lot.  Any web designer/agency who will not agree to this is obviously not a good choice to begin with.  Security first!


Security: the Good, the Bad and the Ugly

In the physical world everyone applies basic security principles, such as closing and locking doors when leaving their home.  We are, for the most part, security conscious, and the majority of us wouldn’t knock on the door of a con man and start a conversation.  It’s also true that we have a good understanding of what makes our world safe, such as fitting a car alarm or carrying a personal safety alarm.  In the digital world we seem to lose these basic instincts and brazenly click link after link, trusting that we’ll end up in a safe place.  Unfortunately, many innocent-looking websites are acting for the forces of evil, and it is not always obvious that this is the case.

Should you fear QR Codes?

[Image: a QR Code. Caption: Would you scan it?]

Quick Response (QR) Codes allow you to scan a square image, which resembles a bar code, to open web pages on a compatible device.  This means retailers can direct you to their websites without you having to type a long URL.  Including QR codes on advertisements within magazines is now pretty standard.

Tips for securing SSH

SSH is the preferred method for providing remote shell services such as command execution.   Designed as a replacement for the old-school, insecure Telnet protocol, SSH provides an encrypted, secure connection between client and server.  Although it is far more secure than its forefather, there are some extra steps you can take to harden the out-of-the-box settings and increase the level of security.

The following assumes a fresh installation of CentOS 6.  By default the SSH service is not enabled.  To enable it, start the service by running the following command as the root user within a terminal:

service sshd start

To configure the system to start the SSH service at start-up you can run the following:

chkconfig sshd on

The service will now accept connections from clients. The configuration of the service is controlled by the contents of a configuration file called ‘sshd_config’ located within the folder ‘/etc/ssh/’. Open this file using the editor of your choice.
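Before editing sshd_config it helps to know what the file currently says, including directives that are commented out and therefore fall back to sshd’s compiled-in default. The following shell script is an added example, not part of the original post: it reads an sshd_config the way sshd does (first occurrence wins, keywords are case-insensitive, comment lines are ignored) and reports a few well-known directives against expected values. The directive names are real sshd_config keywords; the expected values and defaults are this example’s assumptions, and the sample file is constructed.

```shell
# Added example, not from the original post: audit an sshd_config for a few
# well-known hardening directives. The keywords are real sshd_config directives;
# the expected values and defaults are this example's assumptions.

# Print the effective value of a keyword, or nothing if it is not set. Like
# sshd, use the first occurrence, match case-insensitively, skip comment lines.
sshd_get() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one directive with its expected value; falls back to the compiled-in
# default when the keyword is absent. Returns 0 on PASS, 1 on FAIL.
sshd_check() {  # $1 = file, $2 = keyword, $3 = expected, $4 = default if unset
    val=$(sshd_get "$1" "$2")
    [ -z "$val" ] && val="$4"
    if [ "$val" = "$3" ]; then
        echo "PASS $2=$val"; return 0
    fi
    echo "FAIL $2=$val (want $3)"; return 1
}

# Run all checks and return the number of failures.
sshd_audit() {  # $1 = config file
    fails=0
    sshd_check "$1" Protocol 2 "2,1" || fails=$((fails + 1))
    sshd_check "$1" PermitRootLogin no yes || fails=$((fails + 1))
    sshd_check "$1" PasswordAuthentication no yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample resembling a fresh config: root login left commented out
# (so the default applies) and a later duplicate line that sshd will ignore.
write_sample_cfg() {  # $1 = destination path
    cat > "$1" <<'EOF'
# sshd_config sample (constructed for this example)
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
sshd_audit "$cfg" || echo "$? check(s) failed"
rm -f "$cfg"
```

Point `sshd_audit` at the real file once you have a root shell; the two FAIL lines the sample produces are exactly the kind of gap the hardening steps in the post go on to close.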

Software Security: Education’s missing module


I’m shortly due to reach my fifteenth year as a programmer within the software industry. During this time I have witnessed a significant increase in the number of viruses, malicious software and security holes found within any given piece of software. To protect us, software vendors issue security patches within software updates on a regular basis and hope we all apply them to avoid the pitfalls. This ship-first, fix-later approach has always seemed odd to me. It’s akin to locking the door of your house after the burglar has already visited, in the hope that all of your neighbours will follow suit and remember to lock their houses too!

The computer security industry can be split into three camps: the White hats, Grey hats and Black hats. The White hats are our guardian angels, who spend their time finding and fixing security problems. Their opposite is the ‘evil’ Black hats, who attempt to expose and maliciously exploit security vulnerabilities with the goal of taking our data or controlling our computers without our consent. In between these two are the Grey hats, who like to prove they can hack, but without any real malicious intent. The individuals within each camp range from IT professionals to passionate teenagers seeking a thrill. Although quite different, they share a common tool-set. All of these tools are easy to access and complemented by a huge collection of tutorials. They range from standalone utilities such as the port scanner ‘nmap’ to entire operating systems built for the sole purpose of security scanning/hacking, such as ‘Back Track 5’. Another similarity is that these individuals share a common target. Your software!

Flaws in software more often than not reveal security vulnerabilities. These vulnerabilities can lead to leaked data, or even the bad guys having control of your computer.   This leads me on to the main point and a question: do software programmers/developers consider security when applying their craft? In my experience the answer is ‘No!’. The fault does not lie solely with the programmer.  I see no evidence from the schools, colleges and universities that the subject is covered sufficiently by the relevant courses.  Take, for example, a web development course: are the students being taught about SQL injection, or the importance of software updates? More often than not I see web developers creating beautiful sites in Joomla or WordPress, or any other CMS, and at the end the site simply gets hosted and left for the client to manage. I ask the question: who’s going to update the core CMS, or the plugins used, after a security vulnerability has been found? Not the web developer, as they have been paid and moved on! This is a typical example of how the industry is disjointed. And I’m not picking on web developers: further examples could easily be given involving Java/C/Ruby developers, or companies that deliver bespoke systems.

The problem is both an educational one in the academic sense and a matter of re-educating users and clients so that they appreciate and demand security guarantees. Imagine you are faced with these two quotes. The first says, “I can provide you with a website for $400”. The other says, “I can provide you with a website for $400, plus $50 per year to monitor and maintain security patches”. Which option would you pick? I fear that at the minute most would choose the first option; hence the need for re-education, re-education, re-education.

So how would one go about fixing this? I’d love to see security knowledge being taught alongside every web development and software development course. I’d also like to see a web development/programming governing body, ensuring our work is up to scratch. This governing body would be akin to the building trade’s regulators, ensuring and enforcing that we deliver consistent, quality products to our customers. Alongside this we should expect our work to be appreciated as a craft, and educate future clients that our products need maintenance, which will incur maintenance costs.