Langara Computer Technology Meetup: Simple Principle for Website Security

The Langara Computer Science department has about 6-7 meetups a year on various technology topics. I had intended to attend one earlier, but this is the first one I got to.

The presentation is to focus on practical website security principles.

Presenter

  • Lauren Wood

Risk Management

Website security about risk management.

The level of security talking about today is for relatively simple websites, keeping them safe, not about data breaches at the level of a large corporation.

HTTP & HTTPS

Basic HTTP authentication protects the resources but because the password is sent in plain text, then it is easily intercepted and used.

HTTP digest authentication encrypts the password using cryptographic hash, which is fairly impossible to break, but very difficult to implement.

Password authentication is weak, because it’s only one factor, easily forgotten, but easily implemented and suitable for resources that don’t need a lot of protection.

HTTPS/TSL/SSL  uses connection-based (aka channel, transport), which is relatively simple, but only works in transit (not at either end). The certificate provides the digital signature, but security only as good as the certification authority.

Message-based security is where you encrypt the data itself. Commonly used for secure emails, but expensive to use.

Common Security Attacks

OWASP does a top ten list every year. Will look at the top 3.

SQL Injection Attacks – adds unwanted data to the database. Commonly seen allowing insecure queries. Don’t write dynamic queries and sanitize user input.

Only provide users with the level of access that they need. WordPress Tip: delete the default admin account id=1, and create a new user with different username that has admin access.

XSS Attacks – malicious scripts masks as trusted source. Commonly seen in misuse of HTML element e.g. allowing JavaScript file being loaded.

Use multi-layer prevention. WordPress Tip: Basic WordPress Security & Data Validation

CSRF (Cross-site request forgery) Attacks – victim runs a script while logged in.

Prevent by adding random token to forms in a hidden field. WordPress Tip: use wp_nonce()

Protecting Yourself

Use prevention plugins (e.g. NoScript) on your main browser, and use a different browser for random surfing.

Leave a Comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s