Secure Code Warrior - Secure by default | PPTX
Secure by Default
Application Security Fundamentals
by Secure Code Warrior Limited, licensed under CC BY-ND 4.0
What's the concept about?
Default settings are often left in a permissive state, which reduces the security of users, applications, and services. Secure by default is the opposite: the configuration a product ships with is its safest one, and relaxing it is a deliberate, explicit choice.

What could happen?
An insecure default configuration leaves the system in a more vulnerable state and increases the attack surface available to attackers. Every deployment that keeps the defaults, which is most of them, inherits that weakness.

How to implement it?
Design your application with security in mind from the start. Set every security setting to its safest value by default.
Secure by Default
Understanding the concept

An application ships with a strong password policy out of the box: users are required to use long and complex passwords. The administrator doesn't need to worry about implementing a password policy, since it's already secure by default.

An attacker attempts to find passwords using password lists and brute-force attacks. Because the passwords are long and complex, the attacker would need far too long to find one; the attack is practically infeasible.

Secure configuration: strong password policy (figure)

Attacker's list (passwords.txt): 123456, password, dragon, ...

Stored accounts:
  User   Password
  John   SFR5-JUHG6_fd123!
  admin  HYF87!(2O9jh!9
  Bart   MyF@vPa$sw00rD!

Web application login form: user "John", password *********, Login.

Web application settings (password policy):
  Min. length               10
  Min. numbers               1
  Min. special characters    1
  Min. lowercase             1
  Min. uppercase             1
Secure by Default
What could happen with the concept?

To make it more user-friendly, an application uses a weak password policy out of the box: simple passwords are allowed. An overworked administrator forgets to implement a secure password policy, and users create accounts with weak passwords.

An attacker who is able to retrieve a victim's username launches a password-list attack on that account. Because the passwords are so simple, the attacker guesses the victim's password very easily.

Insecure configuration: weak password policy (figure)

Attacker's list (passwords.txt): 123456, password, dragon, ...

Stored accounts:
  User   Password
  John   dragon
  admin  p4ssword
  Bart   IAmTheBest

Web application login form: user "John", password *********, Login.

Web application settings (password policy):
  Min. length                8
  Min. numbers               0
  Min. special characters    0
  Min. lowercase             1
  Min. uppercase             1
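The following is an added example, not code from the Secure Code Warrior deck, showing what "secure by default" means in code for the two password-policy slides above: the policy object's constructor defaults are the strong settings, so an administrator who never touches it gets the strong policy, and the permissive policy has to be spelled out explicitly. The numeric values, the blocklist (a three-entry stand-in for the attacker's passwords.txt), the account names and the weak-policy settings are assumptions; the weak policy here is looser than the slide's weak panel so that the slide's sample passwords pass it. The blocklist check is something the slides do not show: it is what rejects "dragon" even under a policy that only counts character classes.

```python
"""Password policy whose constructor defaults are the strict settings, so a
deployment that never configures it gets the strong policy from the slide.
Added example, not Secure Code Warrior's code; values, blocklist and
sample accounts are constructed for the demonstration."""
from dataclasses import dataclass
import string

# Constructed stand-in for the attacker's passwords.txt (a real deployment
# would use a large breached-password list; only the slide's three entries).
COMMON_PASSWORDS = frozenset({"123456", "password", "dragon"})

SPECIALS = frozenset(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults are the safest settings; an administrator has to opt *down*.
    min_length: int = 10
    min_numbers: int = 1
    min_special: int = 1
    min_lowercase: int = 1
    min_uppercase: int = 1
    blocklist: frozenset = COMMON_PASSWORDS

    def violations(self, password: str) -> list:
        """Return every rule the password breaks; an empty list means accepted."""
        counts = {
            "numbers": sum(c.isdigit() for c in password),
            "special": sum(c in SPECIALS for c in password),
            "lowercase": sum(c.islower() for c in password),
            "uppercase": sum(c.isupper() for c in password),
        }
        minimums = {
            "numbers": self.min_numbers,
            "special": self.min_special,
            "lowercase": self.min_lowercase,
            "uppercase": self.min_uppercase,
        }
        problems = []
        if len(password) < self.min_length:
            problems.append(f"length {len(password)} < {self.min_length}")
        for name, minimum in minimums.items():
            if counts[name] < minimum:
                problems.append(f"{name} {counts[name]} < {minimum}")
        # Character-class rules alone do not catch dictionary words, so the
        # blocklist is checked regardless of the numeric minimums.
        if password.lower() in self.blocklist:
            problems.append("in common-password list")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


# Hypothetical "user-friendly" policy. It is looser than the slide's weak
# panel so that the slide's sample passwords (dragon, p4ssword, IAmTheBest)
# pass it; note that it must be constructed explicitly to get this weak.
WEAK_POLICY = PasswordPolicy(min_length=1, min_numbers=0, min_special=0,
                             min_lowercase=0, min_uppercase=0,
                             blocklist=frozenset())


def audit(accounts: dict, policy: PasswordPolicy = PasswordPolicy()) -> dict:
    """Map each user to the violations of their password under `policy`."""
    return {user: policy.violations(pw) for user, pw in accounts.items()}


def list_attack(accounts: dict, wordlist) -> dict:
    """The slide's attacker: try every word from the list against every
    account and return the accounts that fall. Plaintext comparison models
    the guessing itself, not a real login."""
    return {user: pw for user, pw in accounts.items() if pw in wordlist}


if __name__ == "__main__":
    weak_accounts = {"John": "dragon", "admin": "p4ssword", "Bart": "IAmTheBest"}
    print(audit(weak_accounts))                          # every user has violations
    print(audit(weak_accounts, WEAK_POLICY))             # all accepted
    print(list_attack(weak_accounts, COMMON_PASSWORDS))  # {'John': 'dragon'}
```

Because the strict values live in the constructor defaults, the difference between the two slides is a single line: the strong deployment is `PasswordPolicy()`, the weak one only exists if someone writes out `WEAK_POLICY`. That is the property to look for when reviewing configuration code.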
Secure by Default
Understanding the concept

An application that has been built with security in mind from the start handles user input with multiple controls. First, client-side validation is used; it improves usability but gives no security on its own, because the attacker controls the browser. At the server side, input is filtered using framework validation functions. Queries are constructed as parametrized queries, so the validated value is bound as data and never parsed as SQL. The DB connection user runs with only the permissions strictly needed to perform its operations.

Secure by design: defense in depth

Client side (browser):
    <form ... onsubmit="return validateForm()">
    ...
    </form>
    Search: customer

Server side (pseudocode from the slide):
    validatedCustname := ESAPI.validateForDB(custname)    // server-side framework validation
    connection := connect_db(readonly_user)               // least privilege: read-only DB account
    query := "SELECT balance FROM data WHERE name = ?"    // placeholder instead of concatenation
    pstmt := connection.prepareStatement(query)
    pstmt.setParameter(1, validatedCustname)              // bound as data, never parsed as SQL
    results := pstmt.executeQuery()
Secure by Default
What could happen with the concept?

An attacker targets an application without a well-thought-out security design. The attacker easily bypasses the weak client-side validation. At the server side, input is filtered using broken home-made validation functions, which the attacker also bypasses. Queries are built by appending the input to the query string. The DB connection user runs with read-write permissions, so the attacker deletes tables, making the application unusable. Each layer fails on its own and nothing behind it compensates; the over-privileged database account is what turns a bypassed filter into data loss.

Insecure design: no or broken input controls

Client side (browser):
    <form ... onsubmit="return validateForm()">
    ...
    </form>
    Search: customer'; drop table X;

Server side (pseudocode from the slide):
    validatedCustname := myBrokenValidate(custname)       // home-made filter, bypassed
    connection := connect_db(readwrite_user)              // over-privileged DB account
    query := "SELECT balance FROM data WHERE name = '" + validatedCustname   // string concatenation
    results := connection.executeQuery(query)

With the input above, the statement that reaches the database is, in effect:
    SELECT balance FROM data WHERE name = 'customer'; DROP TABLE X;
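Added example, not code from the deck, that puts the two slides above into runnable form: the secure lookup (allow-list validation, parametrized query, read-only database connection) beside the concatenating lookup, plus a check of whether the slide's DROP TABLE payload takes effect when only the database-privilege layer is left standing. SQLite is used so it runs offline; a read-only connection (`mode=ro`) stands in for `readonly_user`, the table rows, the name pattern and the table name in the payload are constructed for the demo, and `executescript` plays the part of a driver that accepts stacked statements.

```python
"""Defense in depth for the slide's balance lookup (added example, not the
deck's code). SQLite is used so this runs offline: a read-only connection
(mode=ro) plays the slide's readonly_user; rows, name pattern and payload
are constructed for the demonstration."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample rows for the slide's "data" table.
SAMPLE_ROWS = [("John", 100), ("admin", 9999), ("Bart", 5)]

# Hypothetical allow-list for customer names. Quotes and ';' can never
# match, so "customer'; DROP TABLE X;" is rejected before any SQL is built.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 .-]{0,63}")


def create_database() -> str:
    """Create a throwaway SQLite file holding the sample table; return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE data (name TEXT NOT NULL, balance INTEGER NOT NULL)")
    con.executemany("INSERT INTO data VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return path


def connect_db(path: str, readonly: bool = True) -> sqlite3.Connection:
    """Least privilege: with mode=ro every write fails inside the database,
    whatever the application layer lets through."""
    if readonly:
        return sqlite3.connect(f"{Path(path).as_uri()}?mode=ro", uri=True)
    return sqlite3.connect(path)


def validate_custname(custname: str) -> str:
    """Server-side validation (the slide's ESAPI.validateForDB step)."""
    if not NAME_RE.fullmatch(custname):
        raise ValueError(f"invalid customer name: {custname!r}")
    return custname


def rejected_by_validation(custname: str) -> bool:
    """True when the allow-list refuses the input."""
    try:
        validate_custname(custname)
    except ValueError:
        return True
    return False


def lookup_balance_secure(con: sqlite3.Connection, custname: str) -> list:
    """Parametrized query: the value is bound as data, never parsed as SQL."""
    validated = validate_custname(custname)
    cur = con.execute("SELECT balance FROM data WHERE name = ?", (validated,))
    return [row[0] for row in cur.fetchall()]


def lookup_balance_vulnerable(con: sqlite3.Connection, custname: str) -> list:
    """The 'before' code: input appended to the query text, no validation."""
    cur = con.execute("SELECT balance FROM data WHERE name = '" + custname + "'")
    return [row[0] for row in cur.fetchall()]


def query_balance(custname: str, secure: bool) -> list:
    """Run one lookup against a fresh database over a read-only connection."""
    path = create_database()
    con = connect_db(path, readonly=True)
    try:
        lookup = lookup_balance_secure if secure else lookup_balance_vulnerable
        return lookup(con, custname)
    finally:
        con.close()
        os.unlink(path)


def table_survives_stacked_injection(readonly: bool) -> bool:
    """Push the slide's payload through the concatenating code on a connection
    with the given privilege and report whether the table still exists.
    executescript accepts stacked statements, as many server-side drivers
    do; that is what turns a balance lookup into DROP TABLE."""
    path = create_database()
    payload = "customer'; DROP TABLE data; --"
    con = connect_db(path, readonly=readonly)
    try:
        con.executescript("SELECT balance FROM data WHERE name = '" + payload + "'")
    except sqlite3.OperationalError:
        pass  # read-only connection: "attempt to write a readonly database"
    finally:
        con.close()
    check = sqlite3.connect(path)
    try:
        row = check.execute("SELECT count(*) FROM sqlite_master "
                            "WHERE type = 'table' AND name = 'data'").fetchone()
        return row[0] == 1
    finally:
        check.close()
        os.unlink(path)


if __name__ == "__main__":
    print(query_balance("' OR '1'='1", secure=False))        # [100, 9999, 5]
    print(rejected_by_validation("customer'; DROP TABLE X;"))  # True
    print(table_survives_stacked_injection(readonly=False))    # False
```

Two things to take from running it. The concatenating lookup leaks every balance for the input `' OR '1'='1`, while the secure lookup refuses that input before a query exists and, had it got through, would have bound it as a literal name. And the stacked DROP TABLE fails on the read-only connection with "attempt to write a readonly database" even though the application layer let it through, whereas on the read-write connection the table is gone: the least-privilege layer earns its keep exactly when the layers above it have already failed.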
Secure by Default
Typical controls

Design the application securely from the start: integrate security into the development lifecycle.
Apply the concept of least privilege: components run with the fewest permissions they need.
Apply the concept of defense in depth: implement layered defense mechanisms.
Enable safe security settings by default, for both the application and the infrastructure it runs on.
Disable any unused services or functionality.
