Jobert Abma: The Ten Commandments of Security

published May 20, 2011

Summary of talk at the PyGrunn conference.

Jobert Abma, ethical hacker at Online24, talks about the ten commandments of security, at the PyGrunn conference in Groningen, The Netherlands. Organized by Paylogic and Goldmund Wyldebeast & Wunderliebe.

I will discuss ten things you need to think of to get a secure application.

1. Your application is not the only attack vector. There can be weak passwords in other parts of the stack or server. Social engineering can become an issue.

2. Conduct risk assessments to identify risks, then start controlling them. You can score each risk on Confidentiality, Integrity and Availability.

3. Only trust your own code. And double check. The platform you are developing on can have security problems.

4. 'Security by design' solves major issues. Application logic is an important part. Centralize validation.

5. Always be aware of technical issues, like CSRF, XSS.

6. Time (mis)management. You don't always get time from your manager to solve security issues, even when you are aware of them.

7. Keep track of design documents and documentation. Is the design secure? Does it still match the current functionality?

8. Process design is one of the most important parts of securing an application. If a web shop's checkout process is designed so poorly that 10,000 euros a day end up in someone else's bank account, that is a problem.

9. Security can clash with usability. 'This email is not in our database' is potentially interesting knowledge for an attacker, because it tells them which addresses have accounts.
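The message leak from item 9, as an added example that is not part of the talk: a Python login handler whose error text reveals whether an address has an account, beside a version that answers every failure identically and does the same amount of work either way. The user store, password and email addresses are constructed.

```python
"""Added example (not from the talk): the usability/security clash in item 9."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored form of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown email still costs one hash computation.
# A random 32-byte "hash" can never match a real PBKDF2 output.
_DUMMY = (os.urandom(16), os.urandom(32))

GENERIC = "Invalid email or password."


def login_leaky(email: str, password: str) -> str:
    """Friendly to users, friendlier to attackers: the two failure
    messages tell the caller whether the email exists."""
    if email not in USERS:
        return "This email is not in our database."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password."
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Same message, and roughly the same work, for every failure, so the
    response reveals nothing about whether the account exists."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if ok and email in USERS else GENERIC


def leaks_existence(handler) -> bool:
    """Quick check for a handler: do failures for an unknown address and a
    known address (with a wrong password) produce different responses?"""
    return handler("nobody@example.com", "x") != handler("alice@example.com", "x")
```

Timing still differs slightly between the two paths (the dictionary lookup), but the expensive step, the password hash, is performed in both.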

10. Information is power. Encrypt on the server side and on the transport layer. If your database gets hacked, does that give the attacker information he can use, like passwords and credit card numbers?

One more thing: handle input as being dangerous. It will save your ass more than once.

Summary: Security is not just a bunch of tricks. It is a process.