
Beginner Information Security Tips (Page 1)

Fundamental security concepts everyone should know

Alan, 8/24/2018

Here are some basic concepts for security:

  • Document features.
  • Never trust user input.
  • Web application firewalls are good, but don't just use them as a band-aid on top of bad code.
  • Disable debug features in production.
  • Perform pen testing.
  • Use proper exception handling and logging.
  • Don't just save logs. Review them. Manual review is pretty much impossible, but use something that analyzes logs to look for suspicious events and behavior.
  • Make sure file octal permissions are correct.
  • Install software updates on internet-facing systems. Old software will have known vulnerabilities.
  • Perform proper monitoring (to catch things like reverse shells or exfiltration).
  • Never reuse passwords.
  • Don't write overly-permissive regular expressions.
  • Consider using kernel security modules.
  • Always remember the principle of least privilege.
  • Choose tools that make it easy to write secure code. For example, Rust makes memory safety easier than C++.
  • Make sure you have proper memory management, otherwise you can encounter overflows or double free issues. Memory security features like ASLR are also good.
  • If you're using software you didn't make (example: a web server or database), make sure you read about securing it properly first.
  • If you don't know how to secure a feature you're planning on exposing to the internet, don't do it.
  • Be aware of APTs, 0-days, and complicated exploits, but make sure you don't miss low-hanging fruit.
  • What you want your code to do and what it actually does are two different things.
  • Remember that security is an ongoing process and never absolute.
  • Try to keep things simple. Complexity is the enemy of security.
  • Perform proper unit, integration, and regression testing.
  • Don't hardcode credentials.
  • Never store passwords in plaintext.
  • Don't assume things will go as planned.
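Two of the tips above made concrete, as an added example that is not part of the original post (function names, the username rules and the sample inputs are my own): an unanchored regex that accepts untrusted input because it merely contains a valid token, beside the anchored version, and password storage as a salted scrypt hash instead of plaintext.

```python
# Added example, not from the original post.
# 1. Overly-permissive regex / untrusted input: re.search accepts any string
#    that *contains* a username-looking substring; re.fullmatch requires the
#    whole input to be valid.
# 2. Plaintext passwords: store a salted scrypt hash and compare in constant time.
import hashlib
import hmac
import os
import re
from typing import Optional

LOOSE_USERNAME = re.compile(r"[a-z0-9_]+")        # overly permissive: no anchors
STRICT_USERNAME = re.compile(r"[a-z0-9_]{3,16}")  # used with fullmatch() below


def loose_is_valid_username(value: str) -> bool:
    """The buggy form: true if ANY substring looks like a username."""
    return LOOSE_USERNAME.search(value) is not None


def strict_is_valid_username(value: str) -> bool:
    """The corrected form: the entire input must be a 3-16 char username."""
    return STRICT_USERNAME.fullmatch(value) is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'hex(salt)$hex(scrypt digest)' for storage; never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$", 1)
    expected = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, stored)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, two that only *contain* a token.
    for sample in ["alice_01", "../../etc/passwd", "bob'; DROP TABLE users;--"]:
        print(f"{sample!r:30} loose={loose_is_valid_username(sample)!s:5} "
              f"strict={strict_is_valid_username(sample)}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record[:24] + "...")
    print("verify good:", verify_password("correct horse battery staple", record))
    print("verify bad: ", verify_password("Tr0ub4dor&3", record))
```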