Beginner Information Security Tips (Page 1)
Fundamental security concepts everyone should know
Here are some basic concepts for security:
- Document your software's features.
- Never trust user input.
- Web application firewalls are good, but don't just use them as a bandaid on top of bad code.
- Disable debug features in production.
- Perform pen testing.
- Use proper exception handling and logging.
- Don't just save logs; review them. Manual review of everything is pretty much impossible, so use something that analyzes the logs for suspicious events and behavior.
- Make sure file permissions (the octal mode bits) are correct.
- Install software updates on internet-facing systems. Old software will have known vulnerabilities.
- Perform proper monitoring (to catch things like reverse shells or exfiltration).
- Never reuse passwords.
- Don't write overly permissive regular expressions.
- Consider using kernel security modules.
- Always remember the principle of least privilege.
- Choose tools that make it easy to write secure code. For example, Rust makes memory safety easier than C++.
- Make sure you have proper memory management; otherwise you can run into overflows or double-free bugs. Memory security features like ASLR are also good.
- If you're using software you didn't make (example: a web server or database), make sure you read about securing it properly first.
- If you don't know how to secure a feature you're planning on exposing to the internet, don't do it.
- Be aware of APTs, 0-days, and complicated exploits, but make sure you don't miss low-hanging fruit.
- What you want your code to do and what it actually does are two different things.
- Remember that security is an ongoing process and never absolute.
- Try to keep things simple. Complexity is the enemy of security.
- Perform proper unit, integration, and regression testing.
- Don't hardcode credentials.
- Never store passwords in plaintext.
- Don't assume things will go as planned.
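The log-review and monitoring tips above are the kind of thing a small script can start on. As an added example (not part of the original list), here is a minimal analyzer that reads sshd-style authentication lines and flags two patterns: a source address with many failed logins, and a successful login from an address that had just been failing. The log lines, threshold values and finding names are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style sample lines; not taken from any real system.
SAMPLE_LOG = """\
Jan 10 08:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 10 08:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jan 10 08:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 50130 ssh2
Jan 10 08:01:12 host sshd[1207]: Failed password for root from 203.0.113.5 port 50133 ssh2
Jan 10 08:01:15 host sshd[1209]: Failed password for root from 203.0.113.5 port 50140 ssh2
Jan 10 08:01:40 host sshd[1211]: Accepted password for root from 203.0.113.5 port 50151 ssh2
Jan 10 08:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 08:05:30 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Anchored on the sshd prefix so unrelated lines are skipped, not misparsed.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)

def analyze_auth_log(text, threshold=5, min_failures_before_success=3):
    """Map each suspicious source IP to a list of findings.

    'brute_force'                 : at least `threshold` failed logins
    'success_after_failures:<user>': an accepted login after at least
                                    `min_failures_before_success` failures
    Both knobs are assumptions for this example; tune them to your traffic.
    """
    failures = defaultdict(int)
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd auth line
        ip, outcome = m["ip"], m["outcome"]
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:  # report once, on crossing
                findings[ip].append("brute_force")
        elif failures[ip] >= min_failures_before_success:
            findings[ip].append(f"success_after_failures:{m['user']}")
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in analyze_auth_log(SAMPLE_LOG).items():
        print(ip, hits)
```

With the defaults, 203.0.113.5 is reported for both patterns while alice's single typo from 198.51.100.7 is ignored; lowering `min_failures_before_success` to 1 would flag her too, which is the kind of threshold tuning log review always involves.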