
Beginner Information Security Tips (Page 3)

Fundamental security concepts everyone should know

Alan, 8/24/2018

Here are some basic concepts for security:

  • Use firewalls.
  • Use encryption whenever you can. Encryption is important for both data in motion and data at rest.
  • Remember that anti-malware software is not a fully-featured endpoint security solution.
  • Don't trust public wifi.
  • Use VPNs on public networks, but even then, realize VPNs can be compromised.
  • Open source can theoretically increase security by allowing people who use your software to submit pull requests, bug reports, and more. However, be cautious of code that is submitted to your project.
  • Make sure your site isn’t vulnerable to local file inclusion or remote file inclusion attacks. These can be used to plant web shells, such as WSO or C99.
  • When you accept user input, test it against possible command injection attacks. Make sure it’s not vulnerable.
  • Any uploaded files need to be properly validated. Just like text, you can’t trust uploads. Even something seemingly benign like a user-uploaded profile picture can have other files embedded within it, or PHP shell code injected via its metadata headers, which can be used to get a web shell.
  • Protect your site against cross-site scripting.
  • Make sure your site is protected against cross-site request forgery.
  • Anyone can design something that they themselves cannot figure out how to hack. However, that does not mean it's hack-proof.
  • Just because there is no public exploit for a security vulnerability doesn't mean no one is exploiting it.
  • Use IDS/IPS/SIEM.
  • OSINT, for both passive and active information gathering, can be used for hacking or phishing.
  • Learn about the concepts of privilege escalation and remote code execution.
  • Segment a network to protect against pivoting.
  • Disable Word macros.
  • Keep track of changes and inventory.
  • Patch critical security updates out of band if need be.
  • Offer a bug bounty program.
  • Work with security researchers instead of against them.
  • Parameterize database queries.
  • Use prepared statements.
  • Perform checksum verification after downloading something.
  • Remember that JavaScript can be used to deliver malware, or even deanonymize Tor or VPN users.
  • Besides IP addresses and cookies, browser fingerprinting is another way to identify or track users.
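
The upload tip above deserves a concrete check. The following is an added example, not code from the original post: a small Python validator for a profile-picture upload that trusts neither the client's filename nor its Content-Type, sniffs the real format from magic bytes, requires the extension to agree with the content, and rejects files that carry script markers (for example, `<?php` inside an EXIF comment). The sample uploads are constructed inline; the size limit and allowed formats are assumptions for the example.

```python
"""Defensive validation for a user-uploaded profile picture (constructed example)."""
import re
import uuid

# Magic bytes for the only image formats this hypothetical endpoint accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Client-supplied extension -> format it must actually contain.
EXT_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example
# Script markers that have no business inside image bytes (EXIF comments included).
SCRIPT_MARKERS = re.compile(rb"<\?(php|=|\s)|<script\b|<%", re.IGNORECASE)


def sniff_format(data):
    """Identify the format from the leading bytes, ignoring whatever the client claimed."""
    for fmt, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def validate_upload(filename, data):
    """Return (ok, reason). Checks run cheapest-first; any failure rejects the upload."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_FORMAT:           # also catches "shell.php" and "shell.phtml"
        return False, "extension not allowed"
    fmt = sniff_format(data)
    if fmt is None:                     # e.g. a PHP file renamed to "avatar.php.jpg"
        return False, "content is not an image"
    if EXT_FORMAT[ext] != fmt:
        return False, "extension does not match content"
    if SCRIPT_MARKERS.search(data):     # PHP/ASP/HTML markers hidden in metadata
        return False, "embedded script markers"
    return True, fmt


def storage_name(fmt):
    """Server-chosen name: never reuse the client's filename when writing to disk."""
    return f"{uuid.uuid4().hex}.{fmt}"


# Constructed sample uploads (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_JPEG_PLAIN = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
SAMPLE_JPEG_WITH_PHP = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + b"<?php echo 'x'; ?>" + b"\xff\xd9"
SAMPLE_PHP = b"<?php echo 'x'; ?>\n"
```

Store accepted files under the name from `storage_name()` outside the web root and serve them with a fixed image Content-Type, so even a file that slips past the checks is never executed by the server.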

For more information, check out this presentation about security I made a while ago.