
Campfire #10: Security in Web Applications [Webinar 65min]

On June 12, 2014, Mertech held a Campfire on Security in Web Applications that was led by Mertech representative Oliver Nelson (Senior Technologist). If you missed it, check out the video above.


As more companies move towards a cloud-based technology stack, the world of enterprise applications is no longer desktop-centric. In application development, and especially in web development, security is often not given enough priority in the development process. This campfire talks about some of the risks and best practices in developing secure web applications.


The first topic presented was SSL, and specifically the Heartbleed bug, which has been in the news recently. Heartbleed is a bug in OpenSSL: the SSL specification allows a “heartbeat” request as small as one byte, but OpenSSL mistakenly allowed the response to return 64 kb of RAM minus 1 kb, which lets attackers collect whatever data happens to be sitting in that memory. This could include private keys, user names and passwords, and even confidential documents that are sent over the web. Essentially, the vulnerability let far more data be read than should have been allowed. The bug also left no trail of what had been taken, leaving companies with no way to estimate their exposure.
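The check that Heartbleed was missing is easiest to see in code. The following is an added example, not code from the webinar or from OpenSSL: a minimal heartbeat responder in Python that follows the RFC 6520 layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and refuses to answer any request whose claimed payload length does not fit inside the bytes actually received, so the reply can only ever echo data the peer sent.

```python
# Added example (not from the webinar or OpenSSL): a heartbeat handler that
# enforces the bounds check Heartbleed lacked.  Record layout follows
# RFC 6520: 1-byte type, 2-byte payload_length, payload, >= 16 bytes padding.
import os
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # type (1 byte) + payload_length (2 bytes)


def build_heartbeat(payload: bytes) -> bytes:
    """Build a well-formed heartbeat request carrying the given payload."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, len(payload))
            + payload + os.urandom(MIN_PADDING))


def respond_to_heartbeat(record: bytes) -> Optional[bytes]:
    """Answer a heartbeat request, or return None to discard it silently.

    The response may only echo bytes the peer actually sent.  Comparing the
    claimed payload_length against the real record length is the check whose
    absence let Heartbleed copy adjacent process memory into the reply.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # RFC 6520: a message whose payload_length is too large for the record
    # MUST be discarded silently.  Header + claimed payload + minimum padding
    # has to fit inside what was received.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + os.urandom(MIN_PADDING))


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload from a heartbeat response (for inspection)."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


if __name__ == "__main__":
    reply = respond_to_heartbeat(build_heartbeat(b"ping"))
    print("well-formed request echoed:", echoed_payload(reply))
    # Constructed malformed record: header claims 65535 bytes, one byte follows.
    print("oversized claim discarded:",
          respond_to_heartbeat(b"\x01\xff\xff" + b"x" + b"\x00" * 16) is None)
```

The point of the example is the single comparison before the slice: everything else is bookkeeping. A responder that skips it will happily build a reply from whatever follows the request in memory, which is exactly the behaviour the paragraph above describes.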


The lesson to be learned from Heartbleed is that although SSL does help provide protection, it is not automatic – developers still need to do the work to ensure that bugs like Heartbleed don’t happen on their watch.


Passwords are one way to provide security. An important point was highlighted: the log-in information IS the data. Managers of websites that do not handle customers’ financial data have a false sense of security, thinking that it doesn’t really matter for them. What they don’t realize is that hackers want the log-in information so they can use it on other sites the same customer uses that DO hold credit card information, because people tend to reuse similar passwords across all their websites.


Some tips and tricks for effective management of passwords:

  • Don’t require periodic password changes – this actually reduces the security of the site, because users begin to reuse passwords and choose worse and worse passwords over time.
  • Never store the actual password – store hashes instead. But a plain hash is not enough either: if multiple users on one website have the same password (ex. Letmein123), they will have the same hash. Use a separate salt for each user to avoid this problem; then even if a hacker gets hold of your database, they can’t use statistical analysis to pick out all the users who share a password.
  • Longer passwords are better – the longer the password, the more difficult it is to break with Markov chains and other analysis methods.


The next topic presented was session contamination, which refers to state leaking between different users who are accessing the same application. Oliver gave one example where admin rights were accidentally granted to a second user in an application because of incorrect use of properties (the property should have been reset to fail at the beginning of each new user session, so that no one inherited authorization from the prior user’s rights).


We also talked about SQL injection, which refers to a situation where the data supplied to a SQL query can actually change the way the SQL statement executes. The solution is to sanitize any data that comes from the client. There are many ways to do this, and in fact all the SQL server back-ends do it differently. With Mertech’s driver, sanitizing is easy: one function works for all the supported SQL servers.
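The following added example (not Mertech's driver, whose sanitizing function is not named on this page) shows the same lookup three ways in Python against an in-memory SQLite table with constructed rows: spliced into the statement by string concatenation, bound as a parameter through the DB-API, and escaped with a back-end-specific quoting rule. The first can be altered by what the client sends; the other two cannot.

```python
# Added example (not Mertech's driver): the same user lookup built by string
# concatenation, with a bound parameter, and with back-end-specific escaping,
# run against an in-memory SQLite database holding constructed sample rows.
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Client data is spliced into the statement, so it can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The value is bound as a parameter; it is never parsed as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def quote_literal(value: str) -> str:
    """Escaping for the case where a value must be inlined.

    SQLite and PostgreSQL double the single quote; other back-ends have their
    own rules, which is why the page notes that every server does it
    differently.  Prefer bound parameters whenever the driver offers them.
    """
    return "'" + value.replace("'", "''") + "'"


def find_user_escaped(conn: sqlite3.Connection, username: str) -> List[str]:
    """Same statement as the vulnerable version, with the literal escaped."""
    sql = "SELECT username FROM users WHERE username = " + quote_literal(username)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that is not a real username
    print("concatenated:", find_user_vulnerable(db, probe))  # returns every user
    print("parameterized:", find_user_safe(db, probe))       # returns nothing
    print("escaped:", find_user_escaped(db, probe))          # returns nothing
```

Run stand-alone, the concatenated query returns both rows for an input that matches no username, while the parameterized and escaped queries return none. Parameter binding is the portable fix because the database driver, not your code, decides how the value is transmitted; escaping only works when it matches the rules of the server actually in use.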


This was a great summary of the most important issues in web application security. We look forward to more Campfires as we continue to talk about topics that are interesting to our community.
