• By Alito Alvarez
Alito Alvarez

I recently attended the Skillsmatter Fullstack Conference, which proved to be a great learning opportunity. A wide range of topics were covered including really useful browser tooling advancements, from Google's Addy Osmani, studies of Typescript, ECMA6 (the latest revision of Javascript), UI & UX best practices as well as so much more.
In my opinion, the two most important talks were on securing web applications against hackers.

How developers can own their own security

This talk from Tim Buntel and Paul Boss encouraged developers to tighten up security in their web applications.

A number of good resources already exist to raise awareness of common pitfalls when building web applications. Top of the list is the OWASP top ten, a project dedicated to cataloguing the ten most common mistakes made. This is updated every three years and the top ten list is relatively unchanged year-on-year. It is due an update in 2016 but as of 2013 looked like this:

  1.  Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

These problems may or may not mean a lot to you but they're worth noting since the number 1 problem - (SQL) injection was a technique used in the recent (Dec '15) TalkTalk hack

The second half of the talk was geared towards apps and information to enable developers to improve their own security. Also developed by the OWASP group, is the WebGoat application and an associated series of tutorial aimed at exposing and fixing problems with sites. On a more Microsoft slant, the OWASP .net project is a .net-centric project showcasing the best practices for web-application security.

Two factor authentication

Twilio's Phil Nash gave an excellent talk on implementing two-factor authentication, something we hope to bring to Sitecore soon.

As a developer we are able to improve the security of our code but one area we don't have much control over is a user's password, which unfortunately is often very poor. Recent exploits such as the Ashley Madison hack have exposed user's passwords and from this we've been able to observe that the most common passwords are worryingly insecure.

Most popular Ashley Madison passwords
123456 120,511 users
12345 48,452 users
password 39,448 users
DEFAULT 34,275 users
123456789 26,620 users
qwerty 20,778 users

This leads to another common hacking technique whereby the most popular password is used to try and crack a number of different accounts (also bypassing account-specific brute-force lockouts).

One excellent way to improve the state of security and mitigate poor user password choices is to enable two-factor authentication, whereby a user receives an SMS or generates a unique (usually time-based) code with an app or hardware token. In order to login, the user must submit both their password and this code.

There are a number of good resources for learning how to implement these in the language/platform of your choice, the asp.net site has a good tutorial and the talk covered implementing such a solution in node.js.

The bottom line is that any improvement that can be made to a user's security is worth taking.

scroll back to the top of the current web page