Glenn Stovall's Public Notebook

Security

What are some common security holes that could exist in your application, and what can you do to prevent them?

Application Security

Injection flaws

  • Injection flaws are when a user is able to enter a string that is executed. Types include SQL injection and shell injection.
  • never use string concatenation to compose SQL or shell commands. Always use a library that escaps and sanitizes the strings for you.

Buffer Overflows

  • An issue where a buffer is overflowed, and overwrites adjacent memory locations.
  • Most languages are memory safe and you don't have to worry about this, unless you writing low-level code in C/C++.

Insecure Cryptographic Storage

  • use a one-way hash on secure data.
  • prefer libraries like BCrypt over solutions like SHA-256 for secure information.
  • use reversible encryption when appropriate, for example on customer data you may need to retrieve.

Insecure communications

  • always uses secure protocols such as HTTPS. avoid non-secure protocols like HTTP and FTP
  • limit access to internal data, for example using a VPN.

Improper Error Handling

  • Don't leak sensitive information in error messages.
  • This includes logging data to error handlers. Don't accidentally send the user's password to Bugsnag.

Cross-Site Scripting (XSS)

  • sanitize all user input, including what comes from the URL query string
  • have a content security policy (CSP) that bans inline JavaScript
  • avoid passing data to HTML directly, like using dangerouslySetInnerHTML in ReactJS or using document.innerHTML.

Cross-Site Request Forgery (CSRF / XSRF)

  • use origin headers or CSRF tokens to ensure origin of request is allowed.
  • never modify data/state using GET requests.

Two-Factor Authentication (2FA)

  • Always confirm that the user in at least two of the three following ways:
    • something they know (password)
    • something they have (authenticator, phone)
    • something they are (biometrics)

Authorization Errors

  • be vary wary of what authenticated users can access and do.
  • be mindful of communciations people receive. For example, should a user receive that email or push notification, or do they not have the required permissions?

Further Reading