Don’t wait until it’s too late: things you can do today to prevent a future data breach crisis

Corner Case Technologies
5 min read, Apr 30, 2021

In the past few months, presumably like many specialists in the IT field, we have been intently watching the security topic becoming more relevant than ever. More and more news about data breaches in various platforms, scared, angry, or confused customers and increased attention to the topic is the reality now.

What is a data breach?

To describe it briefly, a data breach happens when confidential, protected, or sensitive information is accessed by an unauthorized person. Most of the time, the goal is to steal the information, which would help to identify someone and use it to commit fraud. Such exposure of sensitive data can cause serious problems not only for individuals but for businesses and even governments too. Unfortunately, quite a lot of websites and products have gaping flaws, such as a lack of encryption, and hackers are smart enough to take advantage of it.

Along with an increasing number of data breaches, the number of articles with significant recommendations for the victims is growing too. Professionals begin to analyze the lessons learned and discuss future challenges. However, in this whole swirl of information and recommendations, we have missed the important information — as a programmer or an architect, what specifically can you do differently? To avoid using SHA1 for hashing passwords and to not leave important information publicly available — we all understand that by now, but what else?

Recently, Justinas Kuizinas, our Senior BackEnd Development Team Lead, gave a short presentation to the Corner Case Technologies team on what he thought was relevant to start the discussion on this topic and it resulted in a very engaging discussion, indeed. Thus, we have decided to share this valuable information in a post, maybe you will find something useful.

The main ideas and recommendations:

1) SHA1 cannot be used for hashing passwords

To answer the question “why?” is relatively simple: using the SHA1 algorithm with the word “mypassword” you will always get the same hash value, let’s say `x`. Meaning that if the database is leaked and someone finds the hash value `x` next to an unfortunate user, that user’s password is “mypassword”.

Naturally, a very good follow-up question arises — what algorithm should be used instead? OWASP comes to the rescue and whispers that PBKDF2, Bcrypt and Argon2 (a winner of the “Password Hashing Competition” in 2015) are the options to choose from.

Why are the latter better than SHA1, you might ask? Because they use a salt and iterations. The salt is a unique value for each user that is mixed into the password hash, while the iteration number defines how many times you hash a password before you store it in your database (for instance, in our new projects we started using an iteration number of 260,000). This means that attackers will have to work really hard to guess even one password, and even if their guess is right, they will not be able to compare it with other passwords in that database: because of each user’s unique salt, hashes of identical passwords will not match. Hence, attackers cannot take advantage of rainbow tables either.
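As an added example (not code from the post or from Corner Case Technologies), here is the contrast described above in Python: two users sharing a password get the same unsalted SHA1 digest, but different PBKDF2 records when each gets a random salt and the post's 260,000 iterations. The `algorithm$iterations$salt$hash` record layout is constructed for this example so the verifier can recover the salt and iteration count; the sample users and password are constructed too.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 260_000  # the iteration count mentioned in the post
SALT_BYTES = 16       # assumption: 16 random bytes of salt per user


def sha1_hash(password: str) -> str:
    """The legacy scheme the post warns about: unsalted, a single fast round."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, returned as a self-describing record.

    Record layout (constructed for this example): algorithm$iterations$salt$hash,
    with salt and hash base64-encoded so verification can reuse them later.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # unique per user and per hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # refuse to verify anything but the expected scheme
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)  # no timing leak on mismatch


if __name__ == "__main__":
    # Two users who happen to share a password (constructed sample data).
    print("SHA1 identical for both users:", sha1_hash("mypassword") == sha1_hash("mypassword"))  # True
    alice, bob = hash_password("mypassword"), hash_password("mypassword")
    print("PBKDF2 records differ:", alice != bob)                    # True, thanks to per-user salt
    print("verify correct:", verify_password("mypassword", alice))  # True
    print("verify wrong:", verify_password("Mypassword", alice))    # False
```

With 260,000 iterations each `hash_password` call takes a noticeable fraction of a second, which is the point: the same cost is paid by anyone guessing against a leaked record.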

2) OWASP online community

OWASP is another recommendation of ours. They provide a variety of useful reports, recommendations, and insights in the field of web application security. If you don’t like long reads, simply review the “cheat sheet” for the main recommendations.

3) Security questions should no longer be a tech-debt

A classic scenario where the topic of security is sidelined “until we get out into the production environment or have more funds available” is when programmers and, especially, architects should say “stop, now let’s take the time for the necessary non-business requirements.”

The key is to do a consistent security assessment. The security of a platform or infrastructure cannot be ensured by simply checking it once at the beginning of the project and once before launching it into the world. It should be understood that just as in the CI (Continuous Integration) steps we ensure that the tests have passed successfully, we could also include the following steps: ZAP scanning at least once a week, vulnerability checking for the project libraries, static code security analysis, Docker images scanning, etc.

When programming specifically in Python, a good starting point can be `bandit` and `safety`. Infrastructure inspections, which might be difficult for the project team to carry out, should not be forgotten either. Therefore, it is encouraged to request an audit from specialists in the field.

4) Learning, learning, and learning once more

What Justinas has learned from his Master’s studies in security and the professors who have taught him is that vulnerabilities occur every hour, minute, second, or perhaps even more often, thus it is certainly not enough to read one article on security or make one update per year.

The rule is very simple — there is no secure platform, it is only a matter of time and resources for someone to visit it illegally. However, by constantly looking after our platform, we can stave off these unpleasant hacker visits. Prevention is the best defense here!

Lastly,

Here at CCT, we give security and high-quality work a lot of attention, we specialize in advanced coding conventions and perform System Code Audit both internally and externally. Its purpose is to identify security risks, manageability, performance, and bugs within code and, in general, to get a second pair of expert eyes to peer review or advise on improvements. We can assure you that the assessment of the system code will be impartial and objective, provided by only mid to senior developers, who are real experts in their field with a minimum of 5 years’ experience in software development. As a result, our audits are short, targeted, and can cover details often missed by less experienced personnel.

The audit can cover code in Python, JavaScript, and Java and help your company to identify security vulnerabilities, including breaches. If you think your organization would benefit from a System Code Audit or any other services related to digital product development, or if you have any questions regarding security, feel free to contact us at hello@cornercasetech.com or visit our website: www.cornercasetech.com.
