
Defense in Depth

Published 2024-10-11 20:49:19 · 4533 characters · 0 views · 0 comments · 0 favorites

If you have ever toured a well-engineered medieval castle, you have walked through a defense in depth. The ultimate goal is to keep the bad guys out. You have to cross a moat and get through the outer portcullis, and the castle itself is usually in a well-defended place on a cliff somewhere with high walls and arrow slits in the wall for archers. Individuals who do web development should think about their processes of defense in the same manner.

Personal information and proprietary intellectual property need to be hosted in the innermost, most protected area of the castle, so that if attackers get over the moat, they still have not been able to get the keys to the kingdom. There are several mechanisms you can put in place that will protect web applications. Most web applications use the authentication, session management, and access control triad to reduce their attack surface. The three are interdependent, and together they provide the overall protection. A defect in any part of the triad could give an attacker access to the data.

Authentication is the most basic: you prove you are who you say you are by logging in to a site. After you log in with a strong password or multifactor authentication, the authenticated person's session must be managed. This is usually done with some sort of token. When a user gets a token, the browser submits it to the server in each subsequent HTTP request. If the user is not active, the token should expire, requiring that user to log in again. Access control defines and enforces who has access to what. If it has been deployed correctly, it knows whether this user is authorized to perform an action or to access the data he or she is requesting.

Even using this triad, no web application or technology has proven to be invulnerable. New threats and techniques pop up every day that add a dynamic element to defense. Bad guys attack and we move to defend. Anyone in a development role must realize that security can be built into web applications during the actual development of those tools. A good rule of thumb is to assume all input is hostile. Input validation ensures that only properly formed data can be placed in a web application field. The next time you pull up a form, check whether you can type letters into the ZIP code field. That field should accept only digits, and only a fixed number of them.

Encryption is another defense mechanism, whether it is protecting data in transit or data at rest. You must implement an authentication plan, but the data those services share must also be encrypted in some way. An open, unsecured web service is a hacker's best friend, and there are automated crawlers that scan the web looking for exactly that.

Another development-focused security tool to implement is exception handling. Think of the last time you mistyped your username and password. Did the error tell you whether it was the username or the password that was wrong? Ideally, it should be generic. If the error message said that your password was incorrect, hackers now know that the username was correct and can focus their efforts on your password. In any case, the exception or error should reject the request, or fail closed. An application that fails securely prevents operations that shouldn't happen from happening.
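An added example, not from the book excerpt, that puts the two points above into Python: an allowlist check for the ZIP code field that accepts only five digits (or ZIP+4), and a login routine that returns the same generic message whether the username or the password was wrong and fails closed on any internal error. The credential store, salt and user names are constructed for the demo.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Allowlist for a US ZIP code: exactly 5 digits, optionally "-" and 4 more.
# Letters, extra digits, or an empty string are all rejected.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")

def is_well_formed_zip(value: object) -> bool:
    """Accept only strings that match the ZIP allowlist exactly."""
    return isinstance(value, str) and ZIP_RE.fullmatch(value.strip()) is not None

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed sample credential store (username -> (salt, password hash));
# a real application would load this from its user database.
_SALT = b"constructed-demo-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = _hash("", _SALT)  # compared against when the username is unknown
GENERIC_ERROR = "Invalid username or password"

def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (authenticated, message).

    The message never says which part was wrong, and an unknown username still
    costs one hash computation, so neither the text nor the timing reveals
    whether the username exists. Any unexpected error also fails closed.
    """
    try:
        salt, expected = USERS.get(username, (_SALT, _DUMMY))
        matched = hmac.compare_digest(_hash(password, salt), expected)
        if matched and username in USERS:
            return True, "Welcome"
        return False, GENERIC_ERROR
    except Exception:
        # Fail closed: an internal error is never a way in.
        return False, GENERIC_ERROR

if __name__ == "__main__":
    print(is_well_formed_zip("12345"), is_well_formed_zip("1234a"))  # True False
    print(login("alice", "correct horse"), login("mallory", "anything"))
```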

Lastly, don't forget auditing and logging, as well as quality assurance and testing. Logs often record suspicious activity and can provide individual accountability. If you can, hire a third-party service that specializes in penetration testing or vulnerability scanning. In college, one of the best practices was to have another person read your thesis. You become blind to your own errors. You know what you meant to say, but did you say it right? Getting someone with expertise to test your application can make the difference between a multimillion-dollar breach and no breach at all.

I'm lucky enough to call Chris Roberts, the Sidragon himself, a friend. I would hate to be unlucky enough to call him an enemy. Physically imposing, even when wearing a kilt and sporting a foot-long blue beard, he is one of the best security researchers out there and one of the nicest guys you'll ever meet. He says, “There are those of us in the know, we know what is going on and there are too many organizations out there saying, ‘Oh, we are perfectly safe,’ but we do have a hell of a lot of people who are unaware.” We have to learn and evolve.
