
2018 Security Best Practices

Your Ultimate Guide

When operating a company with one or more web applications, managers mostly think about how they can create the best possible experience for their customers. Deploying new features in a short period of time is an objective that most development teams live by. As a downside of this agility, managers often neglect that their web application acts as a virtual business card and therefore needs to be sufficiently protected. Recent research has shown that every company can be the victim of a cybercrime attack. As shown in the report “State of Cybersecurity in Small & Medium-Sized Businesses” by the Ponemon Institute [1], the percentage of targeted companies that are small and medium-sized reached 61% in 2017. So it is not only the major corporations being attacked; every regular company is a potential victim.

Most companies have a tight IT security budget and time is an even larger issue. Even though a high security budget can be beneficial, there are some things that are essential for a company’s security and cost little to no money. The following paper outlines the fundamentals that should be included in every security policy.

1. Security needs to be a priority!

There are a few valid reasons why a company is not (yet) at a sufficient level of security. Not prioritizing security is definitely not one of them, which is why it is even more alarming that almost half of IT decision makers still do not make security a priority [2].

As Amazon VP & CTO Werner Vogels said at Bits & Pretzels in 2017: “Without Security you have no Business!” [3]. This is why security should be as important as functionality, for both development and management. If the created functions and features have security flaws, the company will lose customers and go out of business [4].

1.1 Security starts at the top

When security is discussed at the top level, it becomes a ubiquitous issue. The current security status should be included in weekly meetings so that it is present in every department at any given time. As with any important topic, the right management is needed to keep security in the back of employees' minds in every decision they make.

1.2 Create and allocate resources

No IT department has limitless financial capabilities. You should however allocate enough resources to secure your business. Fixing a data breach after finding the vulnerability is ten times more expensive than mitigating the risks before the vulnerability is exploited [5]. Because of that, it is crucial for organizations with vulnerable web applications to get the budget, personnel and IT infrastructure to secure what is most valuable for the company. If you cannot afford a full-time security employee, you should at least make one employee responsible for security (for example the CIO or CTO). That way every decision is double-checked for its impact on the security status.

1.3 Every team has different priorities

Making security a priority is highly important, but it does not mean that companies should spend all of their money on it. Medium-sized organizations in particular should rather pick sub-priorities and make sure that they protect their most valuable assets. Not every company has the same system and data structure, which is also why this is not a checklist of things that need to be secured, but more of a guide on how to reach a basic security level on which individual protection can be built.

2. Employee education

Surveys show that the main cause of data breaches is negligent employees [6]. Even though this cause is easy to avoid, managers still do not pay much attention to how well their employees are educated on security procedures. Especially for companies with highly valuable information it is critical that every employee has the same level of security knowledge.

54% of data breaches are caused by negligent employees.

2.1 Security as a part of the culture

Talking about security at the top-management-level is important, but not really helpful if most of the people in the company are not aware of security issues and how to prevent them.

A security plan can be formalized in order to have the security strategy documented and available for everyone. This is especially important if you are looking at getting ISO certified. Every employee should know about the security plan and the basic security measures they can take in their day-to-day business. A part of that plan can be a password policy which is enforced for every user of the system. What this policy might look like will be covered in the next chapter.

Additionally, the security status of the entire company can be visualized on a dashboard in regular meetings to let everyone know how their work impacts the security of the organization. By continuously raising awareness you can make sure that the goal of securing the company's data is kept in every employee's mind.

2.2 Training employees on security issues

Security can be as simple as telling co-workers to lock their computer whenever they leave their workspace out of sight. Getting at someone's data is easy if there is not a single security layer in place. Another simple practice people should be aware of is to update software whenever possible. Hackers use known vulnerabilities to break into systems. Software updates include bug fixes and security patches that make the hackers' life much harder.

For more specialized issues (e.g. phishing attacks) educational workshops can be helpful. That way employees are able to detect attacks at an early stage. Additionally, a reward system can be established, where employees are rewarded for noticing and reporting vulnerabilities or attacks.

People working with the IT infrastructure, and especially developers, should be given special training on secure coding practices. We will discuss the topic of secure coding in more detail in Chapter 7.

3. Password policy

As mentioned earlier, a password policy needs to be a part of an organization's security plan. This policy needs to be followed not only by employees, but by every user of the system. There are a few things everyone should keep in mind when creating a password.

3.1 Passwords need to be strong

Hackers have databases of passwords that are used often, so the stronger the password, the more secure the system. Experts suggest using passwords that are at least 20 characters long and include special symbols so that hackers cannot crack them [7].

3.2 Unique passwords for every application

If a strong password is cracked in any way, a hacker should not be able to have access to every single application. Creating a unique password for every single application is crucial in order to secure the entire IT landscape.

3.3 Frequent password changes are critical

Users should be required to change their password every 30-60 days. A strong password of 20 or more characters takes a hacker more than 60 days to crack. By changing passwords regularly, hackers have to start over again which makes the application even more secure.

3.4 Password managers can be helpful

Strong and unique passwords are difficult to remember, and writing them down is the least recommendable option. By installing a password manager users do not lose track of their passwords and only have to remember one master password, which then needs to be as strong as possible to protect all other passwords.

�3

Page 4: 2018 Security Best Practices Your Ultimate Guide · should be included in every security policy. 1. Security needs to be a priority! There are a few valid reasons why a company is

3.5 Two-factor authentication as an additional layer of security

Two-factor authentication is another easy and effective way to establish multiple security layers for an application. Even if a hacker cracks the password of a user, there is still another layer of authentication (e.g. via phone number) required to access the system.

4. Access control

Access control is extremely important for every company having a large number of users on their system.

4.1 User verification needs to be established

By controlling who has access to the system, a company takes the first step to protect its data from outside threats. Third parties in particular should be monitored and verified. All input can be malicious and sufficient verification needs to be set up for every user or party requesting access. The company's password policy should be applied to all users entering the system.

4.2 Principle of least privilege

After verifying users it is still crucial to be as restrictive as possible with user privileges and roles. Users should be given the least privileges in the beginning and can be provided with more access afterwards in case it is necessary.

The separation of duties is another principle that goes hand in hand with least privilege. The SANS Institute suggests in its report [8] that users should be divided into different roles. Even top-level managers should only be allowed to see what they really need for their job. This does not just keep the data safe but also improves the focus on what an employee is actually working on. The circle of privileged users and administrators, who have more access than any other employee, should be kept to a minimum. These users also need to be kept under supervision and must act according to compliance regulations.

5. Data security

After the people using it, data is the most valuable asset for every organization. Data is what drives business value, whatever that value might look like. A company needs data to know its customers, and the customers want their data to be safe with that company. Especially cloud services, e-commerce platforms and any businesses interacting with mobile devices are vulnerable to data breaches and manipulation.

5.1 Data risks across the organization

There are a few risks connected with data that all businesses face. The confidentiality risk arises because customers trust companies enough to give them their data; because of that, all data should be stored in a safe and secure way. The integrity risk means that a company's system always needs to be protected against unauthorized modification. Lastly there is an availability risk, because data is needed to run the operative business. Losing access to data can lead to large financial losses.

5.2 Data Back-Ups

Ransomware attacks are on the rise. 58% of respondents to the survey by the Ponemon Institute state that ransomware attacks would have serious financial consequences for their business. By running data back-ups, companies can ensure they still have access to their data in case of a ransomware attack.

6. Secure coding

According to the Ponemon Institute [9], most SMEs experienced phishing/social engineering or web-based attacks, which are mostly caused by uneducated employees (as mentioned earlier). However, 24% had issues with SQL injections, which are preventable by developers writing secure code. Especially if companies are dealing with mobile/IoT devices they should make sure that there are no vulnerabilities, since these devices are most likely to be targeted by hackers.

6.1 Simple code is secure code

Most companies want their developers to create many fancy features, which basically means many lines of code. The problem arising: the more lines of code are written, the more code can be vulnerable to an attack. The code should be as simple as possible to be safe.


6.2 Minimize attack surface area

Everything that is open to the public is open to an attack. Therefore the number of public endpoints should be limited and secured properly. An example of such a measure is to only allow access to a server with an SSH key.

6.3 Any input can be malicious

All input coming from users or any other third party can be harmful to a system. Sanity checks can be used to control whether the input from outside contains any malicious data. For example, use prepared statements or model bindings when performing database operations. Most frameworks support these programming paradigms and prevent things like SQL injections.
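The prepared-statement advice above, as an added example that is not the whitepaper's own code: a string-built query beside its parameterized form, run against an in-memory SQLite table with constructed sample rows (the table and column names are assumptions).

```python
"""Prepared statements vs. string-built SQL (added example, not from the
whitepaper). Uses an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller's input is concatenated into the
    statement text, so input containing quotes changes the query's logic."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the value travels separately from the SQL text and
    is always treated as data, never as syntax, whatever it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that breaks out of the quotes
    print("unsafe:", find_user_unsafe(db, probe))  # returns every user
    print("safe:  ", find_user_safe(db, probe))    # returns nothing
```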

6.4 Establishing secure defaults

The default settings an application has should always be the most secure and restrictive ones. If a user needs different options or more access to something it should be granted later on. It is always easier to protect your data first rather than trying to restrict access at a later stage.

6.5 Planning for failure

It is very likely that programs and applications will fail at some point. Handling exceptions in the code ensures that the application does not end up in an inconsistent state. Security routines such as authentication need to be passed correctly before privileges are granted.

An example is the following code:

Now think of a problem in the fail method. If it does not work correctly, the show_content method is run. To increase the security, statements can be flipped.

That way, an error in the fail method has much less effect.
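The ordering described above, as an added example that is not the whitepaper's own code: the deny-first version falls through to show_content when fail() misbehaves, while the flipped version keeps the privileged action inside the positive branch. The names fail, show_content, is_authenticated and the broken flag are assumptions used to reproduce the scenario.

```python
"""Fail-secure ordering (added example, not from the whitepaper). The
`broken` flag simulates a defect in fail() that returns instead of aborting."""


class AccessDenied(Exception):
    """Raised by a working fail() to abort the request."""


def fail(broken: bool) -> None:
    """Abort the request. With broken=True it models the bug discussed in
    6.5: the 'abort' silently returns and the caller keeps executing."""
    if broken:
        return
    raise AccessDenied("not authenticated")


def show_content() -> str:
    """The privileged action that must only run for authenticated users."""
    return "content"


def is_authenticated(request: dict) -> bool:
    """Constructed stand-in for a real session check."""
    return request.get("session") == "valid"


def handle_deny_first(request: dict, broken: bool = False) -> str:
    """Ordering criticised in 6.5: test the failure case, call fail(), then
    fall through to show_content(). Correct only if fail() really aborts."""
    try:
        if not is_authenticated(request):
            fail(broken)
        return show_content()
    except AccessDenied:
        return "denied"


def handle_allow_first(request: dict, broken: bool = False) -> str:
    """Flipped ordering: show_content() is reachable only inside the positive
    branch, so a defect in fail() cannot expose it."""
    try:
        if is_authenticated(request):
            return show_content()
        fail(broken)
        return "denied"  # reached only when fail() returns instead of raising
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    anon = {"session": "none"}  # constructed unauthenticated request
    print("deny-first, broken fail:", handle_deny_first(anon, broken=True))
    print("allow-first, broken fail:", handle_allow_first(anon, broken=True))
```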

6.6 Use standard algorithms

Good encryption algorithms exist for a reason. Creating your own algorithms leaves room for mistakes by developers. Using standard algorithms makes developers more productive while ensuring safer code.

6.7 Avoid security by obscurity

Having secret URLs is a good way to keep people from reaching a site. However, it does not entirely control access to that site. For example, a secret URL for an administrator dashboard is not sufficiently secure without additional password protection. Secret URLs should be an add-on and not the basic security measure.

6.8 Continuous code testing

Testing the code soon after developing it can save the developer a lot of time which would otherwise be needed to fix a vulnerability at a later stage. According to the WhiteHat Security 2016 Web Applications Security Statistics Report [10], the average age of a critical vulnerability is 300 days, with less risky vulnerabilities being open even longer.

This makes them an easy target to be exploited by hackers simply because they have so much time to find the vulnerability. Vulnerable code needs to be patched immediately to make sure there is no room for hackers to enter the system. For organizations with a continuous integration process it can also be helpful to employ source scanning and dynamic scanning.


6.9 Four-eyes policy

By following a four-eyes policy, more people have a look at the code. This increases the probability of someone finding a potential vulnerability. Developers can review each other's code to save time and make sure that their co-workers are developing securely. That way they can also learn about common mistakes other developers make.

6.10 No security without a secure platform

All of the practices above are useless if the platform provider does not follow them as well. The used infrastructure should have sufficient security standards to keep the entire system from being hacked. External platforms should always be thoroughly verified and checked continuously.

7. Continuous security testing

All of the measures mentioned above are easy ways to mitigate the risk of vulnerabilities arising. However, people make mistakes and there is always the probability of someone writing code that is not 100% secure. A good method to make sure the organization is safe is to use continuous security tests. Especially for agile developers using continuous integration and continuous deployment (as seen in Figure 1), manual penetration tests are often too expensive and too slow.

Services like the Crashtest Security Suite offer an automated and continuous solution that can be integrated into the development process from the very beginning. By continuously testing for vulnerabilities, developers can patch these security flaws directly and have more time to concentrate on the functionality and features that actually matter.

The feedback on their code and an integrated knowledge base also help developers adopt secure coding practices in their daily workflows. As most companies do not have sufficient security expertise, this can be helpful in all stages of the organization's life cycle. In addition, managers get a continuous update on the company's security status through an integrated dashboard and e-mail reports after every scan of the application.

8. Conclusion

Web applications are vulnerable. They always have been and they always will be. It is up to the developers and management how these vulnerabilities are dealt with.

Keeping a company secure is not as difficult as it may seem and there are some fundamentals to be kept in mind that are cheap and easy to follow.

Employees are the security base of any organization. That is why they should be continuously supervised and educated.

If a security culture is established throughout the entire company, vulnerabilities are less likely to show up.

Keeping the code simple and safe and testing it continuously is the first thing developers need to do to reduce the risk of data breaches.

The IT industry has the highest average age of vulnerabilities, with 875 days.

Figure 1: Security in the Agile Development Environment

About Crashtest Security

Crashtest Security is a Munich, Germany-based start-up that redefines web application vulnerability scans. As an innovator within cyber security for web applications, Crashtest Security develops automated vulnerability assessment solutions enhanced with artificial intelligence, developed for the needs of the agile developer or DevSecOps. The clear vulnerability insights provide transparency and actionable insights to enable efficient risk mitigation and, in particular, to reduce the risk of getting hacked. Find out more at www.crashtest-security.com.

Sources

[1] https://keepersecurity.com/2017-State-Cybersecurity-Small-Medium-Businesses-SMB.html
[2] http://www.information-age.com/cyber-security-still-not-top-boardroom-priority-123468999/
[3] https://twitter.com/VerVieVasVideos/status/911985021354954754
[4] https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html
[5] https://www.sixsigmablackbelt.de/fehlerkosten-10er-regel-zehnerregel-rule-of-ten/
[6] https://keepersecurity.com/2017-State-Cybersecurity-Small-Medium-Businesses-SMB.html
[7] https://www.nytimes.com/2016/01/14/business/smallbusiness/no-business-too-small-to-be-hacked.html
[8] https://www.sans.org/reading-room/whitepapers/compliance/tech-startup-about-security-privacy-compliance-35792
[9] https://keepersecurity.com/2017-State-Cybersecurity-Small-Medium-Businesses-SMB.html
[10] https://info.whitehatsec.com/rs/675-YBI-674/images/WH-2016-Stats-Report-FINAL.pdf


Crashtest Security GmbH
Wilhelm-Hertz-Str. 14a
80805 Munich
+49 (0)89 215 41 665
www.crashtest-security.com