Another week, another data breach
As we develop web sites and APIs, we need to keep security in mind. I know this is obvious, but it is also something often overlooked. It is not glamorous, and many in management do not perceive it as having value. That is, until there is a security breach and the associated bad publicity. Security vulnerabilities come in many different guises, yet many have one thing in common – we learned how to fix them many years ago. Still, we keep making the same mistakes on sites. We know how to fix many of these; we simply have not forced the idea that security must be incorporated into all our work processes. Just look at the OWASP Top 10. Sure, there are differences between the 2013 and 2017 versions, but there are many similarities as well. Cross-site scripting remains a threat (as do SQL injection and many other vulnerabilities).
We all need to be thinking about security as we develop web applications. However, those teaching application development need to stress this in every project assigned. Unless security becomes ingrained in our application development process, we will continue to repeat the mistakes of the past. And data breaches will continue.
We can (and must) do better
As an educator, I often stress the idea – “trust your visitors, but never trust their input.” For every form submission, one should be thinking of validating input. As a teacher, do not accept an assignment as complete unless there has been both client-side and server-side validation on all input fields (even selection lists). Client-side validation is a convenience for the visitor; only the server-side check is a security control. After all, one can easily disable JavaScript in the browser, or modify the request with the browser's developer tools or a proxy, so additional fields (or values the form never offered) can be sent to the server.
If information submitted from a form is going to be added to a database, one should validate all of it against what each field is supposed to contain, and never splice it into the text of a query. Use parameterized queries (prepared statements with bound parameters, or a query builder that binds them for you) so that a visitor's input is only ever treated as data, never as SQL. Stored procedures help only when they, too, are called with bound parameters and do not build SQL from their arguments. If the stored data is later shown on a page, escape it for HTML on output so it cannot become a cross-site scripting payload.
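As an added example (not code from the original post), here is the server side of the two steps above in one piece: an allowlist check on every field, including the selection list, followed by a vulnerable query beside its parameterized replacement. It uses Python with the standard-library sqlite3 module only so that it runs offline; the field names, the allowed-country list, the seeded rows and the `' OR '1'='1` payload are all constructed for the demo. The same pattern in PHP is PDO's prepare/execute with bound parameters, and in Laravel it is the query builder's bindings.

```python
"""Server-side validation plus parameterized SQL for a registration form.

Added example, not from the original post. Field names, the country allowlist,
the seeded rows and the injection payload are constructed for this demo.
"""
import re
import sqlite3

# Values the <select name="country"> menu offers. A tampered request can send
# anything, so the server checks the list rather than trusting the menu.
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EXPECTED_FIELDS = {"username", "email", "country"}


def validate_registration(form):
    """Validate a submitted form dict. Returns (clean_data, errors).

    clean_data is empty whenever there are errors, so a caller cannot
    accidentally store a half-validated record.
    """
    errors = []
    unexpected = set(form) - EXPECTED_FIELDS
    if unexpected:
        # Extra fields (e.g. an injected "role=admin") are rejected outright.
        errors.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    username = str(form.get("username", "")).strip()
    email = str(form.get("email", "")).strip()
    country = str(form.get("country", "")).strip()
    if not USERNAME_RE.fullmatch(username):
        errors.append("username must be 3-20 letters, digits or underscores")
    if not EMAIL_RE.fullmatch(email) or len(email) > 254:
        errors.append("email is not well formed")
    if country not in ALLOWED_COUNTRIES:
        errors.append("country is not one of the offered choices")
    if errors:
        return {}, errors
    return {"username": username, "email": email, "country": country}, []


def setup_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "US"),
        ("bob", "bob@example.com", "CA"),
    ])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: the value is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: the driver passes the value separately; it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def store_user(conn, clean):
    """Insert only data that came back from validate_registration."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (clean["username"], clean["email"], clean["country"]))
    conn.commit()


def demo():
    conn = setup_db()
    good, errs = validate_registration(
        {"username": "carol", "email": "carol@example.com", "country": "GB"})
    if not errs:
        store_user(conn, good)
    # A tampered submission: an extra field and a country not in the menu.
    _, tampered_errs = validate_registration(
        {"username": "mallory", "email": "m@example.com",
         "country": "ZZ", "role": "admin"})
    payload = "' OR '1'='1"
    return {
        "stored": find_user_safe(conn, "carol"),
        "tampered_errors": tampered_errs,
        "unsafe_rows": find_user_unsafe(conn, payload),  # every row leaks
        "safe_rows": find_user_safe(conn, payload),      # no such literal name
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the regex on the username would also have rejected the payload, but the point of `find_user_safe` is that the query stays correct even when validation is bypassed or a legitimate value contains a quote (an email address or a name like O'Brien would break the unsafe version outright).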
We should always collect only the minimum information needed to complete a given task. If there is no need to collect a physical mailing address, don't (this is just one example). Obviously, if you are collecting credit card information, don't offer to store the card details; keep only the transaction record.
Whether you are teaching web page development using a tool like Dreamweaver or using editors like Atom or Brackets, it is important to keep security in mind with every assignment. If you are using a framework (such as Vue.js on the client side or Laravel for PHP on the server), make certain you take advantage of the protections it already provides (Laravel's CSRF tokens and bound query parameters, or Vue's escaping of interpolated text, for example) rather than working around them. Test your applications against known vulnerabilities before deploying them (or, as a teacher, before you accept an assignment).
Use TLS (SSL) where appropriate
If you are asking for login information, make certain it is sent encrypted. One can easily obtain Let’s Encrypt certificates these days, at no cost and with automated renewal (or employ similar services). Use them. Never send credentials in plain text over the Internet, and redirect plain HTTP requests to HTTPS so a login form is never even offered unencrypted. The same applies to moving files onto the server: use SFTP or FTPS rather than plain FTP, which sends the password in the clear.
For those teaching these technologies, if you are not certain how to incorporate security into your assignments, please reach out to us in the comments. We will be glad to help.
These days, one cannot be paranoid enough.
We look forward to your comments.
Best always,
Mark DuBois
Community evangelist and Executive Director
Web Professionals