Storage Flashcards
Hardcoded Data
*Data can be directly embedded into the source code of a program, as opposed to obtaining the data from external sources (e.g. databases, files) or generating it at runtime.
Advantages and disadvantages of hardcoded data
- Fast delivery of code
- Considered an anti-pattern
- Hard to adapt
- Hard to internationalise
- Introduces security vulnerabilities
Security issues with Web applications
- Source code disclosure issues occur when the code of a web application is exposed to the public.
- Source code disclosure enables attackers to understand how the application behaves by simply reading the code and checking for logical flaws, hardcoded username/password pairs, or secret keys.
Security issues with hidden form fields
*Hidden fields are used in web pages to pass information about the current page to the server.
*Hidden fields allow us to send all kinds of information, along with form data entered by a user, without the user having to be involved in the process.
*Hidden fields can also be used to pass information back to scripts.
*Because hidden field values are sent by the browser, a user can alter them before submission; the server must validate them and must not rely on them for access decisions.
Security issues with reverse engineering
*Software reverse engineering involves reversing a program’s machine code back into source code, expressed in programming language statements.
*Someone doing reverse engineering on software may use several tools to disassemble a program.
Embedded Environment variables
*To use forms in Flask we need to configure a secret key (already covered).
*A secret key is used for securely signing the session cookie and can be used for any other security-related needs of an application.
Database security
*The storage and management of massive amounts of often sensitive data in databases makes databases a prime target for cyberattacks.
Separate Database Servers and Web Servers
- Usually this means keeping database servers in a secure, locked environment with access controls in place to keep unauthorised people out.
*It also means keeping the database on a separate physical machine, removed from the machines running application or web servers.
Use Web Application and Database Firewalls
*A database server should be protected from database security threats by a firewall, which denies access to traffic by default.
*The firewall should also prevent the database from initiating outbound connections unless there is a specific need to do so.
*In addition to protecting the database with a firewall, a web application firewall can be deployed.
Secure Database User Access
*As few people as possible should have access to a database.
*In larger organisations, automating access management using access management software should be considered.
Secure database user access security standards
*On top of this, it is wise to ensure standard account security procedures are followed:
* Strong passwords should be enforced.
* Password hashes should be stored encrypted and salted.
* Accounts should be locked after three or four failed login attempts.
* A procedure should be put in place to ensure that accounts are deactivated when staff leave or move to different roles.
Regularly Update Operating Systems and Apply Patches
*It’s important to keep operating systems and database software regularly updated with all security patches installed, to protect against the most recently discovered vulnerabilities.
*It is also important to ensure that all security controls provided by the database are enabled (most are enabled by default) unless there is a specific reason for any to be disabled.
*This is particularly important for databases connected to a large number of third-party applications that each require their own patches.
Audit and Continuously Monitor Database Activity
*This includes monitoring logins (and attempted logins) to the operating system and database and reviewing logs regularly to detect anomalous activity.
*Effective monitoring should allow compromised accounts to be spotted, whether a user is carrying out suspicious activities or a database is under attack.
*Database Activity Monitoring (DAM) software can help with this by providing monitoring that is independent of native database logging and audit functions; it can also help monitor administrator activity.
Test database security
*After a database’s security infrastructure has been constructed, it should be put up against a realistic attack.
*Hacking or auditing one’s own database puts the penetration (pen) testers in the mindset of an attacker and helps find vulnerabilities that may have been missed.
*To ensure the test is comprehensive enough, third-party services and white hat hackers that specialise in penetration testing can be hired to do the job.
Encrypt Data and backups
*A database should be regularly backed up with any backups encrypted and stored separately from the decryption keys.
*For example, encrypted backups should not be stored alongside decryption keys in plaintext.
*Regularly backing up systems not only protects against hackers but against other failures as well, such as problems with physical hardware.