A lot of things are constantly happening in the web security realm, but which are the things we should focus on and be aware of in 2020? To help you out, I have made a list of the things to keep an eye on.
1. Support SameSite cookies
Last year, Google announced that they will change the default behavior for how cookies are handled in their Chrome browser. The aim is to improve the default security on the web and to combat Cross Site Request Forgery (CSRF) attacks. One area that can be affected is when you send cookies between different domains, such as when we authenticate using OAuth/OpenID-Connect.
Other browser manufacturers will eventually start implementing the same changes.
Actions
Understand the changes!
Start testing your applications right away!
Resources
2. Don't use certificates with a lifetime longer than 1 year
Apple.com recently announced that they will no longer trust certificates that are more than one year old (398 days, to be exact)! This means that the 2-3 year certificates that we usually use today are no longer allowed.
To quote the new policy:
“ Certificates issued SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. Re-use of validation information limited to 398 days.” (source)
Actions
Review your certificates and check their lifetime.
You might want to consider automating the generation and deployment of your certificates using Let’s Encrypt
Resources
3. Start using strong two-factor authentication
Everyone should be using two-factor authentication (2FA) today! You do that, right? Not using it is a really bad idea, because you might be vulnerable to brute-force attacks like password spraying:
During a password spraying attack, the hackers use very commonly used passwords like “password123” and try that single password against all users of a given system.
To protect ourselves, we need to use multi-factor authentication, and a common way to do that is send out codes via text messages. But texts are not as safe as many of us might believe. It is actually very easy for an attacker to gain access to your phone number, which recent attacks have shown:
Instead you should use the various authenticator apps that exist for mobile phones, or even better, use hardware keys like Yubikeys
Actions
Make sure you have 2FA enabled on all your important accounts
Stop using text messages as a second authentication if possible. Complain if your service provider only supports text messages. Take your business elsewhere
Start using authenticator apps or hardware keys; you can find a good tutorial here.
In GitHub, for example, you can require that all users in your organization must use 2FA in order to access your repositories
4. Training!
The reality is that there is a war going on 24/7 on the Internet today, with robots, hackers and governments constantly trying to break into systems! This is a fact!
This means that allowing untrained developers to develop and deploy systems onto the Internet today should be considered a criminal offence, just like driving a car without a driver's education and license. The same goes for us developers, it's not okay to develop software for the web and mobile without understanding the basic concepts of web security!
Understanding the OWASP TOP-10 is of course a good starting point, but it's not enough! Securing your system is a never ending effort and you will never be done, as new vulnerabilities pop up all the time!
Actions
Make sure all your developers are trained in basic web security!
Non-developing IT-staff should also get training on how to handle social engineering, email attachments and other attacks against the organisation.
Incorporate security into your development process; Microsoft is a good starting point, as they offer their Microsoft Security Development Lifecycle (SDL).