4 important aspects in web security 2020
A lot of things are constantly happening in the web security realm, but which are the things we should focus on and be aware of in 2020? To help you out, I have made a list of the things to keep an eye on.
1. Support SameSite cookies
Last year, Google announced that they will change the default behavior for how cookies are handled in their Chrome browser. The aim is to improve the default security on the web and to combat Cross-Site Request Forgery (CSRF) attacks. One area that can be affected is cookies sent between different domains, such as when you authenticate using OAuth/OpenID Connect.
Other browser manufacturers will eventually implement the same changes.
- Understand the changes!
- Start testing your applications right away!
- SameSite Frequently Asked Questions (FAQ)
- SameSite timeline
- Auth0: Upcoming Browser Behavior Changes: What Developers Need to Know
- Microsoft Warns SameSite Cookie Changes Could Break Some Apps
- Site compatibility-impacting changes coming to Microsoft Edge
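To see what the new default will do to an application's cookies, here is an added example in Python (it is not code from the original post, nor any browser's code). It parses Set-Cookie headers and reports how Chrome's new defaults treat each one, using the two rules Chrome introduced: a cookie without a SameSite attribute is treated as SameSite=Lax, and SameSite=None is only accepted together with Secure. The sample headers are constructed; a cross-site cookie such as the OAuth/OpenID Connect state cookie is the typical case that needs the explicit SameSite=None; Secure form.

```python
"""Audit Set-Cookie headers against Chrome's new SameSite defaults.

Rules applied (Chrome 80 behaviour):
  * no SameSite attribute  -> the browser treats the cookie as SameSite=Lax,
                              so it is no longer sent on cross-site requests
  * SameSite=None          -> only accepted if the Secure attribute is set too
The sample headers below are constructed for this example.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str) -> Tuple[str, str, str]:
    """Return (cookie name, effective SameSite mode, finding) for one header."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "":
        return name, "Lax", "no SameSite attribute: defaults to Lax, cross-site use will break"
    if samesite == "none":
        if not secure:
            return name, "rejected", "SameSite=None without Secure: the cookie is dropped"
        return name, "None", "cross-site cookie explicitly allowed; make sure that is intended"
    if samesite in ("lax", "strict"):
        return name, samesite.capitalize(), "ok"
    return name, "Lax", f"unknown SameSite value {samesite!r}: treated as Lax"


def build_set_cookie(name: str, value: str, cross_site: bool = False) -> str:
    """Build a header that states its SameSite policy explicitly.

    cross_site=True is for cookies that must survive a cross-site redirect or POST,
    e.g. the state/nonce cookie of an OAuth/OpenID Connect login; it needs Secure.
    """
    policy = "SameSite=None; Secure" if cross_site else "SameSite=Lax"
    return f"{name}={value}; Path=/; HttpOnly; {policy}"


def audit_headers(headers: List[str]) -> List[Tuple[str, str, str]]:
    """Return only the cookies that need attention (anything not reported as 'ok')."""
    return [result for result in map(audit_cookie, headers) if result[2] != "ok"]


# Constructed sample: what a web app might send today, before the Chrome change.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",            # will silently become Lax
    "oidc_state=xyz; Path=/; SameSite=None",       # will be rejected outright
    "csrf=tok; Path=/; SameSite=Strict",           # fine
    "tracking=1; Path=/; SameSite=None; Secure",   # allowed, but is it intended?
]

if __name__ == "__main__":
    for name, mode, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{name:12s} -> {mode:9s} {finding}")
    print(build_set_cookie("oidc_state", "xyz", cross_site=True))
```

Run it against the Set-Cookie headers your own application emits (for example captured from the browser's network tab) to find the cookies that will change behaviour before the browser update does it for you.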
2. Don't use certificates with a lifetime longer than 1 year
Apple recently announced that they will no longer trust certificates with a validity period longer than one year (398 days, to be exact)! This means that the 2-3 year certificates commonly used today will no longer be accepted.
To quote the new policy:
“Certificates issued SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. Re-use of validation information limited to 398 days.” (source)
- Review your certificates and check their lifetime.
- You might want to consider automating the generation and deployment of your certificates using Let’s Encrypt.
- SSL Certificate Validity Will Be Limited to One Year by Apple’s Safari Browser
- Certificate lifetime capped to 1 year from Sep 2020
- Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months
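To review certificate lifetimes against the quoted 397/398-day limits, here is an added example in Python using only the standard library (it is not from the original post and not Apple's tooling). `check_cert()` works on the dict shape that `ssl.SSLSocket.getpeercert()` returns, so it can be fed a live server's certificate through `fetch_peer_cert()` or, as below, constructed sample dicts with placeholder names.

```python
"""Check certificate validity periods against the 397/398-day policy quoted above.

Added example using only the Python standard library; it is not Apple's tooling.
check_cert() works on the dict that ssl.SSLSocket.getpeercert() returns, so it can
be fed either a live server's certificate (fetch_peer_cert) or, as here, constructed
sample dicts with the same shape.
"""
import socket
import ssl
from typing import Dict, List

SHOULD_NOT_EXCEED_DAYS = 397  # "SHOULD NOT have a Validity Period greater than 397 days"
MUST_NOT_EXCEED_DAYS = 398    # "MUST NOT have a Validity Period greater than 398 days"


def validity_days(not_before: str, not_after: str) -> float:
    """Length of the validity period in days.

    The inputs use the format getpeercert() returns, e.g. 'Sep  1 00:00:00 2020 GMT'.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / 86400


def classify_lifetime(days: float) -> str:
    """'ok' within 397 days, 'warning' at 398 (allowed but discouraged), 'noncompliant' above."""
    if days > MUST_NOT_EXCEED_DAYS:
        return "noncompliant"
    if days > SHOULD_NOT_EXCEED_DAYS:
        return "warning"
    return "ok"


def check_cert(cert: Dict) -> Dict:
    """Summarise one certificate dict (getpeercert() shape)."""
    days = validity_days(cert["notBefore"], cert["notAfter"])
    # 'subject' is a tuple of RDNs, each a tuple of (type, value) pairs
    common_name = next(
        (value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"),
        "<unknown>",
    )
    return {"commonName": common_name, "days": days, "status": classify_lifetime(days)}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live server certificate (needs network; not used by the sample below)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape; the names are placeholders.
SAMPLE_CERTS: List[Dict] = [
    {"subject": ((("commonName", "three-year.example"),),),
     "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2023 GMT"},
    {"subject": ((("commonName", "edge-case.example"),),),
     "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "one-year.example"),),),
     "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2021 GMT"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(check_cert(cert))
```

The middle sample is exactly 398 days: it satisfies the MUST NOT clause but violates the SHOULD NOT clause, which is why it is reported as a warning rather than as non-compliant.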
3. Start using strong two-factor authentication
In a password spraying attack, the attackers take a single, very common password such as “password123” and try it against every user of a given system.
To protect ourselves, we need multi-factor authentication, and a common way to do that is to send codes via text messages (SMS). But text messages are not as safe as many of us might believe. As recent attacks have shown, it is actually very easy for an attacker to take over your phone number:
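Because a spray makes one guess against many accounts, it does not trip the usual per-account lockout, and detecting it means looking at failures per source instead. Here is an added example in Python (not from the original post) that does exactly that over a constructed log format: it flags any source that fails against at least five distinct users inside a ten-minute window, while a plain brute force against a single account is left to the per-account controls. The source addresses come from the documentation (TEST-NET) ranges.

```python
"""Spot a password-spraying pattern in authentication logs.

Added example, not from the original post. A spray looks different from a
brute-force attempt: one source fails against MANY distinct users (one guess each)
instead of many guesses against one user. The log format and the sample lines are
constructed; the source addresses are from the TEST-NET documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a spray from 203.0.113.7, a brute force from 198.51.100.9,
# and ordinary traffic (a typo, then a successful login) from 192.0.2.4.
SAMPLE_LOG = """\
2020-03-02T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-03-02T08:00:04Z src=198.51.100.9 user=bob result=FAIL
2020-03-02T08:00:09Z src=203.0.113.7 user=bob result=FAIL
2020-03-02T08:00:15Z src=198.51.100.9 user=bob result=FAIL
2020-03-02T08:00:21Z src=203.0.113.7 user=carol result=FAIL
2020-03-02T08:00:30Z src=192.0.2.4 user=dave result=FAIL
2020-03-02T08:00:33Z src=203.0.113.7 user=dave result=FAIL
2020-03-02T08:00:40Z src=192.0.2.4 user=dave result=OK
2020-03-02T08:00:45Z src=198.51.100.9 user=bob result=FAIL
2020-03-02T08:00:51Z src=203.0.113.7 user=erin result=FAIL
2020-03-02T08:01:02Z src=198.51.100.9 user=bob result=FAIL
2020-03-02T08:01:10Z src=203.0.113.7 user=frank result=FAIL
2020-03-02T08:01:25Z src=198.51.100.9 user=bob result=FAIL
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_spraying(log: str, window_seconds: int = 600,
                    min_users: int = 5) -> List[Tuple[str, int]]:
    """Return (src, distinct users failed within one window) for every source that
    fails against at least `min_users` different accounts inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "FAIL":
            failures[rec[1]].append((rec[0], rec[2]))

    alerts = []
    for src, events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct_users = {user for _, user in events[start:end + 1]}
            peak = max(peak, len(distinct_users))
        if peak >= min_users:
            alerts.append((src, peak))
    return alerts


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_LOG):
        print(f"possible password spray from {src}: {users} distinct users failed")
```

Note that the brute-force source (six failures, one account) is not reported by this rule; it is the distinct-user count, not the raw failure count, that characterises a spray.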
- How I was hacked, and all my cryptocurrencies were stolen!
- How to lose k worth of bitcoin in 15 minutes with Verizon and Coinbase.com
- Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Instead you should use one of the many authenticator apps that exist for mobile phones, or even better, hardware keys like YubiKeys.
- Make sure you have 2FA enabled on all your important accounts
- Stop using text messages as a second factor if possible. Complain if your service provider only supports text messages, and take your business elsewhere.
- Start using authenticator apps or hardware keys; you can find a good tutorial here.
- On GitHub, for example, you can require that all users in your organization use 2FA in order to access your repositories.
4. Train your developers in web security
The reality is that there is a war going on 24/7 on the Internet today, with robots, hackers and governments constantly trying to break into systems! This is a fact!
This means that allowing untrained developers to develop and deploy systems onto the Internet today should be considered a criminal offence, just like driving a car without a driver's education and license. The same goes for us developers: it's not okay to develop software for the web and mobile without understanding the basic concepts of web security!
Understanding the OWASP Top 10 is of course a good starting point, but it's not enough! Securing your system is a never-ending effort and you will never be done, as new vulnerabilities pop up all the time!
- Make sure all your developers are trained in basic web security!
- Non-developer IT staff should also get training on how to handle social engineering, email attachments and other attacks against the organisation.
- Incorporate security into your development process; Microsoft's Security Development Lifecycle (SDL) is a good starting point.