6 Security by scrutiny

This chapter covers

  • Understanding security as a whole
  • Leveraging threat models
  • Avoiding common security pitfalls like SQL injection, CSRF, XSS, and overflows
  • Techniques to reduce attackers’ capabilities
  • Storing secrets correctly

Security has been a commonly misunderstood problem since at least that unfortunate incident at Troy, an ancient city in what is now western Turkey. The Trojans thought their walls were impenetrable, and they felt secure, but like modern social platforms, they underestimated the social-engineering abilities of their adversaries. The Greeks withdrew from battle and left a tall wooden horse as a gift. The Trojans loved the gesture and took the horse inside their walls to cherish it. At midnight, the Greek soldiers hidden in the hollow horse got out and opened the gates, letting the Greek armies in and causing the downfall of the city. At least, that’s what we know from the postmortem blog posts of Homeros, possibly the first instance of irresponsible disclosure in history.

6.1 Beyond hackers

6.2 Threat modeling

6.2.1 Pocket-sized threat models

6.3 Write secure web apps

6.3.1 Design with security in mind

6.3.2 Usefulness of security by obscurity

6.3.3 Don’t implement your own security

6.3.4 SQL injection attacks

6.3.5 Cross-site scripting

6.3.6 Cross-site request forgery

6.4 Draw the first flood

6.4.1 Don’t use captcha

6.4.2 Captcha alternatives

6.4.3 Don’t implement a cache