6 Security by scrutiny
This chapter covers:
- Understanding security as a whole
- Leveraging threat models
- Avoiding common security pitfalls like SQL injection, CSRF, XSS, overflows
- Techniques to reduce an attacker’s capabilities
- Storing secrets correctly
Security has been a commonly misunderstood problem throughout history, as early as that unfortunate incident at Troy, an ancient city in today’s western Turkey. The Trojans thought their walls were impenetrable and that they were secure, but like modern social platforms, they underestimated the social-engineering abilities of their adversaries. The Greeks withdrew from battle and left a tall wooden horse figure as a gift. The Trojans loved the gesture and let the horse inside their walls to cherish it. At midnight, the Greek soldiers hidden in the hollow horse got out and opened the gates, letting the hidden Greek armies in and causing the downfall of the city. At least, that’s what we know from the post-mortem blog posts of Homeros, possibly the first instance of irresponsible disclosure in history.