Lumenovis

Technology Consulting and Software Development


Protecting against attack

November 19th, 2010 · No Comments

The web is a hostile place. There are no real governing or policing bodies protecting "good citizens". There are no borders. There are plenty of bad but very clever people trying to exploit the good citizens. The (current) underlying protocols (TCP/IP and HTTP) provide little in the way of protection but offer many attack vectors. In the end, it is largely up to each site to protect itself.

It's not easy, even when you're aware of the typical vulnerabilities and diligent about securing against them. Recently I was involved in a project in which an attack vector was accidentally left wide open through a one-line oversight in a Grails application. Grails has excellent built-in protections against attack vectors such as XSS (Cross-Site Scripting) and SQL injection, assuming you actually take advantage of them. In this case, our team had enabled XSS protection on pages via the "render as HTML" global configuration; this setting forces all variables written to the HTML page via GSP to be encoded as HTML. Unfortunately, we were also making heavy use of taglibs (which are not affected by the global setting), and in one taglib we failed to manually encodeAsHTML() a single parameter, which was subsequently exploited when the site was penetration tested.

One hole.  Busted.
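To make the gap concrete, here is an added illustration in the shape the post describes. It is not code from the original post or from the project involved; the taglib, namespace and attribute names are hypothetical. The global `grails.views.default.codec = "html"` setting in `Config.groovy` encodes `${...}` expressions in GSP views, but anything a taglib writes to `out` bypasses that setting and must be encoded by hand.

```groovy
// grails-app/conf/Config.groovy (fragment, assumed Grails 1.x/2.x layout):
//   grails.views.default.codec = "html"   // applies to ${...} in GSP pages only

// grails-app/taglib/GreetingTagLib.groovy (hypothetical taglib for illustration)
class GreetingTagLib {
    static namespace = "demo"

    // VULNERABLE: the taglib writes straight to `out`, so the global default
    // codec never sees this string. If attrs.name originated in a request
    // parameter, any markup it contains lands in the page unencoded.
    def greetUnsafe = { attrs, body ->
        out << "<p>Hello, ${attrs.name}!</p>"
    }

    // FIXED: explicitly HTML-encode every value that originated outside the
    // application before it reaches the response body.
    def greet = { attrs, body ->
        out << "<p>Hello, ${attrs.name?.encodeAsHTML()}!</p>"
    }
}

// In a GSP view the fixed tag is used as <demo:greet name="..."/>.
```

A cheap review check that would have caught the oversight: grep every taglib for `out <<` and confirm that each interpolated value is either a constant or passed through encodeAsHTML() (or another codec appropriate to the context, such as encodeAsJavaScript() inside script blocks) before it is written.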

Moral of the story:

- Be very familiar with ALL common (and hopefully some of the uncommon) web vulnerabilities.  A good list can be found here:  http://www.owasp.org/index.php/Top_10_2007.

- Leverage best practices in software development: code reviews, TDD, vulnerability testing, etc.

- Think like a hacker: try to crack your own site.

- If you're developing a site with critical financial or privacy data, spend the money to have high quality independent vulnerability tests performed.

I’ll be adding more security best practices and lessons learned over the coming months.


Category: Software Development