Securing your Software

Kiopa_Matt

May 13, 2011
How do you guys go about securing your software / sites? And please don't preach about some awesome ORM, and that's all you need, because you're an idiot if you believe that.

I was recently contacted by an "ethical hacker", who informed me of an SQL injection vulnerability in my software. Graciously, I thanked him, threw a little money his way, and am now trying to bring him on as a contractor. Naturally, this got me thinking as to how to further venture down this path.

For one, where do you find quality "ethical" hackers that are available for contract work? I mean, guys that will actually report the vulnerabilities they find, and not just keep it secret for themselves to exploit later. And I don't want some guy with a CompSci degree from CMU. I want some Russian who learned his skills on the black market. Considering how unconventional my life is, you'd think I'd be more black hat than I am, but I'm actually pretty straight and narrow, so have no idea where to find decent, trustable hackers. Ideas?

Then I was thinking of maybe a week-long competition. Set up a cheap dedicated box, split it into a bunch of VPSs, install the software on each VPS, and ask people to rape the hell out of it. Rate vulnerabilities found on a scale of 1 - 4 points (1 = low, 4 = severe), and whoever gets the most points gets a decent cash prize of $1500, or whatever.

Then maybe just a program that offers simple cash bonuses to anyone who finds and reports a vulnerability. Amount depends on how severe that vulnerability is.

Or what do you guys do to secure your software? Telling me you're intelligent enough to do it yourself is retarded, so don't do it.
 


use prepared statements?
 
Really man, this is why I preach using popular frameworks and libraries with a lot of maintainers rather than writing all my own shit on principle.

1) There's collective interest in keeping things secure because so many people depend on the code
2) There are a ton of really smart people who will flesh out all the edge cases I would never have thought of
3) If something does get exposed, those same really smart people will fix it quickly and I will benefit.

It's really dumb to build mission critical stuff yourself on principle unless it's for academic purposes. Build on the shoulders of giants instead.
 
I agree and disagree with you dchuk.

I like frameworks and they certainly have their place. Being maintained by several people is certainly helpful as well.

This however also opens the door to security exploits that are available for the world to see. Some frameworks even have a footprint, like error pages, etc. I watched a hacker go through a few sites and identify exactly what framework / system they were using in seconds. Leaking information is your worst enemy.

IMHO, if you follow best practices for validating data before putting it in the db and you are religious about that, then only you and people that work on your system will know how it works. If you don't leak any info to the user, it's very hard to figure out how to hack your code. I'm not saying it's impossible, just a lot harder.
 
I agree and disagree with you dchuk.

I like frameworks and they certainly have their place. Being maintained by several people is certainly helpful as well.

This however also opens the door to security exploits that are available for the world to see. Some frameworks even have a footprint, like error pages, etc. I watched a hacker go through a few sites and identify exactly what framework / system they were using in seconds. Leaking information is your worst enemy.

IMHO, if you follow best practices for validating data before putting it in the db and you are religious about that, then only you and people that work on your system will know how it works. If you don't leak any info to the user, it's very hard to figure out how to hack your code. I'm not saying it's impossible, just a lot harder.

Security through obscurity is a terrible way to go about protecting anything actually valuable. XSS and SQL injection attacks don't care what framework or platform you're running on. This is exactly the situation Kiopa_matt is facing, and it's because he probably has at least some of the security through obscurity mentality in his blood. Look how that is playing out, he's now getting postcards from ethical hackers...

Rails 4 had like tens of thousands of pull requests from thousands of people. I could never personally recreate the system they've built or match the security levels they've attained.
 
Ok, so the majority don't take any pro-active steps to ensure the security of their software / sites, and for the most part rely on 3rd party software / frameworks / developers. Fair enough.

I'm not going to get into the framework debate, as that's just a circular discussion that will never lead anywhere. However, you constantly have guys like Nginx, Apache, MySQL, Red Hat, Microsoft, and so on releasing security patches to their software, and this is what our stuff runs on. If you think your sites / software are 100% secure because you're using some 3rd party popular framework, then that's simply delusional.

Security is a constant thing, and I was just curious what, if any, pro-active steps you guys take to lock down your stuff.
 
If you're looking for quality pen-testers, I'd just go to wherever pen-testers hang out and start asking around. Looking for communities built around the keywords 'pen testing' and 'backtrack' would be where I started.
 
Ok, so the majority don't take any pro-active steps to ensure the security of their software / sites, and for the most part rely on 3rd party software / frameworks / developers. Fair enough.

I'm not going to get into the framework debate, as that's just a circular discussion that will never lead anywhere. However, you constantly have guys like Nginx, Apache, MySQL, Red Hat, Microsoft, and so on releasing security patches to their software, and this is what our stuff runs on. If you think your sites / software are 100% secure because you're using some 3rd party popular framework, then that's simply delusional.

Security is a constant thing, and I was just curious what, if any, pro-active steps you guys take to lock down your stuff.

There's no such thing as 100% secure. The obvious answer is keep packages up to date. How did you fix the SQL injection? And are your self-hosted users going to instantly install that fix?
 
Ok, so the majority don't take any pro-active steps to ensure the security of their software / sites, and for the most part rely on 3rd party software / frameworks / developers. Fair enough.

I'm not going to get into the framework debate, as that's just a circular discussion that will never lead anywhere. However, you constantly have guys like Nginx, Apache, MySQL, Red Hat, Microsoft, and so on releasing security patches to their software, and this is what our stuff runs on. If you think your sites / software are 100% secure because you're using some 3rd party popular framework, then that's simply delusional.

Security is a constant thing, and I was just curious what, if any, pro-active steps you guys take to lock down your stuff.

Using software/frameworks that are actively maintained and relied upon by many coders is about as pro-active as you can get. Again, there is a large group of people who depend on these frameworks being secure, so they will proactively maintain it with that in mind.

Security patches are a *good thing*, it means people are watching and fixing code.

Are you arguing that the custom stuff you've written is more secure because it's not as popular?
 
Are you arguing that the custom stuff you've written is more secure because it's not as popular?

Let's say custom stuff is more secure through blind SQLis [since there's no exploit for script kiddies to run bots], but if there's a dedicated attack, then there's a bigger chance there's a hole that somebody used and you won't even notice.
I'm up for premade frameworks; you can do your 'custom' security on it etc., and that's better than looking for holes in a plain new script.
 
all you need to do is strip slashes and turn globals off

+1 Basically what I do: make sure all the forms, inputs, GETs, POSTs are secure. Good security starts with good programming and also locking servers down tightly in the first place.

Pick up a book on hacking and have a quick browse through, then write a good sanitize function for your inputs.
 
+1 Basically what I do: make sure all the forms, inputs, GETs, POSTs are secure. Good security starts with good programming and also locking servers down tightly in the first place.

Pick up a book on hacking and have a quick browse through, then write a good sanitize function for your inputs.

Until someone finds out your handmade function forgot something, that frameworks etc had covered years ago. It happened to Kiopa_Matt, it could happen to you.
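The "use prepared statements?" reply and the "write a good sanitize function" advice above are two sides of the same point, so here is an added example (not code from anyone in this thread) that shows the gap a hand-rolled sanitizer leaves and why a bound parameter closes it. It uses Python's standard-library sqlite3 and a constructed three-row users table; the function and table names are illustrative only.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def naive_sanitize(value):
    """A hand-rolled 'sanitize function' of the kind suggested above.

    It strips quotes and backslashes, which looks thorough but only helps when
    the value lands inside a quoted string literal in the SQL text.
    """
    return value.replace("'", "").replace('"', "").replace("\\", "")


def find_by_id_sanitized(conn, user_id):
    """Vulnerable: the 'sanitized' value is concatenated into an unquoted
    numeric context, so the quote-stripping above has nothing to strip and
    whatever SQL the caller passed is parsed as part of the statement."""
    sql = "SELECT name FROM users WHERE id = " + naive_sanitize(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_prepared(conn, user_id):
    """Safe: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the statement text, so it can
    never be parsed as SQL regardless of what characters it contains. The int()
    check is defense in depth: a non-numeric id is rejected before the query.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Normal input behaves the same either way.
    print(find_by_id_sanitized(db, "2"), find_by_id_prepared(db, "2"))
    # Input that is valid SQL in a numeric context slips past the sanitizer but
    # is rejected by the parameterized version.
    malformed = "2 OR 1=1"
    print(find_by_id_sanitized(db, malformed), find_by_id_prepared(db, malformed))
```

The lesson is the one the reply above makes: a sanitizer has to anticipate every context the value can end up in (quoted string, bare number, identifier, LIKE pattern), and the day it misses one is the day it fails. Parameter binding does not depend on that guess, which is why it is the baseline rather than an optional extra.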
 
Would an ORM have prevented this SQL injection? Can you share it?

Actually, I jumped the gun on this thread, and he has yet to prove himself. He did send some sensitive data though to prove himself, which I now know how he got. That was a server issue which I overlooked.

He told me about the other "vulnerability", but it's just not true, so I'm not sure what he's talking about.

Nonetheless, this little episode got me paranoid about this stuff now, so will have to set up something. $500 cash for every decent-sized vulnerability found, or something.

Are you arguing that the custom stuff you've written is more secure because it's not as popular?

No, I'm saying if the big boys like Microsoft and Apple can't keep security vulnerabilities out of their software, and you still have banks, airlines, government depts, and so on being hacked into, then it's pretty naive to believe your software is 100% secure because you're using a popular framework.
 
+1 Basically what I do: make sure all the forms, inputs, GETs, POSTs are secure. Good security starts with good programming and also locking servers down tightly in the first place.

Pick up a book on hacking and have a quick browse through, then write a good sanitize function for your inputs.

What I said was a troll post, and you good sir paid the toll