Source: Bruce Schneier
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
When you design, plan, review, write, or modify systems or code you must maintain a security mindset at all times. You must first be aware of the kinds of threats that face your system, who might pose those threats, how those threats might be exploited (for instance, a rival company may want to launch a DoS attack, or an illegitimate user may want to get content without paying for it). Second you must reduce as much as possible the amount of the system that is exposed to those threats (for instance you could put a server behind a firewall or require SSL authentication so that only someone who gets past the wall can even try to find and exploit vulnerabilities). Finally you must use best practices to eliminate common web-specific and other application-specific vulnerabilities from your code.
Of utmost importance is that you absolutely protect models’ and customers’ personally identifying and billing information with the highest possible level of security awareness and precautions. You must also protect against privilege escalation, denial of service, and brute force attack. Access to any privilege within the system must be limited only to those staff members who require the access to perform their duties.
Take care with where and how you store MySQL dumps and source code and the overall security of your workstation. Imagine what might happen if a malicious attacker had a Trojan program running within our office network. Your own workstation must be at least as secure as the public web servers.
Remember that security is about human behaviour as much or more than it is about technology. Do not assume that users will choose secure passwords. Do not assume that users are trustworthy. Do not assume that every layer of your security is bug-free (always have multiple layers of security to minimize the damage from an outer layer being compromised).
All security compromises that lead to a loss of service, a loss of data, or exposure of sensitive information to third parties, must be immediately reported to the CEO. Failure to report a compromise as soon as it is identified will result in termination of your employment. We understand that humans make mistakes and that no system is perfectly secure, but the CEO must be given the opportunity to mitigate any compromise immediately.
Threat modelling is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures exist that mitigate the threats.
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services.
One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. All code has a nonzero probability of containing vulnerabilities. By having less code available to unauthenticated users, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage a hacker could inflict once a vulnerability is found.
In web applications there are several types of general threat that you must be aware of and you must always actively defend against. These include:
- Code Injection – Use appropriate escaping or statement preparation techniques to prevent malicious user-supplied data from being inserted into HTML, SQL, or source code. http://en.wikipedia.org/wiki/Code_injection
- Cross Site Request Forgery (CSRF) – Use a user-specific encrypted token in every request that has a side effect. http://en.wikipedia.org/wiki/Cross-site_request_forgery
- Platform Vulnerabilities – Apache or Linux may contain vulnerabilities. They should be kept up to date with the latest patches at all times. Extremely valuable data/services should be kept behind a firewall or SSL protected.