If debugging is the process of removing software bugs, then programming must be the process of putting them in. In most cases the bugs we introduce are harmless, but sometimes they can cause us to lose hundreds of millions of dollars in a few minutes, crash airplanes and spaceships, and kill people. Today I want to tell you some stories about the most damaging hacks and bugs throughout history and explain software security concepts that every developer should know:
There are billions upon billions of lines of code in production today: around 50 million lines for Microsoft Windows and over 2 billion lines across all Google services. Within all this code there are vulnerabilities that have either not yet been discovered or not yet been fixed. These are known as zero-day vulnerabilities because, as a developer, you have zero days to get them fixed; when an attacker decides to go after such a vulnerability, it's known as a zero-day exploit.
Story of the Equifax hack
Remember that one time Equifax exposed the credit reports of a hundred and fifty million people? That wasn't the result of a zero-day exploit; it was the result of a known bug in Apache Struts that had already been fixed weeks earlier. Attackers, apparently from China, had been scanning the web for servers with this vulnerability; they hit the mother lode with Equifax and extracted sensitive information over the next 76 days. The breach has cost the company over a billion dollars and could have been prevented by installing a simple security patch. Being hacked through a known vulnerability is not uncommon at all; in fact, you're likely shipping code with a lot of known vulnerabilities right now.
I didn't mean to say that last part; it was somehow injected into this video. Back in 2005 a guy named Samy used an exploit known as cross-site scripting to update other users' MySpace profiles with his own text. Within a day it had spread to over a million users. It was mostly harmless, but they did arrest Samy, convicted him of a felony and, worst of all, took away his internet for a year. Here's how a cross-site scripting exploit occurs.
How do you avoid cross-site scripting attacks as a developer?
Well, the attacker first needs to save some malicious code on your server, so step one is to do some server-side validation of incoming data: if it's surrounded by script tags, you might not want to save it. But let's imagine you fail to sanitize the incoming data. The attacker then still needs a way to run that script on the client-side device, so the attacker is counting on you to render out the raw HTML of the script. Fortunately, modern front-end frameworks make it really difficult to shoot yourself in the foot. In React, for example, if you want to write unsafe code you have to use the dangerouslySetInnerHTML prop to do so.
So with cross-site scripting we have malicious code running in the browser, but it's also possible to run bad code directly on a database.
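The two layers described above, as an added example that is not part of the original post: a server-side check that refuses to store script tags, and output encoding at render time so stored text can never become markup. The profile bios and the tiny render functions are constructed for this example.

```python
import html
import re
from typing import Optional

# Constructed sample inputs (not from the original post).
HARMLESS_BIO = "Hello, I love <3 cats & dogs"
MALICIOUS_BIO = '<script>alert("xss")</script>'

# Step one from the post: server-side validation that refuses to store script tags.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def looks_like_script(value: str) -> bool:
    return SCRIPT_TAG.search(value) is not None


def save_bio(value: str) -> Optional[str]:
    """Returns the value to store, or None when the input is rejected."""
    if looks_like_script(value):
        return None
    return value


def render_profile_unsafe(bio: str) -> str:
    """The mistake the attacker counts on: stored text dropped into the page as raw HTML
    (what React only lets you do through dangerouslySetInnerHTML)."""
    return f"<div class='bio'>{bio}</div>"


def render_profile_safe(bio: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so the browser shows the text
    instead of executing it. This holds even if the tag check above was skipped, which is
    why escaping at render time is the layer you must not drop (the tag check is a blocklist)."""
    return f"<div class='bio'>{html.escape(bio, quote=True)}</div>"


def demo() -> dict:
    return {
        "rejected_on_save": save_bio(MALICIOUS_BIO) is None,
        "unsafe_render_has_script": "<script>" in render_profile_unsafe(MALICIOUS_BIO),
        "safe_render_has_script": "<script>" in render_profile_safe(MALICIOUS_BIO),
    }


if __name__ == "__main__":
    print(demo())
```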
A story of hacking using SQL injection
Let's go back to 2008 and look at a company named Heartland Payment Systems, a company with the highest standards and the most trusted transactions, and also a company that was the target of one of the most elaborate and interesting hacks of all time. The attackers first gained access to the company's databases by using a technique known as SQL injection: instead of sending the expected data to the database, they sent raw SQL statements, and because the data was not validated, the database would run this code as if it came from the developers. This particular database contained the information you would find on the magnetic strip on the back of a credit card, and they used this stolen data to create counterfeit credit cards that actually worked. It's estimated that over a hundred million cards were compromised, and hacker Albert Gonzalez was sentenced to 20 years in prison. Injection attacks similar to this affect many different types of databases.
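The injection just described, and the parameterized-query fix that an ORM or input validation gives you, as an added example that is not part of the original post. The in-memory SQLite table, holder names and last-4 digits are constructed stand-ins, not Heartland's data.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed in-memory stand-in for a card-data table; names and digits are made up.
SAMPLE_ROWS = [("alice", "1111"), ("bob", "2222"), ("carol", "3333")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT NOT NULL, last4 TEXT NOT NULL)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, holder: str) -> List[Tuple[str, str]]:
    # The bug: untrusted text is spliced into the SQL, so a quote in it rewrites the query.
    sql = f"SELECT holder, last4 FROM cards WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, holder: str) -> List[Tuple[str, str]]:
    # The fix (what an ORM does for you): the value is a bound parameter, never SQL text.
    return conn.execute("SELECT holder, last4 FROM cards WHERE holder = ?", (holder,)).fetchall()


# Second layer from the post: validate the shape of the input before it reaches the database.
HOLDER_OK = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")


def valid_holder(holder: str) -> bool:
    return HOLDER_OK.fullmatch(holder) is not None


def demo() -> Tuple[int, int, int]:
    conn = build_db()
    injected = "x' OR '1'='1"
    return (
        len(lookup_unsafe(conn, "alice")),   # 1 row: the expected behaviour
        len(lookup_unsafe(conn, injected)),  # every row: the WHERE clause became always-true
        len(lookup_safe(conn, injected)),    # 0 rows: no holder is literally named that
    )


if __name__ == "__main__":
    print(demo())
```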
Are API keys helpful or not?
If you use an ORM (object-relational mapping tool) for your database, you should be safe from attacks like this, but of course it's always a good idea to validate your input before it's sent to your database. Another very easy way to create a big problem as a developer is to expose or leak a sensitive API key. You can think of a private API key as a username and password bundled up into a single string; it allows your servers to securely communicate with paid services like AWS, Google Cloud and so on. A few years ago I accidentally leaked my AWS API key, and it was almost really bad. I was using the Node SDK for a service that required the API key, and I hard-coded the API key directly in the source code instead of setting it as an environment variable. I then proceeded to push the source code to a public GitHub repo. A few weeks went by, and then all of a sudden I got a notification from AWS that I'd maxed out my budget. When I logged into my AWS account I had racked up charges of around $5,000 for EC2 instances running all over the world. Luckily, Amazon was nice enough to refund those charges.
But it definitely made me feel like an idiot. Nowadays automatic scanners can often detect if you have an exposed API key and email you. But GitHub isn't the only place you might leak an API key: when you include a private key in a client-side web or mobile app, a hacker might be able to find it directly in your source code.
Now if you do end up with an exposed API key, you can fix the problem by simply rolling it to a new value and, of course, removing it from any public repository or source code. Many good APIs will help you minimize the damage by allowing you to assign privileges to a specific API key. This allows you to follow the principle of least privilege and only give API keys access to the resources they actually need, which will mitigate the amount of damage that can be done if that key does end up being leaked.
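The kind of check those automatic scanners run, plus the environment-variable fix from the story above, as an added example that is not part of the original post. The two source snippets are constructed; the key values in them are the placeholder credentials AWS uses in its own documentation, not live keys, and the regexes assume AWS's documented key formats.

```python
import re
from typing import Dict, List

# Constructed source snippets. The literal values are the placeholders from AWS's own
# documentation (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not real keys.
HARDCODED_SNIPPET = '''
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
});
'''
ENV_SNIPPET = '''
const s3 = new AWS.S3({
  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
});
'''

# Access key IDs are 20 chars: AKIA (long-lived) or ASIA (temporary) + 16 upper-case letters/digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-style chars; only flag them when assigned as a quoted literal.
SECRET_LITERAL = re.compile(r"""(?i)secret[_-]?access[_-]?key\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]""")


def scan_source(text: str) -> List[Dict[str, object]]:
    """One finding per hard-coded credential, with the line it sits on (secret itself redacted)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(0)})
        if SECRET_LITERAL.search(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "value": "<redacted>"})
    return findings


def key_from_env(env: Dict[str, str]) -> str:
    """The fix from the post: read the key from the environment and fail loudly if it is
    absent or malformed, instead of falling back to a literal in the source."""
    key = env.get("AWS_ACCESS_KEY_ID", "")
    if not ACCESS_KEY_ID.fullmatch(key):
        raise RuntimeError("AWS_ACCESS_KEY_ID missing or malformed; refusing to start")
    return key


if __name__ == "__main__":
    for finding in scan_source(HARDCODED_SNIPPET):
        print(finding)
```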
If we look at a major cloud provider like AWS, we'll see that they offer hundreds of different services, and they might be used by a company with thousands of employees working on different projects. Sharing a single API key that has access to everything would be a very bad idea. Instead, the major cloud providers have a system called IAM (identity and access management) which allows you to create groups or roles for your organization. Once you've created a role, you can attach a policy to that role to give it access to the services it needs. Implementing fine-grained access control over your data is more important than ever.
A story of a Morrisons supermarket employee
In 2016 an employee of Morrisons supermarkets in the UK stole the private data of over 100,000 employees. The rogue employee did it by simply copying the data onto a USB stick. Now this is obviously unethical and illegal on the employee's part, but the company itself is facing a huge lawsuit, and the penalties for data breaches are becoming larger with laws like GDPR in the EU.
What is the CIA triad?
So the bottom line here is to always follow the principle of least privilege when it comes to accessing your customer or employee data. Speaking of data, you might come across something called the CIA triad. It's a model for data security that stands for confidentiality, integrity and availability. Generally speaking, you make data confidential by implementing user authentication so only authorized users can access the data. Integrity means the data can't be accidentally modified or deleted without the user's authorization.
How do you make your data highly available?
In 2018 GitHub survived the biggest DDoS attack (distributed denial-of-service attack) in history. It took GitHub down for less than 10 minutes, but that's still a pretty big deal considering how many people around the world depend on GitHub at any given moment. A DDoS attack works by flooding a service with so much traffic that it fails to scale and completely stops working. Smaller sites might not be so lucky; in some cases DDoS attacks have been used to shut down a service and then request a ransom from the owner.
How do you protect yourself?
Well, the simple answer is to be ready to scale, and that likely means using a big cloud provider service like Google Cloud Armor, which has the bandwidth to handle attacks like this and can also prevent many other attacks. But at the end of the day, nobody's application is 100% safe. There are likely hackers out there right now using zero-day exploits that we don't know about yet, and it's only a matter of time before the next major data breach is in the headlines.