Through the course of Web Security TC2017 we reviewed many topics related to security not only applied to web but also, to any system.
In this blog I would like to explain how these topics were useful when developing and planning our Semestre i Project and of course, their application on it.
Learning applied to the project
CIA (Confidentiality, Integrity and Availability)
- Confidentiality: We took privacy very serious and this is why we encrypted every password and login credentials for our teachers, directives and students.
- Bcrypt: We applied this hashing function to hash our password in the database. This is a standard library, open source, easy to use and of course, a powerful tool to keep real information safe.
- JSON Web Tokens: Instead of using normal sessions, we applied JWT to detect authenticated users using the HS256 signing algorithm.
- Protected views: All views, which need authentication are protected and no one can get access unless the have a valid token.
- Integrity: We setup a RESTful API with JWT validations to prevent access to the data using direct API manipulation (POST, DELETE, GET and PUT).
- To maintain the information safe and protected we took the following measures:
- SSL: When taking the project to production, we will be using OpenSSL to encrypt the communication between the client and server.
- SSH over a private_key: Only the administrators with the .key file will be able to access to the server through SSH. With this, we prevent bruteforce attempts under the port 22 which is very common.
- User permissions: All users can only access to their own API levels. For example, a Teacher can’t manipulate a student’s data if this student is not in the same group in which the Teacher was assigned.
- Software updates: The project is running Node.js and all the required libraries under their latest stable versions to prevent any vulnerability on them causing data’s compromise.
- Availability: This rule will apply when releasing the software in a production server.
- Scalable hosting: We will use AWS EC2 service to setup the server. By using Amazon, we can increase the server power and space without migrating anything. We pay on demand.
- Firewall setup: We won’t allow remote access to the database, the only port allowed for public access will be 80 and 443 and any other will be restricted by IP.
- Weekly backups: We could have a EBS volume in AWS to create snapshots of the server in order to maintain the information saved.
- To maintain the information safe and protected we took the following measures:
Personal learning
Since this class, I started using 1Password as my password manager. I was bit scared about taking this step and trusting a company to manage my password but as Ken said once: “You will always need to trust someone”.
I also learned about keybase.io, which is an amazing web and mobile app to send free end-to-end encrypted file and messages. By the way, open source.
Finally, I really found interesting all the video blogs about security. Amazing sources to stay updated about the topic by security experts.