Computing security and how it applies to STATs

Through the course of Web Security TC2017 we reviewed many topics related to security, applied not only to the web but also to any system.

In this blog I would like to explain how these topics were useful when developing and planning our Semestre i Project and, of course, their application to it.

Learning applied to the project

CIA (Confidentiality, Integrity and Availability)

  • Confidentiality: We took privacy very seriously, which is why we encrypted every password and login credential for our teachers, directors and students.
    • Bcrypt: We applied this hashing function to hash our passwords in the database. This is a standard library, open source, easy to use and of course, a powerful tool to keep real information safe.
    • JSON Web Tokens: Instead of using normal sessions, we applied JWT to identify authenticated users, using the HS256 signing algorithm.
    • Protected views: All views that need authentication are protected, and no one can get access unless they have a valid token.
  • Integrity: We set up a RESTful API with JWT validations to prevent access to the data using direct API manipulation (POST, DELETE, GET and PUT).
    • To keep the information safe and protected we took the following measures:
      • SSL: When taking the project to production, we will be using OpenSSL to encrypt the communication between the client and server.
      • SSH over a private_key: Only the administrators with the .key file will be able to access the server through SSH. With this, we prevent brute-force attempts on port 22, which are very common.
      • User permissions: All users can only access their own API levels. For example, a Teacher can’t manipulate a student’s data if this student is not in the same group to which the Teacher was assigned.
      • Software updates: The project is running Node.js and all the required libraries under their latest stable versions to prevent any vulnerability in them from compromising data.
  • Availability: This rule will apply when releasing the software on a production server.
    • Scalable hosting: We will use the AWS EC2 service to set up the server. By using Amazon, we can increase the server power and space without migrating anything. We pay on demand.
    • Firewall setup: We won’t allow remote access to the database; the only ports allowed for public access will be 80 and 443, and any other will be restricted by IP.
    • Weekly backups: We could have an EBS volume in AWS to create snapshots of the server in order to keep the information saved.

Personal learning

Since this class, I started using 1Password as my password manager. I was a bit scared about taking this step and trusting a company to manage my passwords, but as Ken said once: “You will always need to trust someone”.

I also learned about keybase.io, which is an amazing web and mobile app to send free end-to-end encrypted files and messages. By the way, it is open source.

Finally, I found all the video blogs about security really interesting. They are amazing sources for staying updated on the topic, made by security experts.

 

The importance of CIA: confidentiality, integrity and availability

In network security, there are 3 fundamental concepts called availability, confidentiality, and integrity. If any of the 3 is not present, the other 2 can’t be achieved either.

Taken from https://www.checkmarx.com/2016/06/24/20160624the-importance-of-database-security-and-integrity/

Availability

We need to make sure that all our systems and networks stay up and running properly 24/7. This term involves everything related to capacity, performance, and software/hardware failure.

We must be prepared to prevent any data loss with regular backups stored in more than one place, and we need trained people capable of restoring the information in a fast and secure way. Our system infrastructure must be redundant, so that a hardware, software or power supply failure does not cause a service interruption.

Availability also involves the correct firewall and infrastructure setup in our network to prevent any kind of network stress attack, which is a very common threat now. DDoS attacks are probably the best example of stress attacks on the Internet that can easily affect our network if we don’t have the right setup to mitigate them. Many data centers already offer their clients in-house protection, but the best way to protect ourselves without depending on any third party is to have our own firewall with the correct rules, closing any unnecessary incoming traffic and, of course, hiding our server’s public IP using CloudFlare.

Integrity

All the information shared and sent between our systems and network can’t be modified or taken without our permission.

Hackers are a threat, and the best way to stop them is to be prepared. We need to control access to our information with securely hashed passwords, access logs enabled so we can analyze unusual traffic, system firewalls, and least-privilege restrictions on users and database access.

Confidentiality

Confidentiality means protecting information against unauthorized access or disclosure by any individual or system.

Nowadays, online confidentiality is more compromised than ever. Security expert jobs are in huge demand at companies simply because the Internet is growing exponentially and, therefore, so are online threats.

We can see hackers threatening big companies with the release of private information such as movies and executive documents, and we can see many websites like WikiLeaks anonymously publishing confidential information about governments. I could go on with many examples of how confidentiality can be a nightmare if we don’t take it seriously.

As Software Engineers, we have the obligation to implement safety measures starting at the network level, then at the system level and finally, at the final application or service. One way to do this is by using data encryption, which is a must today. We need to hide sensitive information in a way that intruders can’t decode.

Conclusion

We need to make sure availability, confidentiality and integrity work together to keep our network, systems, and applications secure.
