Saturday, January 16, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Technology Companies

Think your apps are secure in the cloud?

March 19, 2019
in Technology Companies
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Credit: IBM

Learn how to safeguard your software

You might also like

The Eclipse Foundation’s move to Europe will bring open standards and open source together – IBM Developer

Kafka Monthly Digest – December 2020 and 2020 in review – IBM Developer

Learn new skills while working on volunteer projects – IBM Developer


Comments

The cloud is not secure. Developers know through experience that software
and servers get hacked thanks to bad code and insecure Internet
connections to remote servers and data centers. You can compare using the
cloud to having valuables that are locked up in a suitcase in a parking
lot. By nature, both are susceptible to attacks. In this article, we
explain the reasons why the cloud is not secure, but we also examine ways
to mitigate any insecurities by illustrating some Django examples through
the inception of BugHeist.

“There is a lot of flawed JavaScript, PHP, and Python code
that create holes into which hackers inject malicious JavaScript and
SQL. Delivered through email attachments, links and browsers, this bad
code crawls into cloud-based databases where hackers can execute
remote commands to steal proprietary data.”

Why your apps might be weak

Many software developers and security professionals point to the lack of
secure software that is built into the Software Development Life Cycle
(SDLC) as a huge reason why there are so many software vulnerabilities.
Add tight deployment deadlines, and you have the culprits that contribute
to the epidemic of bugs that infiltrate internet-connected platforms and
devices that consumers and companies use, which exist in computer
networks, data centers, cloud computing platforms, and mobile
applications.

There is a lot of flawed JavaScript, PHP, and Python code that create holes
into which hackers inject malicious JavaScript and SQL. Delivered through
email attachments, links and browsers, this bad code crawls into
cloud-based databases where hackers can execute remote commands to steal
proprietary data.

Many developers fail to secure their data by forgoing Secure Sockets Layer
(SSL) certification and validation in their application development
practices to release an application as soon as possible. The SSL protocol
includes a certificate that ensures files that are housed on your web
server are encrypted when they are sent back and forth over the Internet
to visitors’ browsers by using Hypertext Transfer Protocol Secure (HTTPS).
Without HTTPS and SSL protection, hackers can conduct man-in-the-middle
attacks by intercepting and monitoring data packets through the routers in
their LAN and WAN networks.

They can also hijack data through an Address Resolution Protocol (ARP)
spoof. This works when hackers search for specific IP and Media Access
Control (MAC) addresses on a local network. Once they identify their
targets’ IP and MAC addresses, ARP will grab and impersonate them sending
data packets to unsuspecting users from their routers.

Over the last several years, APIs became integral to application
development. They add features and functionality to websites and mobile
applications automatically, but they are also insecure. Do you test the
third-party APIs you added to your scripts to check whether they allow bad
actors in your software environment? Many APIs fail to include methods
like OAuth and two-factor authentication to safeguard data traveling to
and from cloud-based servers and data centers. OAuth uses tokens to
validate and secure data between the client and server, and it’s open
source.

Many applications compromise user data as a result of an organization’s
flawed software security policy. Last year, we created a
collaborative work group through a third-party cloud collaboration tool
for Alpha One Labs, a Brooklyn maker space where we created prototypes for
an LCD hat, laser scrolling sign, 3D POV display, smart recycling bin and
a robotic food exchange. The email addresses in this work group were
exposed publicly and getting scraped and spammed. The cloud company was
contacted about this issue, but it took approximately 2 to 3 months before
the company created a feature that secured the addresses and made them
private.

Frustrated with this cloud company and various other
organizations that failed to address their software security issues
(allowing them to remain active for weeks or months after being notified),
an application that uses Django called BugHeist was born. It rewards individuals for reporting and
fixing software and hardware bugs that they find on the Internet, which
range from security weaknesses to design, performance and functionality
issues.

Why Django?

We considered a number of frameworks/platforms when he had the idea of
building BugHeist, including C++, Java, and PHP. After we analyzed these
frameworks, we decided that Django would make the most sense since it
protects data from the most common software-hacking attacks by embedding
secure code in its framework.

Since BugHeist’s launch in July 2016, the site has helped approximately
100 companies identify and address over 350 software bugs and issues. For more
details about Django’s open source framework, visit djangoproject.com.  
To learn more about BugHeist’s open source platform, you can visit the GitHub
repository at https://github.com/owasp/blt.

Let’s look at some specific Django examples regarding cloud security
issues. Django enables you to activate software that will protect your
site from the following security problems: Cross-site request forgery,
cross-site scripting, SQL injection, clickjacking, insecure SSL/HTTPS, and
unprotected host header validation. We’ll go over these security risks in
detail below.

Cross-site request forgery (CSRF)

CSRF happens when a browser that contains malicious code steals data from a
web server and sends it to a fake site. Another instance can be a website
that houses an A frame, image tag, or when other bad code triggers an
insecure HTTP request to a fraudulent website.

Because the initial browser request was approved by the website’s HTTPS/SSL
protocol with embedded authentication tokens, the web server verifies and
executes the malicious codes’ commands as if it was the user’s intentional
browser request. In reality, the malicious code altered the original code
in the browser’s initial request, engineering it to steal unauthorized
data while it masquerades as the unsuspecting user.

Activating Django’s CSRF middleware, ensures that forms with POST elements
are free from code that create requests to steal unauthorized data from
your site.

Here is the sample code that protects BugHeist from cross-site request
forgery. It is included by default in Django’s Middleware Classes section:
django.middleware.csrf.CsrfViewMiddleware

To ensure that attackers don’t steal proprietary information through code
that’s injected into BugHeist’s “Post” HTML and PHP/Python, we coded the
following CSRF Token tag:

<form class="form" action="/issue/"/method="post" enctype="multipart/form-data">
{% csrf token %}

Cross-site scripting (XSS)

Hackers inject malicious code into websites and mobile applications by
using this method of cross-site scripting. This code is embedded into an
unsuspecting user’s browser, which retrieves unauthorized data and sends
it to suspicious parties.

Stored XSS is when the malicious code scripts are housed on the website
servers and is executed upon a browser’s request to the back end. When a
user sends a browser request that is embedded with scripts that steal code
from servers, this is called Reflected XSS.

By default, Django escapes or protects variables in your software
environment, unless they are marked explicitly as “safe.”

Check out our library for more articles on SQL injection here.

SQL injection

If developers fail to sanitize their input code when they develop
applications for a SQL database, it gives individuals the perfect vector
to grab proprietary data from the back end.

Hackers simply look for a vulnerable location in the code and insert SQL
queries that return data they can sell on the Dark Web or use to blackmail
organizations, like hospitals or government agencies.

When you use Django, you have SQL injection defenses through built-in
Object Relational Mapping (ORM). Another software layer that uses
object-oriented programming instead of SQL code, ORM gives you a method to
access, write, and update secure queries over and over again. Because it
allows you to write queries in the programming languages with which you
are familiar, ORM helps speed up back-end updates.

Clickjacking

In this scenario, users click buttons or links on sites and mobile
applications that disguise malicious code that redirect their actions
without their knowledge.

Django automatically detects and protects websites from suspicious iframe
requests through a middleware option that prevents browsers from rendering
scripts that contain this bad code. It also features PBKDF2 and bcrypt,
encryption standards that cannot get cracked by using rainbow tables with
decrypted password hashes. PBKDF2 and bcrypt also take a significant
amount of time to compute or create since they use a salt function to
further randomize data, making it challenging for hackers to brute force
them.

Insecure SSL/HTTPS

Website and mobile application servers that don’t have HTTPS and SSL
architecture invite hacking attacks. Without this protocol, users’
browsers will not be able to confirm a secure connection between it and
the server because they will not be able to verify the site’s domain name,
organization that owns the site, and other credentials that are encrypted
in a certificate that is issued by a third-party certificate
authority.

To protect your website or mobile application, all of your connections
should feature a HTTPS header in every page to which your site connects.
HTTPS is part of an Internet security protocol that incorporates an HTTP
Transport Security (HSTS) policy. This policy enables developers to
register their certificates with browsers so that they are preloaded with
HTTPS credentials they can validate on demand. Also, any HTTP request sent
to your web application will be converted into an HTTPS connection with
Django.

The following code shows the SQL and JavaScript code that protects the
database from SQL injection and insecure HTTP/SSL requests in Django:

if ‘DATABASE_URL’  in os.environ:
DEBUG = False
EMAIL_HOST = ‘smtp.sendgrid.net’
EMAIL_HOST_USER = os.environ.get ( ‘SENDGRID_USERNAME ’, ‘blank’)
EMAIL_HOST_PASSWORD = os.environ.get (‘SENDGRID_PASSWORD’ , ‘blank’)
EMAIL_PORT = 587
EMAIL_USE_TLS = True
If not TESTING:
     SECURE_SSL_REDIRECT = True
 
GS_ACCESS_KEY_ID = os.environ.get ( ‘GS_ACCESS_KEY_ID’ , ‘blank’)
GS_SECRET_ACCESS_KEY = os.environ.get ( ‘ GS_SECRET_ACCESS_KEY’ , ‘blank’)
GS_BUCKET_NAME = ‘bhfiles’
DEFAULT_FILE_STORAGE = ‘storages.backends.gs.GSBotoStorage’
GS_FILE_OVERWRITE = False
GS_QUERYSTRING_AUTH = False
MEDIA_URL = “https://bhfiles.storage.googleapis.com/”
 
ROLLBAR =  {
‘access_token’ : os.environ.get ( ‘ROLLBAR_ACCESS_TOKEN’ , ‘blank’),
‘environment’ : ‘development’ if DEBUG else ‘production’ ,
‘root’ : BASE_DIR,
‘exception_level_filters’:  [
(Http404, ‘warning’ )
]
}
import rollbar
rollbar.init (**ROLLBAR)
 
# local dev needs to set SMTP backend or fail at startup
if DEBUG:
EMAIL_BACKEND =  ‘django.core.mail.backends.console.EmailBackend’
 
ACCOUNT_EMAIL_REQUIRED  =  True
ACCOUNT_USERNAME_REQUIRED  =  True
ACCOUNT_EMAIL_VERIFICATION  =  “optional”

# Honor the ‘X-Forwarded-Proto’ header for request.is_secure( )
SECURE_PROXY_SSL_HEADER = ( ‘HTTP_X_FORWARDED_PROTO’ , ‘https’)

Become a better application security
developer

Developers continue to create more web applications thanks to the demands
of the market, and the fact that cloud-connected applications on a
multitude of devices are integrated in individuals’ work and home lives,
which makes software security crucial.

Here are some tips for developers who want to improve their software security
skills:

  • Participate in bug bounties where you share the software and hardware
    bugs you find on websites, mobile applications and computer networks
    for cash that come from companies that sponsor these events.
  • Work with other developers and product managers to develop an
    application security policy for your organization.
  • Compete in ethical hackathons and Capture the Flag (CTF)
    events.
  • Contribute your programming skills to an open source project.
  • Attend industry conferences that are organized by OWASP and other
    organizations where the latest secure software developments are
    discussed.
  • Join in-person and online events and forums where best practices in
    secure coding practices are shared.
  • Study application security through online and in-person courses
    offered by organizations like the SANS Institute, The International
    Information System Security Certification Consortium (ISC)², the
    International Council of E-Commerce Consultants (EC-Council) and other
    software industry associations.

Downloadable resources

Related topics

Credit: IBM

Previous Post

Firefox 66 is out: Block on auto-playing video with sound, Windows Hello support

Next Post

The Hottest Job Of The 21st Century(Data Scientist!)

Related Posts

Istio 1.8 focuses on usability and upgrades – IBM Developer
Technology Companies

The Eclipse Foundation’s move to Europe will bring open standards and open source together – IBM Developer

January 15, 2021
Six courses to build your technology skills in 2021 – IBM Developer
Technology Companies

Kafka Monthly Digest – December 2020 and 2020 in review – IBM Developer

January 14, 2021
Six courses to build your technology skills in 2021 – IBM Developer
Technology Companies

Learn new skills while working on volunteer projects – IBM Developer

January 8, 2021
Six courses to build your technology skills in 2021 – IBM Developer
Technology Companies

IBM Advance Toolchain for Linux on Power 13.0-3 released!

January 6, 2021
Six courses to build your technology skills in 2021 – IBM Developer
Technology Companies

Following the data science methodology – IBM Developer

January 6, 2021
Next Post
The Hottest Job Of The 21st Century(Data Scientist!)

The Hottest Job Of The 21st Century(Data Scientist!)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Readers’ Writes: Machine Learning | Readers Writes
Machine Learning

Readers’ Writes: Machine Learning | Readers Writes

January 16, 2021
AI set to replace humans in cybersecurity by 2030, says Trend Micro
Internet Security

AI set to replace humans in cybersecurity by 2030, says Trend Micro

January 16, 2021
Facebook builds A.I. to predict likelihood of worsening Covid symptoms
Machine Learning

Facebook builds A.I. to predict likelihood of worsening Covid symptoms

January 16, 2021
What Can You Do With Python in 2021? (Python Real Life Applications) | by Doga Ozgon | Dec, 2020
Neural Networks

What Can You Do With Python in 2021? (Python Real Life Applications) | by Doga Ozgon | Dec, 2020

January 16, 2021
ON24 files for an IPO
Digital Marketing

ON24 files for an IPO

January 16, 2021
This new ransomware is growing in strength and could become a major threat warn researchers
Internet Security

Ransomware attacks now to blame for half of healthcare data breaches

January 15, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Readers’ Writes: Machine Learning | Readers Writes January 16, 2021
  • AI set to replace humans in cybersecurity by 2030, says Trend Micro January 16, 2021
  • Facebook builds A.I. to predict likelihood of worsening Covid symptoms January 16, 2021
  • What Can You Do With Python in 2021? (Python Real Life Applications) | by Doga Ozgon | Dec, 2020 January 16, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates