Practical Web Security - The Lead Developer Lightning Talk by Junade Ali
Page 1

Practical Web Security
Junade Ali (@IcyApril)

Lead Developer at Creare. Creare is one of the UK's largest digital agencies for SMEs.

Page 2

Creare hosts thousands of websites, facing over 2.5 million security attacks monthly.

Until recently we did too little at the web application level.

Page 3

Page 4

Under Attack

Before we relaunched our brand on the rooftop of Google's London headquarters, we were hit by a large-scale attack.

Page 5

So how did we stop it?

Page 6

Development Standards

• Use vulnerability scanning (WPScan, Vega, etc.).

• Enforce secure development: SQL injection, XSS and CSRF protection, secure password hashing with bcrypt or PBKDF2, and site-wide SSL/TLS.

• Follow the OWASP Top 10.

• For SSL/TLS configuration, work to the SSL Labs standards.
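As an added worked example (not code from the talk or from Creare), the "enforce secure development" bullet above in Python: a deliberately injectable username lookup beside its parameterised form, PBKDF2-HMAC password hashing with a per-user salt and constant-time verification (the slide names bcrypt as an equally good choice), and a per-session CSRF token. The table layout, iteration count, the hash string format and all function names are assumptions made for this example.

```python
"""Secure-development basics from the slide, as a stand-alone added example:
parameterised SQL, salted PBKDF2 password hashing, and a session-bound CSRF token.
Table layout, iteration count and names are assumptions made for this example."""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 with a work factor in line with
# current OWASP guidance. Tune it to what your servers can afford per login.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    A fresh 16-byte random salt per user defeats precomputed (rainbow) tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


# Verified against when a username does not exist, so a missing user costs the same
# time as a wrong password and response timing does not reveal valid usernames.
DUMMY_HASH = hash_password("not-a-real-password", iterations=50_000)


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse battery", iterations=50_000)))
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """DELIBERATELY VULNERABLE: the username is spliced into the SQL text, so the
    input  x' OR '1'='1  rewrites the WHERE clause and matches every row."""
    query = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Parameterised query: the driver sends the value separately from the SQL,
    so quote characters in the input can never change the statement."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe login: parameterised lookup plus constant-time hash verification."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None


def issue_csrf_token(session: dict) -> str:
    """Random per-session token; embed it in every state-changing form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Reject the POST unless the submitted token matches the session's one."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable lookup:", user_exists_vulnerable(db, payload))  # True: injected
    print("parameterised lookup:", user_exists_safe(db, payload))     # False: literal
    print("login alice:", login(db, "alice", "correct horse battery"))
```

Run it and the vulnerable lookup reports that `x' OR '1'='1` "exists" although no such user does, while the parameterised version treats the payload as an ordinary (unknown) username. The same structure carries over to bcrypt: store the library's self-describing hash string and let its verify routine do the comparison.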

Page 7

Search WordPress plugins on wpvulndb.com

Check a WordPress plugin against wpvulndb.com for known vulnerabilities before installing it.

Page 8

Turning to Hosting

(diagram layers: Web App)

Page 9

Web Application Firewall

• If you run a web application, consider a Web Application Firewall.

• Useful in cases where you are hosting other people's code.

• For Apache: ModSecurity. For Nginx: NAXSI. Commercial options too: Qualys, Sucuri, etc.

• A WAF is a compensating control in front of code you cannot fix immediately, not a substitute for the development standards above; its rule set needs tuning per site so that it blocks attacks without blocking legitimate requests.

Page 10

The First Layer

(diagram layers: Web App, WAF)

Page 11

Not a Real Bruteforce

Page 12

A Real Bruteforce

Page 13

Brute Force Protection

• Make your defence aggressive.

• Block IPs which make persistent login attempts.

• On Linux: Fail2Ban.

• Ban repeat offenders with the recidive jail.
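As an added example (not code from the talk or from Fail2Ban), the two bullets "block IPs which make persistent login attempts" and "ban repeat offenders with the recidive jail" as detection logic in Python over a constructed web-server log. A first pass bans an IP at its maxretry-th failed wp-login.php POST inside a sliding findtime window, the three knobs a Fail2Ban jail exposes; a second pass, like the recidive jail reading Fail2Ban's own log, escalates IPs that get banned repeatedly. The combined-log format, the heuristic that a POST to /wp-login.php answered with 200 is a failed login (success redirects with 302), the sample IPs and all thresholds are assumptions made for the example.

```python
"""Fail2Ban-style brute-force detection over constructed log lines (added example).
Assumptions: Apache/nginx combined-log format, and a failed WordPress login is a
POST to /wp-login.php answered with 200 (the form is re-rendered on failure;
success redirects with 302). Parameters mirror Fail2Ban's maxretry/findtime/bantime."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """Heuristic for the sample: POST to wp-login.php (query string ignored) with a 200 reply."""
    return method == "POST" and path.split("?", 1)[0] == "/wp-login.php" and status == 200


def find_bans(lines, maxretry=5, findtime=600, bantime=600):
    """First layer (one Fail2Ban jail): ban an IP at its maxretry-th failure within a
    sliding findtime window. Returns [(ip, ban_start)] in the order bans are issued.
    Lines must be in chronological order per IP, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> when its current ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # the firewall would have dropped this request; nothing to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def recidive(bans, maxretry=2, findtime=86400):
    """Second layer (the recidive jail reads Fail2Ban's own log): an IP banned maxretry
    times within findtime seconds gets a much longer ban. Returns the sorted IPs."""
    history = defaultdict(deque)
    repeat_offenders = set()
    for ip, ts in bans:
        h = history[ip]
        h.append(ts)
        while ts - h[0] > timedelta(seconds=findtime):
            h.popleft()
        if len(h) >= maxretry:
            repeat_offenders.add(ip)
    return sorted(repeat_offenders)


def make_line(ip, ts, status, method="POST", path="/wp-login.php"):
    """Build one constructed combined-log line (sample data, not a real log)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 3560'


def sample_log():
    """Constructed traffic: an attacker hammering wp-login.php in two bursts, a forgetful
    user failing three times over half an hour before succeeding, someone merely viewing
    the login form, and one unparseable line."""
    t0 = datetime(2015, 6, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("203.0.113.7", t0 + timedelta(seconds=i), 200) for i in range(6)]
    lines += [make_line("203.0.113.7", t0 + timedelta(minutes=15, seconds=i), 200) for i in range(6)]
    lines += [make_line("198.51.100.23", t0 + timedelta(minutes=10 * i), 200) for i in range(3)]
    lines.append(make_line("198.51.100.23", t0 + timedelta(minutes=31), 302))
    lines.append(make_line("192.0.2.9", t0 + timedelta(minutes=5), 200, method="GET"))
    lines.append("this line is not in combined-log format")
    return lines


if __name__ == "__main__":
    issued = find_bans(sample_log())
    for ip, started in issued:
        print(f"ban {ip} at {started:%H:%M:%S}")
    print("recidive:", recidive(issued))
```

With the defaults the attacker is banned twice (at its fifth failure in each burst) and is the only recidive hit, while the forgetful user is never banned. Re-run `find_bans(sample_log(), maxretry=3, findtime=1800)` and the user is banned too: "aggressive" means a low maxretry, a long bantime and the recidive jail on top, but the thresholds need checking against your own users' failed-login patterns first. In a real deployment these knobs are `maxretry`, `findtime` and `bantime` in the jail's section of jail.local, with the `[recidive]` jail enabled alongside it.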

Page 14

The Second Layer

(diagram layers: Web App, Fail2Ban, WAF)

Page 15

Use Specialist Hosting

• Creare is migrating hosting from its previous unspecialised web hosts to ones which understand the technology.

• When developing Magento or WordPress we now use specialist PaaS hosts who can offer specialised security.

Page 16

Hosting Added

(diagram layers: Web App, Server, Fail2Ban, WAF)

Page 17

Make Tough Friends

Page 18

CloudFlare

• Low cost (or free!) managed SSL. Free traffic filtering, CDN and caching.

• Pro accounts get Web Application Firewalls for PHP, Magento, WordPress, etc.

• Creare can enable CloudFlare without even changing name servers.

• Creare offers free Railgun: 143% HTML load time improvement, 90% decrease in TTFB.

Page 19

Preventing Data Leaks

Attempting to view a non-existent SFTP config file.

Page 20

SEO Benefits - Rankings

A large online retailer's Google rankings after having their server hardened, site-wide SSL and CloudFlare installed.

Page 21

Slides at: ju.je/leadsec

(diagram layers: Web App, CloudFlare, Server, Fail2Ban, WAF)