Practical Web Security
Junade Ali (@IcyApril)
Lead Developer at Creare, one of the UK's largest digital agencies for SMEs.
Creare hosts thousands of websites, facing over 2.5 million security attacks monthly.
Until recently we did too little at a web application level.
Under Attack
Prior to relaunching our brand on the rooftop of Google headquarters in London, we were hit by a large-scale attack.
So how did we stop it?
Development Standards
• Use vulnerability scanning (WPScan, Vega, etc.).
• Enforce secure development (SQL injection/XSS/CSRF protection, secure password hashing with bcrypt/PBKDF2, and site-wide SSL).
• OWASP Top 10
• For SSL/TLS, consider the SSL Labs standards.
Search WP plugins on wpvulndb.com
Finding vulnerable WordPress plugins before installation.
Turning to Hosting
[Diagram: Web App on its own]
Web Application Firewall
• If you run a web application, consider a Web Application Firewall.
• Useful in cases where you are hosting other people's code.
• For Apache: ModSecurity
• For Nginx: NAXSI
• Commercial options too: Qualys, Sucuri, etc.
The First Layer
[Diagram: layers in front of the Web App: WAF]
Not a Real Bruteforce
A Real Bruteforce
Brute Force Protection
• Make your defence aggressive.
• Block IPs which make persistent login attempts.
• On Linux: Fail2Ban
• Ban repeat offenders with the Recidive jail.
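As an added illustration of the jail behaviour described above (example code written for this page, not code from the talk or from Fail2Ban itself), the following Python replays constructed failed-login lines through a login jail and a recidive jail: maxretry failures inside findtime earn a bantime ban, and repeated bans earn a much longer one. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN_FAILED user=\S+ ip=(\S+)$")


def fails(ip, start, n, step=2):
    """Constructed log lines (assumed format): n failed logins from ip, `step` seconds apart."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [f"{t0 + timedelta(seconds=i * step):%Y-%m-%d %H:%M:%S} LOGIN_FAILED user=admin ip={ip}"
            for i in range(n)]


# Constructed sample: one persistent attacker and one user who mistyped a password twice.
SAMPLE_LOG = (fails("203.0.113.7", "2016-03-10 10:00:00", 8)      # 5th failure triggers ban 1
              + fails("198.51.100.9", "2016-03-10 10:00:05", 2)   # two typos: never banned
              + fails("203.0.113.7", "2016-03-10 10:05:00", 5)    # during ban 1: dropped
              + fails("203.0.113.7", "2016-03-10 10:11:00", 5)    # ban 2
              + fails("203.0.113.7", "2016-03-10 10:22:00", 5))   # ban 3 -> recidive ban


def evaluate_log(lines, maxretry=5, findtime=600, bantime=600,
                 recidive_maxretry=3, recidive_findtime=86400, recidive_bantime=604800):
    """Replay lines in time order and return {ip: [(ban_start, ban_seconds, jail), ...]}.
    Login jail: maxretry failures within findtime -> ban for bantime.
    Recidive jail: recidive_maxretry bans within recidive_findtime -> ban for recidive_bantime."""
    failures, ban_history, banned_until, bans = defaultdict(list), defaultdict(list), {}, defaultdict(list)
    for line in sorted(lines):  # timestamps lead each line, so string order is time order
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue  # firewall rule is active: the attempt never reaches the application
        failures[ip] = [t for t in failures[ip] if t >= ts - timedelta(seconds=findtime)] + [ts]
        if len(failures[ip]) < maxretry:
            continue
        failures[ip].clear()
        bans[ip].append((ts, bantime, "login"))
        banned_until[ip] = ts + timedelta(seconds=bantime)
        ban_history[ip] = [t for t in ban_history[ip] if t >= ts - timedelta(seconds=recidive_findtime)] + [ts]
        if len(ban_history[ip]) >= recidive_maxretry:  # repeat offender: escalate
            ban_history[ip].clear()
            bans[ip].append((ts, recidive_bantime, "recidive"))
            banned_until[ip] = ts + timedelta(seconds=recidive_bantime)
    return dict(bans)


if __name__ == "__main__":
    for ip, ip_bans in evaluate_log(SAMPLE_LOG).items():
        print(ip, [(t.strftime("%H:%M:%S"), secs, jail) for t, secs, jail in ip_bans])
```

The user with two typos never reaches maxretry, while the attacker's third ban inside a day triggers the week-long recidive ban, which is the escalation the slide recommends.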
The Second Layer
[Diagram: layers in front of the Web App: Fail2Ban, WAF]
Use Specialist Hosting
• Creare is migrating hosting from previous unspecialised web hosts to ones which understand the technology.
• When developing Magento or WordPress we now use specialist PaaS hosts who can offer specialised security.
Hosting Added
[Diagram: layers in front of the Web App: Server (Fail2Ban), WAF]
Make Tough Friends
CloudFlare
• Low cost (or free!) managed SSL. Free traffic filtering, CDN and caching.
• Pro accounts get Web Application Firewalls for PHP, Magento, WordPress, etc.
• Creare can enable CloudFlare without even changing name servers.
• Creare offers free Railgun: 143% HTML load time improvement, 90% decrease in TTFB.
Preventing Data Leaks
Attempting to view a non-existent SFTP config file.
SEO Benefits - Rankings
A large online retailer's Google rankings after having their server hardened, site-wide SSL and CloudFlare installed.
Slides at: ju.je/leadsec
[Diagram: layers in front of the Web App: CloudFlare, Server (Fail2Ban), WAF]