Security is essential to gaining the trust of users. In our modern age, data breaches are very common and information security is very important. Users are starting to select products based on their security and privacy. Security is a huge field on its own, with many companies having their own security engineers and entire companies devoted to working as consultants to examine other companies' security practices. Security is the responsibility of everyone, just like monitoring, incident response, or UX. You should have experts on your staff to direct you, but you must not be ignorant about the topic and defer to your experts for everything.
When building software, or auditing technology for security matters, try thinking about the three following aspects of a piece of technology:
By being on the internet, you are at risk of being attacked. The internet lets anyone connect and send traffic to anyone else. The chance of something being insecure is high, so often people are scanning the internet looking for IP addresses with open ports and vulnerable services. Following are some tips for addressing common issues, and in the References section, you can find more external sources to read and watch to continue your learning.
The following are some basic suggestions for writing code that deals with authentication:
Note that these measures will not guarantee that people will not find a way to get into your system, but they are a good start.
Authorization, as mentioned in the preceding section, is determining whether a user has permission to do what they want to do. Always use authorization with authentication if you can. Just because a user is on your network, or has access to your corporate email system, this does not mean that they should be able to access something. For example, if I walk into an office and plug a computer into a wall socket, or connect to your Wi-Fi from the street, I should not be able to access everything about your organization without also logging in as a user. Also, make sure people are not sharing logins. If the same authentication token means multiple users, you don't actually have authentication because you can't audit which users are doing what. It should be mentioned that adding authorization logging is very useful for knowing which users ask for permission to do which things, and which things you give them permission for.
Determining your risk profile is not a science, but it's something you can think about to determine how paranoid you should be. First, think about an individual person. They have stuff that other people want, such as data or money. Then think about the level of effort an attacker would have to go through to take it from them. If the individual doesn't use two-factor authentication on their bank account, and reuses passwords (or reuses similar passwords), then the possibility that another human could get access to their bank account increases. So, the more valuable a person and their stuff is, the more the risk increases because external actors will target them. Also, the worse a person's security practices are, the more the risk increases because of the chance of automated attacks, and the more the effort required to compromise them decreases.
For example, if I use the same password everywhere for the same email address (for instance [email protected]
and qwerty1234256
are my logins for Gmail, Netflix, and my bank) if any one of those companies is compromised and my email and password are leaked, then future attackers can add that combo to their automated scripts. These scripts can just look at every popular website online and start trying every leaked password and email combo ever. Since my username and password is the same, the chance of me being compromised is higher. If I'm a public figure, such as US political consultant John Podesta, for example, and people know my email address, attackers will try targeting my email with phishing scams (described in the next section) and brute forcing my password with scripts, hoping that they can get into an account of mine and gain valuable information.
A service is just like a person: a service belongs to an organization, which has value. Apple, for example, has trillions of US dollars to its name. Most countries have databases on all of their citizens for tax purposes. Apple is more technically advanced than smaller companies, so its risk decreases, as it has the resources to invest in security. Comparably, Wells Fargo bank has high assets, but it is also technically competent. A credit union, on the other hand, might have a decent amount of money, but not have anyone competent taking care of security.
Phishing is one of the most dangerous and common attack vectors in computer security today. It is the act of taking an email that someone might normally interact with and modifying it to have the user who clicks on it be taken to a fake page, where they type in their credentials for a real site (such as their email password). As an operator, phishing is particularly dangerous, because SREs, DevOps engineers, and system administrators are all common targets for phishing, as they often have credentials for many sensitive systems.
In 2014, Edward Snowden, who famously leaked classified information from the US, revealed that sysadmins were some of the National Security Agency's top targets (https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/). Whether or not that is true anymore, the point remains that people who might target systems might target both your personal and work life to gain access to a system.
These attacks might come as something as innocuous as an email asking you to renew your Netflix subscription or to change your password for your Gmail. They often work because many people use the same password on many accounts. This is why it is often recommended to use a different password on every website and account. It is also why we recommend using MFA where possible, so that even if someone gets your username and password, they will still need your phone or some other device to get access to the account.
13.58.60.192