BASIC SECURITY FOR DEVELOPERS
Security is a costly and complex issue. Almost every system has vulnerabilities (both in software and in hardware), and attackers can exploit these vulnerabilities to compromise the system.
Securing a system is the responsibility of many parties: sysadmins, network engineers, managers, and developers. Because I don't specialize in security, I am not familiar with configuring systems, installing firewalls, etc., so I will not cover that area. Instead, I will approach security from a developer's perspective.
The knowledge in this series is fundamental and easy to learn, but it is beneficial: it helps you avoid "silly, basic" security mistakes when coding. Whether you code in C or C++, Java, C#, or PHP, you will learn some useful things from this series.
It is the developer's responsibility to ensure that the code they write does not contain security flaws (don't end up like our friends at Lotte Cinema!). In this series, we play the role of an attacker against our own system. Through this, we will learn about the common security holes introduced when coding and how to fix them.
Some of the issues covered in the series (to be updated later):
- The dangers of using HTTP: why use HTTPS to transfer data?
- How dangerous is the XSS security hole?
- Cookie storage: seemingly harmless
- Hiding server information: staying out of sight of prying eyes and bad guys
- SQL Injection: a security hole
- Insecure Direct Object Reference: hiding your head
- Cross-Site Attack: spectacular tricks
- User management: looks easy, but it isn't simple
Most of these security bugs are already prevented by the framework. However, many websites still suffer from them because of developer carelessness or negligence. Therefore, follow the series and try to apply this knowledge to your code to avoid these errors.
This is a security series for developers, not hackers. The knowledge in the series is there to help you code and fix bugs, not to help you attack other systems or scam users.
You don't need to prepare many complex "toys"; you just need the following software:
- The EditThisCookie browser add-on: used to inspect and edit cookies.
- Fiddler: a web debugging proxy that lets you inspect the HTTP requests sent from your machine to the server, measure performance, check for security errors, simulate Man-in-the-Middle attacks, etc.
Some other tools will be introduced later.
Before teaching martial arts, a master always tells his disciples: "Study martial arts to strengthen the body and to cultivate yourself, not to bully the weak." Before starting the series, I would like to say the same thing: learn about security to build more secure systems and to help others, not to hack or sabotage.
For ethical reasons, if you find errors in other systems, you should notify the administrator rather than sabotage them. With critical systems, the line between "understanding the vulnerability" and "destroying the system" is very thin. You could be prosecuted and end up in jail, so don't mess around :v
This series follows the Hack Yourself First course, Web Security OWASP Top 10 on Pluralsight, and some other sources. The courses have subtitles, so they are quite easy to follow, and you can practise your English at the same time.