web design & development: security
DESCRIPTION
Web Design & Development: Security. By Trevor Adams. Topics Covered. About security Why bother? Security Policy Attacks Intrusion Denial of Service Attackers Basics Protecting your mark-up! Hosting Web Site. Security – Why Bother?. Why do we need to think about security? - PowerPoint PPT PresentationTRANSCRIPT
Web Design & Development: Security
By Trevor Adams
Topics Covered
About security Why bother? Security Policy Attacks
Intrusion Denial of Service
Attackers Basics
Protecting your mark-up! Hosting Web Site
Security – Why Bother?
Why do we need to think about security? Would it not limit your freedom of speech? “They don’t wish to read my stuff, I am not
bothered about theirs!”
Security – Why Bother?
BUT! Society has rules!
Without them, society breaks down “They do want to read my stuff and I am, to
tell the truth, interested in theirs!”
Security – Why bother?
So we have an obvious conflict… Freedom of speech or invasion of privacy? Private information on a public network Boring information or access to secrets? This is all security!
Security Policy
Developed often without realising “I do not bother, I have nothing I need to protect.
Anyone can use anything, I really do not care!” This is a security policy: Do Nothing
Which can be completely valid if it fits
Security - Trust
Before considering the Internet or the web, lets consider trust
Everyday life Most of the world is built on trust A thoroughly strange concept
Credit Cards Chairs Taxi Drivers
The humble fiver is actually just an IOU
Security - Attacks
There are many types of attacks Three common types:
Intrusion Denial of Service Information Theft
We shall look briefly at these
Security - Intrusion
The most common form of attack (unofficial) The attacker is able to use resources belonging to
you Most attackers try to use the resources as though
they were legitimate Known as masquerading
Security – Denial of Service
Aimed at preventing use of your own resources Overloading a web site E-mail bombing
Used a lot on the web Easy to do Very little real defence Blackmail, server ransom etc.
Occasionally accidental Holiday mail messages for example?
Security – Attackers
Deliberate forms of attacks might come from these type of attackers Joy riders – bored people amusing themselves Vandals – out to damage the public net Score Keepers – Geek bragging rights Spies – industrial or otherwise Stupidity or accident – usually naiveté
Security - Prevention
This is a tough topic to cover without going into some scary science Anti-virus software – anti information theft and intrusion Network firewalls – anti-intrusion Security policy – general assistance
Toughest attack to defend Denial of service Difficult to defend against an over use of a service on a
public network In the end you have to cover every possibility
Attackers have to find one exploit!
Security and WDD
We have to cover all this?
WDD and Security
Topics introduced are complex Most could encompass a degree in their own right
So what about us? We do HTML right?
All of the aforementioned topics are worth knowing about Some of the topics are for network engineers Some are for programmers It is everyone's responsibility however!
Basics
To some, security is seen as an exotic topic Fun, exciting and cutting edge!
This might be true…(anyone seen Swordfish?)
In reality it starts in a more mundane manner Personal procedures Personal computer protection Good personal security policy
Web sites as a public face
Your web site is a public face Whether personal, commercial or otherwise
It is put up in the world for everyone to see There are various reasons why people want
to mess it up You cannot stop them trying However, you should not make it easy for them
Protect your own mark-up
You create your web sites locally for upload later Take care of your own files
Don’t be uploading modified versions
Viruses and Worms are notorious for modifying files without user knowledge
Good common sense Strong password policy Up to date security software – firewalls, anti-virus Limited access to shared files Do not run your computer as Administrator just to type!
Hosting Hosting your web site on a reliable provider is a must
You need that all important TRUST They should provide a service level agreement upon request
Help you with Denial of Service attacks Make back-ups on your behalf
This is why you pay for hosting Relieves the technical issues of running your own web server
Change your FTP password regularly FTP is a plain-text protocol
Where possible, use Secure Socket Layers (SSL)
Your web site
We have only touched the surface of server-side technology
However, it is worth understanding how your own web site can be the problem
The best host in the world cannot protect against poor web site development
Your web site Any web site that ventures past plain HTML opens
itself to be prodded by ‘no-gooders’ Web applications lack the control of desktop
applications You have no control on who posts to your form
Form submissions could come from pages that you have not designed
Code your pages to be hardened against mal-formed posts Do not process user input as though it is automatically
trusted Many of these techniques will become more
apparent if you continue to study web development and applications
Summary Security is a vast, interesting topic
Think about how it impacts on so many areas of your life and society at large!
Computing security is a small part of security as a topic Understand how private data on a public network is an odd
contradiction Security by obfuscation will not last forever
Just because its not obvious, does not mean nobody will find it! Take good steps and procedures to do your part
Protect your own work as best you can Do not leave the door wide open to information theft