You’ve done it! Congratulations! Your code is nearly perfect and secure, it was tested by a dozen pairs of eyes and money spent on code analyzing software was not in vain. It’s just one final step – let DevOps deploy it and let your customers work with the amazing web site you’ve made.
Next morning you’ve got an email from your boss and he’s not angry. He’s in rage! He’s not impressed with progress you made, but asks a single burning question – what’s that huge white face with stupid mustache he sees instead of a web site?
Your site was defaced overnight. You call DevOps and now it’s your turn to ask questions – guys, what web server do you deploy it on? Is it secure? Do you update it from time to time? Never? Oh …
Web sites do not operate by themselves. They work on top on web servers. Moreover, they use tons of 3rd party libraries, frameworks, databases and other stuff that no one really checks. Some of them are opensource, some are not developed anymore but widely used. Just think of it, some opensource libraries contain code that is 20 years old! And it’s maintained by volunteers. There’s just no way for a company to make everything from scratch! Having this in mind can help you easily understand that making a secure code is not enough. In fact, it’s not even a 10% of the deal.
In all time classic movie, «The Matrix Reloaded», Trinity runs a nmap scanner against some careless electric company to discover a version of ssh that it uses. Luckily for her it had known vulnerability, so she saved the day once again.
(Of course, there’s no such thing as “sshnuke” (Although you can find a pun on a github)
In this example it’s clear that no matter how much money and efforts a company spent on their software, their system was hacked just because ssh component wasn’t updated it time.
I just must give my pardons here (to my wife first of all, since she’s a big fan) – I don’t think that «Matrix Reloaded» is a worthy movie to watch more than once, but this nmap scene is so iconic. Hey, it’s 2003 movie, and the previous hacker movie called «Hackers» (eh?) depicts hacking like this:
And you just can’t get serious when user interface looks like you’re floating through some 3 dimensional city. No wonder that so many young people started learning computers just realized that it wasn’t that exciting (In fact it’s way more exciting for some!)
It doesn’t get any better over years and what I see on television nowadays is hacking with ipconfig and ping commands.
One guy from the tv industry told me once, that they mostly don’t try to show things as they are in real life, but as a viewer imagines them. That explains things a little.
Ok, back to our example. If you can’t get through a web site security, why not look at a web server it runs on. Here’s a scan example. Same old nmap.
I can check version of vsftpd 2.3.4 only to find what is vulnerable and exploitable in a minute. Admin must’ve used ftp to upload files to a web server. So, there’s no need to check anything else – we’re there.
So, what do we do? First of all, you have to answer to the following questions:
- Do you know the exact versions of software packages you’re using?
- Is the software you’re using is still supported?
- Do you scan your system to know vulnerabilities from time to time?
- What about updates? Does it take months to deploy a newer version of the software?
If the answers are mostly negative I’m afraid that your system is vulnerable. Or even already breached but you just don’t know it yet.
To fix things you have to make the answers to these questions above positive! That’s an easy part. Next you have to remove everything that is not used – software, drivers, dependencies, you name it. And finally, you have to establish the patch management process.