The Recap: Security Trilogy Open Sessions

3.9 million dollars. 

That’s how much data breaches cost businesses worldwide last year.

What is the starting point to prevent security breaches from happening? 

You. To be more precise, the individual and collective awareness of just how fatal cybersecurity breaches can be is the beginning of any action plan.

Software engineers are responsible for writing secure code, testing software, and monitoring information systems for potential risks, security gaps, and suspicious or unsafe activities. By taking a security-conscious approach, we’re ensuring that best security practices are being followed, thus minimizing the potential damage.

As the world is constantly facing new cybersecurity threats and attacks, we wanted to share a glimpse of our in-house daily security conversations, including tips, tricks, and resources, with the wider community through a series of webinars.

Our Security Trilogy consisted of 3 webinars led by 3 highly experienced Mistral professionals:

  1. Penetration Testing Basics by Dino Selimbašić, Chief Technology Officer
  2. Common Web Security Issues by Goran Jotanović, Senior Developer
  3. Handling Data with Care by Jasmin Azemović, Chief Information Security Officer

Over 80 guest techies followed the sessions closely and got a chance to connect with the speakers afterward.

Here are the main takeaways of all 3 sessions:

Penetration Testing Basics

Our CTO gave an informative introduction to the key tips and tricks of cybersecurity, focusing on pen testing, aka ethical hacking. Pen testing can involve attempting to breach any number of application systems (APIs, frontend/backend servers) to uncover vulnerabilities.

He covered web application penetration testing, which is commonly used to augment a Web Application Firewall (WAF). Why is this important? The insights a pen test provides can be used to fine-tune your WAF security policies and patch the vulnerabilities it detects.

Here are a few points to consider:

  • When it comes to web developers, fixing vulnerabilities should start from the ground floor: the developers themselves
  • Run an easy web penetration test with the tool OWASP ZAP (Zed Attack Proxy)
  • For training and teaching purposes you should use an environment that already has security vulnerabilities. You can use OWASP Juice Shop since it is easy to install, self-contained, and self-healing. Find the OWASP Juice Shop git repository here.
  • ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker images available on the download site listed here.
  • Pro tip: Store your session so that you can rerun it after you have fixed the issues

Common Web Security Issues

‘What happens in Vegas ends on… well, Youtube.’ This quote was the starting point of Goran’s presentation. He highlighted the most common (and biggest) security breaches at giants across industries that damaged their reputations (Capital One, eBay, Yahoo). Intellectual property and financial losses were only part of the consequences.

Here’s how to properly address common web security issues:

  • Be vigilant about what you’re logging
  • Never directly render any user input as HTML
  • Don’t reveal sensitive info in error messages
  • Never respond to web requests with more data than absolutely necessary
  • Always implement Cross-Site Request Forgery (CSRF) protection
  • Always use CSP whitelists
  • Never let malformed data enter the system
  • Ensure that every API endpoint ONLY responds to authorized and authenticated clients
  • ALWAYS use HTTPS (and never mix HTTP and HTTPS)
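
As an added example (not from the session itself or from Mistral's code), here is a small Python module that shows four of the points above side by side: the unsafe rendering pattern next to its escaped form, a CSRF token check, an allow-listed response that returns no more fields than needed, and the CSP/HSTS headers. The session store, field names and CSP policy are assumptions constructed for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store standing in for a real one (assumption).
SESSIONS = {"sess-1": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}

# Fields a client is allowed to receive; everything else stays server-side.
PUBLIC_USER_FIELDS = ("id", "display_name")

# CSP allow-list: only same-origin scripts, no plugins, no framing.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"

def render_comment_unsafe(comment: str) -> str:
    """The vulnerable pattern: user input concatenated straight into markup."""
    return f"<p>{comment}</p>"

def render_comment(comment: str) -> str:
    """Hardened: escape the value for the HTML text context before rendering."""
    return f"<p>{html.escape(comment, quote=True)}</p>"

def csrf_valid(session_id: str, submitted_token: str) -> bool:
    """Check the form's CSRF token against the one bound to the session."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    # Constant-time comparison so the check cannot leak token bytes via timing.
    return hmac.compare_digest(session["csrf_token"], submitted_token)

def public_view(user_record: dict) -> dict:
    """Return only the allow-listed fields, never the whole record."""
    return {k: user_record[k] for k in PUBLIC_USER_FIELDS if k in user_record}

def response_headers() -> dict:
    """Headers every HTML response should carry: the CSP allow-list plus HSTS."""
    return {
        "Content-Security-Policy": CSP,
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }

if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"
    print(render_comment_unsafe(hostile))  # markup survives: this is the bug
    print(render_comment(hostile))         # same input, rendered as plain text
    print(public_view({"id": 7, "display_name": "alice", "password_hash": "x"}))
```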

Recommended resources for exploring:

Common Weakness Enumeration (CWE)

SonarQube – Get Started with Static Code Analysis!

Handling Data with Care

Never underestimate an attacker’s desire to find the information they want about you or your company. To show how to handle sensitive data properly, Jasmin revealed the insider processes behind a security breach: how does a breach happen? (see the image below)

In order to avoid the horrid consequences of a data security breach, we have to avoid an ad hoc approach at all costs. Be prepared to invest time and resources to properly protect your data, whether it’s private or public. 

Here are the steps to understand and undertake in order to handle your data with care:

  • Design the data layer with security and privacy in mind
  • Assess the risk
  • Implement a threat modeling approach
  • Classify the data
  • Anonymize analytics data
  • Encrypt data at rest and in motion
  • Learn continuously
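
As an added example, not code from the session or from Mistral, here is a Python sketch of the "classify the data" and "anonymize analytics data" steps: each field of an analytics event carries a classification level that decides whether it passes through, is pseudonymized with a keyed hash, or is dropped before the event leaves the system of record. The field names, levels and event payload are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed classification map for one analytics event type (assumption).
# "public" passes through, "pseudonymous" is replaced by a keyed hash, and
# "restricted" never leaves the system of record.
CLASSIFICATION = {
    "event": "public",
    "page": "public",
    "user_id": "pseudonymous",
    "email": "restricted",
    "card_last4": "restricted",
    "client_ip": "restricted",
}

# In practice the key lives in a secrets manager; generated here so the
# example runs stand-alone. Rotating it unlinks old and new pseudonyms.
PSEUDONYM_KEY = secrets.token_bytes(32)

def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable for one key, but not reversible by guessing inputs
    the way an unkeyed SHA-256 of a user id or e-mail address would be."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def anonymize_event(event: dict) -> dict:
    """Apply the classification to a raw event before it reaches analytics."""
    out = {}
    for field, value in event.items():
        level = CLASSIFICATION.get(field)
        if level is None:
            # Fail closed: an unclassified field is a leak waiting to happen.
            raise ValueError(f"unclassified field: {field}")
        if level == "public":
            out[field] = value
        elif level == "pseudonymous":
            out[field] = pseudonymize(str(value))
        # "restricted" fields are simply dropped
    return out

if __name__ == "__main__":
    raw = {"event": "checkout", "page": "/cart", "user_id": "42",
           "email": "alice@example.com", "card_last4": "4242",
           "client_ip": "203.0.113.9"}
    print(anonymize_event(raw))
```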

Additional resources you can use:

Securing SQL Server

Regardless of the nature of the information, and whether it relates to personal or business matters, attackers are continually and consistently trying to obtain and misuse it.

Our industry, as the first line of defense, needs to commit to building ethical, bullet-proof products. The world relies on our strong sense of responsibility and sharp expertise.

Until next time, stay safe and secure.