Secure Coding Practices

Secure coding practices are hard. This blog post presents a couple of secure coding practices for modern web development.
Coders are usually good at their jobs. They dedicate hours and hours to honing their skills, yet a typical coder knows little about how to code more securely. When secure coding practices are introduced, people are amazed to find out in how many ways a malicious attacker can do harm to their system. This is because coders usually see security as firewalls and user credentials. There’s much more to it than that.
Here’s a presentation of the layers in modern web application security:

This is not a perfect presentation of security, but it gives a rough idea of what’s what. You’re sitting inside a really big bubble of layers. You are the first link in the chain. Don’t screw it up.

Snapshot of security threats

Evil Regex in event loop

Node.js is a well-known event-driven I/O server-side JavaScript environment. It’s very fast and powerful, but it has a caveat: if you perform an HTTP or other operation synchronously, it blocks the event loop and prevents all other requests from executing. Usually these situations are handled automatically in the various libraries, so you really don’t have to think about it too much.
There’s still one nasty situation that can block the event loop even though it looks quite innocent:

// Nested quantifier: ([a-z])+ inside ( ... )+ backtracks exponentially when the
// string of 'a's fails to match at the trailing '!'.
console.time('taketime');
/^(([a-z])+.)+[A-Z]([a-z])+$/.test('aaaaaaaaaaaaaaaaaaaa!');
console.timeEnd('taketime');

This example demonstrates a Regular Expression Denial of Service (ReDoS) attack. The more letters ‘a’ you give, the longer you have to wait. You can even try this in your browser’s JavaScript console.
Let’s look at a typical email validation (validating email addresses with a regular expression is itself a waste of time, since you can’t handle all the cases):

// The repeated group (( ... )?([a-zA-Z0-9]+))* can split a run of letters in
// many ways, so a non-matching input is retried over and over.
console.time('taketime');
/^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/.test('aaaaa!');
console.timeEnd('taketime');

The email validation above introduces an attack surface for a Regular Expression Denial of Service (ReDoS) attack.
Things to look for that open up a ReDoS attack surface:

  • Grouping with repetition,  ( )+
    • Inside repeated group
      • repetition, ( a+ )+
      • alternation with overlapping, ( a|aa )+

There are some tools to test whether your regular expression is vulnerable:

More dirty details about this can be found at https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS.
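The following is an added example, not code from the original post: it times the post’s own evil pattern on growing inputs and shows the simplest mitigation, a hard length cap applied before the regex runs. The helper names (`timeTest`, `boundedTest`, `growthTable`) are assumptions made for this example.

```javascript
// Added example (not from the original post). `evilRe` is the post's pattern;
// the helpers around it are assumed names for this demonstration.
const evilRe = /^(([a-z])+.)+[A-Z]([a-z])+$/;

// Wall-clock cost of a single match attempt, in milliseconds.
function timeTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Mitigation: refuse to run the regex at all on input longer than the field
// can legitimately be. Catastrophic backtracking needs long input, so a cap
// bounds the worst case regardless of how the pattern is written.
function boundedTest(re, input, maxLen) {
  if (typeof input !== 'string') return false; // arrays, objects: reject
  if (input.length > maxLen) return false;     // over-long: treat as invalid
  return re.test(input);
}

// Show how cost grows with the number of 'a's: each extra letter roughly
// doubles the time, which is the signature of exponential backtracking.
function growthTable(re, lengths) {
  return lengths.map((n) => ({ n, ms: timeTest(re, 'a'.repeat(n) + '!').ms }));
}

function demo() {
  for (const row of growthTable(evilRe, [10, 12, 14, 16, 18])) {
    console.log(`n=${row.n}\t${row.ms.toFixed(1)} ms`);
  }
  // 1000 'a's would run for ages; the cap returns false immediately.
  console.log(boundedTest(evilRe, 'a'.repeat(1000) + '!', 64));
}

demo();
```

Run it with Node.js and watch the milliseconds column; then try the same inputs through `boundedTest` with a cap that matches your real field length.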
 

HTTP Parameter pollution

HTTP Parameter Pollution is a quite overlooked subject. Usually we just take values from the request and use them as they are. There’s still a caveat that can cause Node.js to crash if no exception handling is attached.

// POST firstname=Seppo&firstname=Seppo
req.body.firstname
// => ["Seppo", "Seppo"]

By default you were expecting just a string with the first name, but instead you got an array. Once you start doing operations that expect a string, you may get type errors (trim() can cause this).
In the worst case you could end up with some really strange-looking values in your schemaless NoSQL database.
More details:
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
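The following is an added example, not code from the original post: a small model of how body parsers turn a repeated field into an array, the naive handler that crashes on it, and a guard that only accepts a single string. The form body is a constructed sample and `parseForm`, `requireString` and the greeting functions are assumed names.

```javascript
// Added example (not from the original post). Constructed request body with a
// repeated field, as in the post's POST firstname=Seppo&firstname=Seppo.
const constructedBody = 'firstname=Seppo&firstname=Seppo&lastname=Sorsa';

// Model of what body parsers commonly do with repeated keys: the first
// occurrence stays a string, a repeat promotes the value to an array.
function parseForm(raw) {
  const body = Object.create(null); // no prototype, so 'constructor' etc. are not keys
  for (const [key, value] of new URLSearchParams(raw)) {
    if (!(key in body)) body[key] = value;
    else if (Array.isArray(body[key])) body[key].push(value);
    else body[key] = [body[key], value];
  }
  return body;
}

// Naive handler: assumes a string and throws TypeError when it gets an array
// (`trim` is not a function on arrays). Unhandled, this takes the process down.
function naiveGreeting(body) {
  return 'Hello ' + body.firstname.trim();
}

// Guard: accept exactly one non-empty string of sane length, otherwise reject
// the request as a client error instead of letting the type error propagate.
function requireString(body, key, maxLen = 100) {
  const v = body[key];
  if (typeof v !== 'string' || v.length === 0 || v.length > maxLen) {
    throw new Error(`400 Bad Request: '${key}' must be a single string`);
  }
  return v;
}

function safeGreeting(body) {
  return 'Hello ' + requireString(body, 'firstname').trim();
}

const body = parseForm(constructedBody);
console.log(body.firstname);            // [ 'Seppo', 'Seppo' ]
try { naiveGreeting(body); } catch (e) { console.log(`naive: ${e.name}`); }
try { safeGreeting(body); } catch (e) { console.log(`safe: ${e.message}`); }
```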


Mapping and validating request values

Validating may sound simple, but there’s more to it than checking whether something is a string, a number or an email address. If your system has prefilled values, e.g. in a dropdown menu, you should always make sure that the user has submitted a valid one. This means that you must always use a surrogate structure (a lookup table of allowed values) to get the final value for your operations.

// POST position=coder
// Lookup table: the key is what the client sends, the value is what the system uses.
const position = positions[req.body.position]; // can be an id, a number or even the same value.
fetchJobs(position);

The example above shows that the job position data structure holds the final value that should be used in the function call. Never trust user input.
More information on data validation:
https://www.owasp.org/index.php/Data_Validation
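The following is an added example, not code from the original post: it shows a pitfall of the plain-object lookup above and an allowlisted version. A plain object also "has" inherited keys, so a client sending `position=constructor` gets a function back rather than `undefined`; a `Map` of own entries does not. The `positions` table and the `lookupNaive` / `lookupSafe` names are constructed for this example.

```javascript
// Added example (not from the original post). Constructed lookup table:
// dropdown label -> internal job-position id.
const positions = { coder: 17, designer: 23, tester: 42 };

// The post's lookup as written. Fine for 'coder', but because `positions` is a
// plain object, inherited keys such as 'constructor' or '__proto__' resolve
// too, so an unexpected input yields a function or an object instead of an id.
function lookupNaive(input) {
  return positions[input];
}

// Allowlisted lookup: only the table's own entries exist in the Map, and
// anything that is not a known string key is rejected as a client error.
const positionIds = new Map(Object.entries(positions));

function lookupSafe(input) {
  if (typeof input !== 'string' || !positionIds.has(input)) {
    throw new Error(`400 Bad Request: unknown position '${String(input)}'`);
  }
  return positionIds.get(input);
}

console.log(lookupNaive('coder'));               // 17
console.log(typeof lookupNaive('constructor'));  // 'function'
console.log(lookupSafe('coder'));                // 17
try { lookupSafe('constructor'); } catch (e) { console.log(e.message); }
```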


Don’t show your internals

This is too obvious to notice in day-to-day life. Most coders know that throwing an exception or error trace at the user is bad. Some think it’s ugly, some think it reveals too much.
How far can we take this? Put on the hat of an attacker and consider what these messages reveal about the system:

  • ID 1432 does not exist
    • This gives a hint about the format of your IDs. Also, now you know the field name.
  • table ‘users’ does not exist
    • Do not tell whether a table exists. Now the attacker knows your table name.
  • user ‘Seppo Sorsa’ does not exist
    • Never reveal whether a user exists in your system.
  • password for ‘Seppo Sorsa’ is incorrect
    • Now the attacker knows that this user does exist in the system.
  • user does not exist
    • Same as above
  • incorrect password
    • Same as above

 
Better alternatives

  • An error occurred.
  • User does not exist or password incorrect
  • Error 3451, Please use this as a reference when contacting customer support.
    • (Then give list of error codes and explanations to customer support.)

These seem like minor things, but all of them expose attack surface to a malicious attacker, giving them a starting point from which to dig deeper.
More information about attack surface:
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
 

NodeGoat learning environment

There’s a simple learning environment for Node.js where you can learn about the OWASP Top 10 security risks: https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
What you need is Docker (https://docs.docker.com/installation/) and Docker Compose (https://docs.docker.com/compose/install/).
1. Get the sources

git clone https://github.com/OWASP/NodeGoat.git
cd NodeGoat

 
2. Change the db config in config/env/development.js to point to the respective Docker container:

db: "mongodb://mongo:27017/nodegoat",

 
3. Build and run

docker-compose build
docker-compose up

 
4. Open up learning tutorial and have fun!

http://localhost:4000/tutorial

 

Jari Timonen
