Guide to User Data Security

[Batu69]

Download this Guide as a PDF

1 Overview

"LinkedIn hack releases 167 million accounts."

"Milwaukee Bucks organization accidentally leaks player financials onto the Internet."

"4.8 Million V-Tech customer's data stolen."

 

These headlines scream: software security is a big deal.

While thinking about software security often creates that sinking, pit-like feeling in your stomach, it pales in comparison to the nausea that strikes when the CEO is on the news explaining that the software system you built leaked private information about users.

 

There's no industry, no organization and no classification of software that is immune to the predatory antics of hackers. Personal information, corporate data, even high-profile social media accounts are under constant attack. Any server system accessible from the Internet is not just a potential target, but an actual target. When Microsoft first starting working on their Windows 2000 software system they wanted to see how well it would resist attack. To test this, they put a few servers onto the network and waited. Within hours the attacks began. We conducted the same experiment in 2016 and it took less than 60 minutes for the first brute force attack to come in from overseas.

 

So as I mentioned before, software security is a big deal.

Security is complex and for many software professionals an incredibly intimidating task that is easy to just ignore as a problem "outside the scope of requirements".

 

However, this is no longer a viable option. Security has moved from a "we'll get to that eventually" feature to a priority. Security must be skillfully factored into designs, projects and timelines.

 

This guide is for the software developer, architect or system administrator who doesn't want to spend a lifetime wading through cryptographic algorithms and complicated explanations of arcane system administration topics to tackle software security. We are a software development company and we have taken everything we know (and have learned through the years) about server and application security and distilled it into this simple yet detailed guide. This is not the sum of all things that could be or have been said about software security, but if you implement each of the concepts below your user data will be highly secure.

 

There are two parts to the guide: Server Security and Application Security. We don't see one as more important than the other, so we strongly encourage readers to digest both sections with equal attention. We provide a series of guidelines and steps to harden the servers/applications and protect against direct attacks. This isn't a "Why" kind of guide; this is a "How" guide. We trust that those interested in the "Why" will find plenty of other resources to satisfy their curiosity. For those of you interested in the "How", let's get started.

2 TL;DR

If you would rather not read our entire security guide (though we suggest you do), check out the Github project created around this guide. This project contains a set of scripts you can execute from your local computer to secure a remote server. The scripts perform most of the steps listed in this guide. The Github project also contains full configuration files based on the configuration detailed below that are deployed to the server by the scripts.

 

NOTE: That is only half of the equation, so you will still want to read the Application Security section of the guide.

Find our Github project here: https://github.com/inversoft/2016-security-scripts

3 The App and Contest

We wrote a simple application in order to ensure everything in this guide worked correctly. Our application is a simple to-do manager. Users can register for an account and log into the application. Once logged in, users can manage their to-do list. Our application uses Node.js, Express and Sequelize for the server-side, Ember.js for the front-end MVC, and MySQL and Passport for the databases. Passport is used to store user data and MySQL is used to store the to-dos.

 

We've open sourced all the code and deployed our application to a couple of Linode servers. We invite you to use our code to help secure your own applications and to also let us know if we've missed any security vulnerabilities.

 

As an added bonus, we're giving away a new 15" fully loaded MacBook Pro to the first person who can breach our security. Since this guide is designed to prevent a hacker from gaining access to the full user database, we will be giving the prize to anyone that can prove access to our user database. More specifically, we aren't giving the prize for single user exploits or denial of service attacks. To win the prize, you must accomplish one of these hacks or something similar:

• Gain access to one of the servers our application is running on without detection.
• Prove an exploit that would allow retrieval of 50% or more of the user data stored in our database (via an application exploit or something similar).

To make your lives easier, we're going to give you the IP addresses of both our servers (even though in a real situation you wouldn't know the IP address of the Database Server). Those IP addresses are:

• Application Server - 192.81.133.144
• Database Server - 45.56.92.87

And finally, the front-end of our application lives here:

 

https://hackthis.inversoft.com

 

If you find an exploit or gain access to our servers, send us an email at [email protected] so we can verify it and send you the MacBook.

As you read through this guide, keep in mind that most of the instructions below are framed as if you were building an application whose architecture is similar to the one that we built.

 

However, any server-side application that uses a database can use any or all of the techniques covered below but you might need to make some tweaks in order to get our instructions to work for your specific application.

 

4 Server Security