--- It would be highly appreciated if you could share some information about the web practices followed by your company you work for at the moment or what you could say as good web practices? Thanks guys ! Regards, Tejas (Nirvan) Pagooah CTO at Graphics Temple Ltd, Twitter <http://www.twitter.com/Nirvanknight> / Facebook <http://www.facebook.com/Nirvanknight> / LinkedIn <http://mu.linkedin.com/pub/tejas-pagooah/45/27b/a9a/> -----Original Message----- From: S Moonesamy [mailto:sm+mu_at_elandsys.com] Sent: Tuesday, February 17, 2015 1:20 PM To: Mohammad Nadim; Tejas Pagooah (Nirvan); mauritius-internet-users_at_lists.elandnews.com Subject: Re: Web practices Hi Nadim, Nirvan, At 13:14 15-02-2015, Mohammad Nadim wrote: >We are seeing many local websites being compromised mainly because the >off-the-shelf CMS (Joomla, Drupal, Wordpress, etc) that were used are >not patched when patches are provided following report of a security >hole. Moreover inexperienced web-masters tend to install plugins >without being aware whether they are vulnerable or not. The www.onelove.mu <http://www.onelove.mu> web site is still compromised. A webmaster would not know what to do as the person may not have the training to fix the problem. The local web sites which have been compromised are probably run by similar webmasters. >Web agencies or freelances are not to be blamed entirely. Well we have >amateurs providing services for as low at Rs 6K - surely they do not >provide a professional service. On the other hand, clients do not want >to pay for good service provided by competent web agencies / >freelancers. When they are reluctant to pay for a normal service, how >do you expect them to pay for a maintenance contract ? Hence, in the >absence of a maintenance contract, patches are not applied, resulting >in the clients' websites being compromised. If my customers' web sites were compromised they would blame me. There will always be amateurs and professional services selling web sites for as low as Rs 6000. It is difficult for the clients to determine whether they are getting something good for what they are being charged. >Developers should secure a maintenance contract from their clients and >monitor the websites they have developed, and apply patches when >released. > >If web-agencies / developers do not want to monitor the websites they >have developed (or find it time consuming, or maybe don't find it >profitable - they cannot afford additional >resources: man power, etc), then they should not use off-the-shelf CMS. >They should develop an in-house CMS / framework-mashup and use it in >their projects. Since their codes are not publicly available, there is >less chance of hackers finding vulnerabilities in the applications (v/s >publicly available codes). I'll comment about vulnerabilities. The person(s) who compromised r1.mu, lekip.mu, lasentinelle.mu and coffeeatmcb.mu last month did not read the source code of the applications to compromise those web sites. >Not releasing an in-house CMS / framework-mashup does not make the >codes secure and hacker-proof. >When developing something like that, it is best to follow the >guidelines provided by Open Web Application Security Project (OWASP). Companies might not be interested to pay for a maintenance contract where the developer only apply patches. The work being provided would have to be more than that for it to be considered as useful. Have the commonly used CMS followed the OWASP guidelines? I do not believe that they have. This is where a company might decide to implement internal guidelines to ensure that they are delivering something reliable to the customer. As other companies do that, they end up sharing a set of common practices. That helps the customer to determine whether the Rs 6000 web site is of an good quality or a low quality web site. Web practices are not only about CMS vulnerabilities. Some companies may not wish to have a web site which only works with Mozilla Firefox. 3.1 and above. Some companies may not wish to see their customer list made public. At 21:45 16-02-2015, Tejas Pagooah \(Nirvan\) wrote: >Exploits are readily available online, an example can be: >http://packetstormsecurity.com or http://www.exploit-db.com/ ; you just >need to find the version of CMS (Wordpress, Vbulletin, IPB, Joomla etc >) the victim is using and you test the exploit, if the system is >vulnerable, the attacker just hack into the system. Yes. > From my expertise in the field of development, be it in web or desktop > applications, I always stress in testong the application before we go > live. By tests, I mean doing basic penetration testings (even if it > doesn't conform to the PTES [1] ) or searching the list of > vulnerabilities affecting the system and try to mitigate the level of > risk by applying the needed patched or updates. That's one way to be > sure that you won't have security issue but the system won't be 100% secure. > >In the past few years, I have seen developers and companies being lazy >people (I was one), they just develop a system and then deliver it to >the client as it is! I have also been lazy. :-) >Let's assume you are using Joomla 3.2 for a particular project and >just before you launch the website, Joomla 3.3 is out. What do you do? >You upgrade the system? What about the deprecated functions and >variables? Will it affect the system if you upgrade which will result >in breaking the website? That's another problem. I did this mistake in >the past but with time I understood that I was wrong and I don't want >other developers to do this mistake again. >Before you develop a system, have a look at the announcements of CMS >development team, there are usually beta versions outs, if there is a >beta version – It is sure that there will be an update soon ! That's >another way to stay secure. >Keep up-to-date with the latest news. > >I don't specialize into system administration actually but I do seek >advice from professionals about how to stay secure. Another way to hack >into an application is penetrating into the server itself. Since I >don't specialize in system administration, I outsource the work to >someone who has better expertise in this rather than doing everything >by myself (Don't be greedy ! Pay people who can do it better than you) >and when there will be a problem, you won't be able to answer. > >Another way to stay secure is to invest into security, you want a good >system, you need to pay for that and don't expect a good work if you >don't want to spend – clients problem: why does it cost that much? > >Quoting from somewhere: > >Unfortunately developers of most applications are provided objectives >based solely on functionality and very little if any security measures >are taken into account. After all, if it's not written into their job >description, why should it concern them? This in turn produces >applications containing multiple vulnerabilities ranging from >weaknesses around input validation, error handling, session management, >and failure to implement proper access controls. Sometimes it takes an >exploited vulnerability resulting in a data breach or application >defacement for developers and managers to realize the impact of having >these weaknesses in their application. >According to the SANS (SysAdmin, Audit, Network, >Security) Institute Top 20 Internet Security Attack Targets, every week >hundreds of vulnerabilities are being reported in… web applications,and >are being actively exploited. >The number of attempted attacks every day for some of the large web >hosting farms range from hundreds of thousands to even millions. >That's another discussion. > >[1] Penetration Testing Execution standards. I like the "don't be greedy" advice. :-) I would ask other persons to do part of a work as they can do it better than me. I perform a review of the components being used for a project. I leave some of the details to the other persons I work with. I like that part of the work to be done correctly. :-) One of the problems on the system administration side is the lack of documentation. My experience of applying security updates is that it can break a web site. Some system administrators do not know how to fix that; they avoid applying updates. I prefer not to rely to much on penetration testing as it is more about auditing. Some companies do very basic tests and call that penetration testing. The problem at the moment is that there isn't a minimum when it comes to security. From http://www.defimedia.info/live-news/item/66744-le-rezo-otayo-victime-d-une-a ttaque-informatique.html "La plupart des logiciels antivirus sont à même de les détecter et de les supprimer des ordinateurs des utilisateurs." Do you build a web site and advise your client to tell their customers to only visit the web site if they are running an antivirus? It is a very amateurish way to handle a security-related problem. The objective of having this discussion is so that we can agree on at least some minimum security as it is in the interest of the users in Mauritius and it may also be in the interest of companies doing professional work. Regards, S. MoonesamyReceived on Wed Mar 11 2015 - 21:06:10 PST
This archive was generated by hypermail 2.3.0 : Wed Mar 11 2015 - 21:09:01 PST
