What will the developer do (Was: Web practices)

From: Tejas Pagooah (Nirvan) <"Tejas>
Date: Thu, 12 Mar 2015 01:05:44 +0400

Hello everyone.
Well, this concerns an old topic in the MIU (Mauritius Internet Users)
mailing list, "Web Practices". I am mailing you as major
stakeholders/developers in web agencies in Mauritius to know more about the
web practices followed by your company.

--- EXTRACT OF ORIGINAL MESSAGE ---
On 31 January 2015 at 02:27, S Moonesamy <sm+mu_at_elandsys.com> wrote:
Hi Nadim,
The screenshot at http://www.elandsys.com/~sm/calaw-mu-compromised.png was
taken in July 2014. The web site has been compromised once again. There
are other web sites in Mauritius which have encountered similar problems.
It may be due to the lack of information about web practices.
Could you please introduce yourself and share some information about the web
practices followed by the company you work for?
Thanks,
S. Moonesamy
---
It would be highly appreciated if you could share some information about the
web practices followed by the company you work for at the moment, or what
you would consider good web practices.
Thanks guys!
Regards,
Tejas (Nirvan) Pagooah
CTO at Graphics Temple Ltd,
Twitter <http://www.twitter.com/Nirvanknight>  / Facebook
<http://www.facebook.com/Nirvanknight>  / LinkedIn
<http://mu.linkedin.com/pub/tejas-pagooah/45/27b/a9a/> 
-----Original Message-----
From: S Moonesamy [mailto:sm+mu_at_elandsys.com] 
Sent: Tuesday, February 17, 2015 1:20 PM
To: Mohammad Nadim; Tejas Pagooah (Nirvan);
mauritius-internet-users_at_lists.elandnews.com
Subject: Re: Web practices
Hi Nadim, Nirvan,
At 13:14 15-02-2015, Mohammad Nadim wrote:
>We are seeing many local websites being compromised mainly because the 
>off-the-shelf CMS (Joomla, Drupal, Wordpress, etc) that were used are 
>not patched when patches are provided following report of a security 
>hole. Moreover inexperienced web-masters tend to install plugins 
>without being aware whether they are vulnerable or not.
The www.onelove.mu web site is still compromised.  A webmaster would not
know what to do as the person may not have the training to fix the problem.
The local web sites which have been compromised are probably run by similar
webmasters.
>Web agencies or freelancers are not to be blamed entirely. Well we have 
>amateurs providing services for as low as Rs 6K - surely they do not 
>provide a professional service. On the other hand, clients do not want 
>to pay for good service provided by competent web agencies / 
>freelancers. When they are reluctant to pay for a normal service, how 
>do you expect them to pay for a maintenance contract? Hence, in the 
>absence of a maintenance contract, patches are not applied, resulting 
>in the clients' websites being compromised.
If my customers' web sites were compromised they would blame me.  There will
always be amateurs and professional services selling web sites for as low as
Rs 6000.  It is difficult for the clients to determine whether they are
getting something good for what they are being charged.
>Developers should secure a maintenance contract from their clients and 
>monitor the websites they have developed, and apply patches when 
>released.
>
>If web-agencies / developers do not want to monitor the websites they 
>have developed (or find it time consuming, or maybe don't find it 
>profitable - they cannot afford additional
>resources: man power, etc), then they should not use off-the-shelf CMS. 
>They should develop an in-house CMS / framework-mashup and use it in 
>their projects. Since their code is not publicly available, there is 
>less chance of hackers finding vulnerabilities in the applications (v/s 
>publicly available code).
I'll comment about vulnerabilities.  The
person(s) who compromised r1.mu, lekip.mu, lasentinelle.mu and
coffeeatmcb.mu last month did not read the source code of the applications
to compromise those web sites.
>Not releasing an in-house CMS / framework-mashup does not make the 
>code secure and hacker-proof.
>When developing something like that, it is best to follow the 
>guidelines provided by Open Web Application Security Project (OWASP).
Companies might not be interested in paying for a maintenance contract where
the developer only applies patches.  The work being provided would have to be
more than that for it to be considered useful.  Have the commonly used
CMS followed the OWASP guidelines?  I do not believe that they have.  This
is where a company might decide to implement internal guidelines to ensure
that they are delivering something reliable to the customer.  As other
companies do that, they end up sharing a set of common practices.  That
helps the customer to determine whether the Rs 6000 web site is of good
quality or a low-quality web site.
Web practices are not only about CMS vulnerabilities.  Some companies may
not wish to have a web site which only works with Mozilla Firefox 3.1 and
above.  Some companies may not wish to see their customer list made public.
At 21:45 16-02-2015, Tejas Pagooah (Nirvan) wrote:
>Exploits are readily available online; examples are 
>http://packetstormsecurity.com or http://www.exploit-db.com/ . You just 
>need to find the version of CMS (Wordpress, Vbulletin, IPB, Joomla etc.) 
>the victim is using and you test the exploit; if the system is 
>vulnerable, the attacker just hacks into the system.
Yes.
> From my expertise in the field of development, be it in web or desktop 
> applications, I always stress testing the application before we go 
> live. By tests, I mean doing basic penetration tests (even if they 
> don't conform to the PTES [1]) or searching the list of 
> vulnerabilities affecting the system and trying to mitigate the level of 
> risk by applying the needed patches or updates. That's one way to be 
> sure that you won't have security issues, but the system won't be 100% 
> secure.
>
>In the past few years, I have seen developers and companies being lazy 
>people (I was one), they just develop a system and then deliver it to 
>the client as it is!
I have also been lazy. :-)
>Let's assume you are using Joomla 3.2 for a particular project and 
>just before you launch the website, Joomla 3.3 is out. What do you do?
>You upgrade the system? What about the deprecated functions and 
>variables? Will it affect the system if you upgrade, which will result 
>in breaking the website? That's another problem. I made this mistake in 
>the past but with time I understood that I was wrong and I don't want 
>other developers to make this mistake again.
>Before you develop a system, have a look at the announcements of the CMS 
>development team; there are usually beta versions out, and if there is a 
>beta version, it is sure that there will be an update soon! That's 
>another way to stay secure.
>Keep up-to-date with the latest news.
>
>I don't specialize in system administration actually, but I do seek 
>advice from professionals about how to stay secure. Another way to hack 
>into an application is penetrating the server itself. Since I 
>don't specialize in system administration, I outsource the work to 
>someone who has better expertise in this rather than doing everything 
>by myself (Don't be greedy! Pay people who can do it better than you), 
>otherwise when there is a problem, you won't be able to answer.
>
>Another way to stay secure is to invest into security, you want a good 
>system, you need to pay for that and don't expect a good work if you 
>don't want to spend – clients problem: why does it cost that much?
>
>Quoting from somewhere:
>
>Unfortunately developers of most applications are provided objectives 
>based solely on functionality and very little if any security measures 
>are taken into account. After all, if it's not written into their job 
>description, why should it concern them? This in turn produces 
>applications containing multiple vulnerabilities ranging from 
>weaknesses around input validation, error handling, session management, 
>and failure to implement proper access controls. Sometimes it takes an 
>exploited vulnerability resulting in a data breach or application 
>defacement for developers and managers to realize the impact of having 
>these weaknesses in their application.
>According to the SANS (SysAdmin, Audit, Network, Security) Institute 
>Top 20 Internet Security Attack Targets, every week hundreds of 
>vulnerabilities are being reported in… web applications, and 
>are being actively exploited.
>The number of attempted attacks every day for some of the large web 
>hosting farms range from hundreds of thousands to even millions.  
>That's another discussion.
>
>[1] Penetration Testing Execution Standard.
I like the "don't be greedy" advice. :-)  I would ask other persons to do
part of a work as they can do it better than me.  I perform a review of the
components being used for a project.  I leave some of the details to the
other persons I work with.  I like that part of the work to be done
correctly. :-)
One of the problems on the system administration side is the lack of
documentation.  My experience of applying security updates is that it can
break a web site.  Some system administrators do not know how to fix that;
they avoid applying updates.  I prefer not to rely too much on penetration
testing as it is more about auditing.  Some companies do very basic tests
and call that penetration testing.
The problem at the moment is that there isn't a minimum when it comes to
security.  From
http://www.defimedia.info/live-news/item/66744-le-rezo-otayo-victime-d-une-attaque-informatique.html
   "Most antivirus software is able to detect them and remove them from
    users' computers."
Do you build a web site and advise your client to tell their customers to
only visit the web site if they are running an antivirus?  It is a very
amateurish way to handle a security-related problem.
The objective of having this discussion is so that we can agree on at least
some minimum security as it is in the interest of the users in Mauritius and
it may also be in the interest of companies doing professional work.
Regards,
S. Moonesamy  
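The attack path Nirvan describes above (find the CMS and its version, then try the public exploits for it) starts with fingerprinting, and the same fingerprint is what a maintainer can run against their own sites to see whether a patch is overdue. The following is an added example written for this archive page; it is not code from either poster or from any CMS project. It looks for the `<meta name="generator">` tag that WordPress, Joomla and Drupal emit by default, falls back to well-known asset paths when that tag has been removed, and compares the disclosed version with a release table. The sample HTML pages and the `KNOWN_CURRENT` table are constructed for illustration; the release numbers in it are assumptions that must be replaced with current data before real use.

```python
import re
from typing import Optional, Tuple

# Added example (not from the mailing list): fingerprint a CMS from a
# page's HTML, then say whether the disclosed version is behind a known
# release.  Everything below is offline and self-contained.

_META_RE = re.compile(r'<meta\b([^>]*)>', re.I)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
_VERSION_RE = re.compile(r'\b(\d+(?:\.\d+)*)\b')

# ASSUMPTION: illustrative "current release" table; in practice feed it
# from each project's release announcements, which is the work a
# maintenance contract is supposed to cover.
KNOWN_CURRENT = {'wordpress': '4.1.1', 'joomla': '3.4.0', 'drupal': '7.35'}


def generator_tag(html: str) -> Optional[str]:
    """Return the content of <meta name="generator"> if present.

    Attributes are parsed individually so name/content order and the
    capitalised 'Generator' that Drupal uses are both handled.
    """
    for tag in _META_RE.finditer(html):
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(tag.group(1))}
        if attrs.get('name', '').lower() == 'generator':
            return attrs.get('content')
    return None


def fingerprint_cms(html: str) -> Tuple[Optional[str], Optional[str]]:
    """Guess (cms, version) from the page; either may be None."""
    cms = version = None
    gen = generator_tag(html)
    if gen:
        low = gen.lower()
        if 'wordpress' in low:
            cms = 'wordpress'
        elif 'joomla' in low:
            cms = 'joomla'
        elif 'drupal' in low:
            cms = 'drupal'
        m = _VERSION_RE.search(gen)
        if cms and m:
            version = m.group(1)
    if cms is None:
        # The generator tag is easy to strip; asset paths are not.  Hiding
        # the version does not hide the CMS.
        if re.search(r'/wp-(content|includes)/', html):
            cms = 'wordpress'
        elif re.search(r'/media/(jui|system)/', html):
            cms = 'joomla'
        elif re.search(r'/sites/(default|all)/', html):
            cms = 'drupal'
    return cms, version


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split('.'))


def assess(html: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (cms, version, status) where status is one of
    'unknown', 'undisclosed', 'partial', 'outdated', 'current'."""
    cms, version = fingerprint_cms(html)
    if cms is None:
        return None, None, 'unknown'
    if version is None:
        return cms, None, 'undisclosed'
    have, current = parse_version(version), parse_version(KNOWN_CURRENT[cms])
    if len(have) < len(current):
        status = 'partial'      # e.g. Drupal only discloses the major version
    elif have < current:
        status = 'outdated'
    else:
        status = 'current'
    return cms, version, status


# Constructed sample pages (not captured from any real site).
SAMPLE_WORDPRESS = ('<html><head><meta name="generator" content="WordPress 4.0.1" />'
                    '</head><body><script src="/wp-includes/js/jquery/jquery.js">'
                    '</script></body></html>')
SAMPLE_JOOMLA = ('<html><head><meta name="generator" '
                 'content="Joomla! - Open Source Content Management" /></head></html>')
SAMPLE_DRUPAL = ('<html><head><meta name="Generator" '
                 'content="Drupal 7 (http://drupal.org)" /></head></html>')
SAMPLE_STRIPPED = ('<html><head><title>x</title><link rel="stylesheet" '
                   'href="/wp-content/themes/twentyfifteen/style.css"></head></html>')
SAMPLE_PLAIN = '<html><body>hello</body></html>'

if __name__ == '__main__':
    for name, page in [('wordpress', SAMPLE_WORDPRESS), ('joomla', SAMPLE_JOOMLA),
                       ('drupal', SAMPLE_DRUPAL), ('stripped', SAMPLE_STRIPPED),
                       ('plain', SAMPLE_PLAIN)]:
        print(name, assess(page))
```

The 'undisclosed' result for the stripped WordPress page is the point worth noting: removing the generator tag (WordPress sites commonly do this with `remove_action('wp_head', 'wp_generator')` in a theme) keeps the version out of the page, but the fallback branch still identifies the CMS, and the attacker can simply try every exploit for that CMS in turn. Hiding the version is cosmetic; applying the update, which the thread keeps coming back to, is the fix.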
Received on Wed Mar 11 2015 - 21:06:10 PST

This archive was generated by hypermail 2.3.0 : Wed Mar 11 2015 - 21:09:01 PST