Security Blog: OWASP

December 23, 2016

Security is an important but often neglected issue for early stage startups. Resources are frequently tied up in development, iterations, marketing and growth, rather than building a secure infrastructure.

Placing a low priority on security issues is especially concerning where money is involved. As a FinTech platform, you must convince your customers, your partners, banks and regulators that your platform is secure. 

Over the next few blog posts I’ll be sharing some security insights that I’ve learned over the years, with an emphasis on FinTech platform specific issues. 

Before I begin, we all need to accept an unfortunate truth: No one can guarantee 100% security. An example of this is the recent DDoS attack on Dyn. Major websites like Spotify, Netflix and GitHub were brought to their knees by an attack on one of their service providers. Unless you’ve built everything in-house, from servers to DNS, and you don’t use any external services or infrastructure, you’re vulnerable.

That being said, we can and should focus on the things we can control, namely: our code and configurations. For everything else, we’ll just have to trust that we’ve done our best in selecting the most secure service provider possible.

Everything I know about security boils down to two things:

Don't Trust User Input

Really, though. Don’t trust user input. You never know who is on the other side. It could be a valid user, but it could also be a highly trained HTTP magician who can extract sensitive information or inject anything into request headers.

Every few years, OWASP (Open Web Application Security Project) releases a list of the 10 Most Critical Web Application Security Risks. If you’re not familiar with OWASP, they’re an online community of the most talented good guys involved in security. An update is slated for 2017, so let's go over the most current list, which was released in 2013:

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Components with Known Vulnerabilities

A10 - Unvalidated Redirects and Forwards

Did you notice that seven of these top ten vulnerabilities can be exploited by a user’s malicious inputs alone?! These include Injection, Broken Authentication and Session Management, XSS, IDOR, Missing Function Level Access Control, CSRF and Unvalidated Redirects.

The only defense against these seven is input validation. Validate user input for JavaScript to avoid XSS, validate your database query for SQL injection, validate your forms for CSRF.

You don’t have to reinvent the wheel when implementing input validation. Frameworks like Django or RoR come with built-in tools to mitigate your risk. Simply fire off a few of their functions and you’re off to a good start.

Even PHP has functions to help, despite it being considered one of the more insecure languages. For example: to ensure your user’s JavaScript isn’t executed or saved in a database, all you need is htmlspecialchars(). I’ll go into more detail on PHP in a future post.
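Putting the htmlspecialchars() advice above into practice, as an added example that is not from the original post: the flags and charset that make the call do what the sentence promises, shown in a text and an attribute context, plus a small allowlist check for the one context (an href) where escaping alone is not enough. The helper name safe_href() and its http/https allowlist are this example's own choices.

```php
<?php
// Added example, not from the original post: escaping untrusted input for an
// HTML context with htmlspecialchars(), applied at the point of output.

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both " and ' (without it, ' is left alone before
 * PHP 8.1, which matters inside single-quoted attributes); ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string; the explicit
 * charset keeps the escaping in step with the page's declared encoding.
 */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Escaping alone does not make a URL safe in an href: a URL whose scheme
 * runs script contains nothing htmlspecialchars() would change. Allow only
 * http/https before escaping; anything else falls back to a harmless '#'.
 * (Helper name and allowlist are this example's own choices.)
 */
function safe_href(string $untrusted): string
{
    $scheme = strtolower((string) parse_url($untrusted, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($untrusted);
}

// Constructed sample values standing in for form fields a user submitted.
$name = "<script>alert(1)</script> O'Brien";
$site = 'https://example.com/?q=<b>&x="y"';

// Text context: the markup reaches the browser as literal characters.
echo '<p>Hello, ' . e($name) . "</p>\n";

// Attribute context: quotes are escaped, so the value cannot close the attribute.
echo "<input type='text' name='display' value='" . e($name) . "'>\n";

// URL context: scheme check first, then attribute escaping.
echo '<a href="' . safe_href($site) . '">Profile</a>' . "\n";
```

Run it with `php example.php` and compare the three lines of output against the raw $name and $site values to see which characters changed in each context.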

Make sure everything is properly configured (and updated!)

In addition to validating user information, ensuring proper configurations and updating existing software is just as important as writing secure code. This brings us to the last three of the OWASP Top-10 list: ‘Security misconfiguration’, ‘Sensitive data exposure’ and ‘Using components with known vulnerabilities’. 

If exposing your server versions and names (in response headers or 404 pages) doesn’t sound like a security issue, do a Google search for “Metasploit Framework”. There are tons of CVEs (Common Vulnerabilities and Exposures) publicly available.

At Synapse we provide free security audits for the OWASP Top-10 as part of our onboarding process for new platforms and while maintaining existing customer accounts. We do this because it’s the right thing to do -- not only for your platform, but also for the protection of end-user data. While this does not guarantee 100% security, it does prevent many commonly identified security vulnerabilities. If you are one of our customers and have questions about your security audit, don’t hesitate to reach out to us.

Further reading:

1. OWASP Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10

2. 2016 Dyn cyberattack: https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

3. CVE: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

4. PHP security: http://php.net/manual/en/security.php

5. Django security: https://docs.djangoproject.com/en/1.10/topics/security/

Manish Bhattacharya

Security @ Synapse