How to: Development: How to make your project more secure

As a business-centric hosting provider for e-commerce, our mission is to create an environment of uninterrupted operation and continuous growth for each project. That’s why our clients’ security is our main priority. To fulfil this mission, we collect the best industry practices for improving data security and integrity. We take on the huge responsibility of creating the safest environment for online businesses and dedicate a significant part of our time to researching common and emerging threats and testing our security measures and infrastructure.

According to our analysis, the security level stays high when the hosting provider and the project owner cooperate closely and implement a joint security strategy. That’s why we have prepared a list of three main vulnerabilities (security gaps) that hackers can use to harm your business or even destroy it, and we want to share it with you. Paying attention to these three points on the business owner’s side will significantly reduce the chances of having your online store breached and private or financial data stolen.

Development on production websites

A DEV server is meant for raw versions of the product: the software may contain errors and vulnerabilities. If an error or issue occurs on the “dev” project, it can affect the “production” website when both are on a single server. In addition, development usually leaves lots of entry points and sensitive files exposed.

  • Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. (A10:2017-Insufficient Logging & Monitoring)
  • Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files and “sph” files, modifying other users’ data, changing access rights, etc. (A2:2017-Broken Authentication, A5:2017-Broken Access Control)

Most of this falls under A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. It is usually the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched/upgraded in a timely fashion.

Sensitive information disclosure

Unfortunately, sometimes you develop or test something on the production servers. We know it ;)

  • Typical files and directories that get left behind on a production server and end up readable by anyone (the A5:2017-Broken Access Control case above):
>> phpinfo.php, info.php, test.php, log.txt, error_log, etc.
>> config.local.php.{save,bck,log,lol,old}, backup.zip, old_store/, new_store, etc.
>> sph{1,2,3,4,l,lite}.php, admin.php, adminer.php, etc.

Instead of the adminer script, we recommend a properly secured phpMyAdmin installation.
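The two checks below are an added example written for this article; they are not CS-Cart’s or the hosting provider’s own tooling. They cover the file list above and the A10 logging point from the previous section: one function walks a web root and reports anything whose name matches the leftovers listed in this article, the other runs the same name list over a combined-format access log so that requests for those paths show up in monitoring instead of going unnoticed. The pattern list, the script name check_prod.sh and the sample web root and log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not CS-Cart's or the hosting provider's own tooling.
# Two checks for the "sensitive information disclosure" list above and for
# the A10 logging/monitoring point in the previous section:
#   find_leftovers DOCROOT  lists files and directories under a web root whose
#                           names match the leftovers named in the post
#   probes_in_log LOGFILE   lists requests in a combined-format access log
#                           that asked for those same paths
# Both print their findings and return 1 when something was found, 0 when
# clean, so they can run from cron or a deploy pipeline.

# ERE for the names listed in the post. The exact list is an assumption:
# extend it with whatever your own deployments tend to leave behind, and drop
# admin.php if your store still uses that default name for its admin panel.
LEFTOVER_REGEX='(^|/)(phpinfo\.php|info\.php|test\.php|log\.txt|error_log|config\.local\.php\.(save|bck|log|lol|old)|backup\.zip|old_store|new_store|sph[0-9a-z]*\.php|admin\.php|adminer\.php)$'

find_leftovers() {
    docroot=$1
    # grep exits 1 on no match; "|| true" keeps the function usable under set -e
    hits=$(find "$docroot" \( -type f -o -type d \) | grep -E "$LEFTOVER_REGEX" || true)
    if [ -n "$hits" ]; then
        printf 'leftover files under %s:\n%s\n' "$docroot" "$hits"
        return 1
    fi
    return 0
}

probes_in_log() {
    logfile=$1
    # Combined log format: fields 4-5 are the bracketed timestamp, field 7 the
    # request path and field 9 the status. The query string is stripped before
    # matching so "/adminer.php?x=y" is still caught.
    hits=$(awk '{ p = $7; sub(/\?.*/, "", p); print $1, $9, p }' "$logfile" \
           | grep -E "$LEFTOVER_REGEX" || true)
    if [ -n "$hits" ]; then
        printf 'requests for leftover files in %s (client status path):\n%s\n' "$logfile" "$hits"
        return 1
    fi
    return 0
}

# Runs both checks against constructed sample data (a throw-away web root and
# four log lines) so the script demonstrates itself without touching the host.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/app" "$tmp/www/old_store"
    touch "$tmp/www/app/index.php" "$tmp/www/phpinfo.php" \
          "$tmp/www/config.local.php.bck" "$tmp/www/sph1.php"
    cat > "$tmp/access.log" <<'EOF'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?dispatch=products.view HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /phpinfo.php HTTP/1.1" 200 61234 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /config.local.php.old HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /adminer.php?server=localhost HTTP/1.1" 403 233 "-" "python-requests/2.31"
EOF
    find_leftovers "$tmp/www" || true
    probes_in_log "$tmp/access.log" || true
    rm -rf "$tmp"
}

# With no arguments run the demo; otherwise: check_prod.sh DOCROOT [ACCESS_LOG]
if [ $# -eq 0 ]; then
    demo
else
    status=0
    find_leftovers "$1" || status=1
    [ -n "${2:-}" ] && { probes_in_log "$2" || status=1; }
    exit "$status"
fi
```

Run it without arguments to see both checks on the constructed data, or as `sh check_prod.sh /var/www/html /var/log/nginx/access.log` against a real host. The 404 for config.local.php.old in the sample is the interesting line: the file is not there, but someone is looking for it, which is exactly the signal the A10 point says should reach whoever handles incidents.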

Old software (ex. outdated CS-Cart and add-ons)

The latest software version is faster, safer and more stable. Upgrade your store or add-ons to protect personal data, rank higher and reduce the number of errors. In the OWASP classification this is A9:2017-Using Components with Known Vulnerabilities. You can check your website for several vulnerabilities via this tool.

Open default ports

Open ports can expose a lot of “helpful” information to hackers, and they can be exploited by “auto-hackers”, aka script kiddies. Again, you can check your website for several vulnerabilities via this tool.

  • FTP (21). FTP servers carry numerous vulnerabilities such as plaintext transport of credentials, directory traversal, and cross-site scripting, as well as anonymous authentication capabilities, making port 21 an ideal target.
  • MySQL (3306). A remotely reachable database connection is an insecure feature :)
  • Redis (6379). Redis exposed to the internet is a helper for DDoS attacks.
  • etc.
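The script below is an added example for this list, not the hosting provider’s or CS-Cart’s own tooling. It reads `ss -tlnH` (or `netstat -tln`) output and reports every socket bound to a wildcard address on a port that is not expected to face the internet, so a MySQL bound to 127.0.0.1 passes while a Redis or FTP daemon bound to 0.0.0.0 is flagged. The allowlist of public ports (22, 80, 443), the script name check_ports.sh and the sample listener lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the hosting provider's or CS-Cart's own tooling. It flags
# services listening on every interface that should only be reachable locally
# (or over a private network), by parsing `ss -tlnH` / `netstat -tln` output.
# Reading saved output means it also works in a CI check or on a copy taken
# from a server. Which ports may face the internet is an assumption: here only
# SSH, HTTP and HTTPS.

PUBLIC_OK_PORTS='22 80 443'

# Labels for the ports discussed in the post; anything else is "port-N".
service_name() {
    case "$1" in
        21)   echo ftp ;;
        3306) echo mysql ;;
        6379) echo redis ;;
        *)    echo "port-$1" ;;
    esac
}

# exposed_services [FILE]: reads listener lines from FILE (or stdin) and prints
# one line per socket bound to a wildcard address on a port not in
# PUBLIC_OK_PORTS. Returns 1 when any such socket exists, 0 otherwise.
exposed_services() {
    hits=$(awk -v ok="$PUBLIC_OK_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        {
            # both ss and netstat put Local Address:Port in field 4
            addr = $4
            port = addr; sub(/.*:/, "", port)            # text after the last colon
            if (port !~ /^[0-9]+$/) next                 # header line or junk
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # wildcard binds as printed by ss/netstat: 0.0.0.0, *, [::], :: (from ":::22")
            if ((host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") && !(port in allowed)) {
                print port, host
            }
        }' "${1:--}")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while read -r port host; do
        printf '%s (%s) is bound to %s, i.e. reachable from every interface\n' \
            "$(service_name "$port")" "$port" "$host"
    done
    return 1
}

# Constructed `ss -tlnH` output: MySQL is correctly bound to loopback, Redis and
# FTP are not, and 22/80/443 are expected to be public.
demo() {
    exposed_services <<'EOF' || true
LISTEN 0 128   0.0.0.0:22        0.0.0.0:*
LISTEN 0 511   0.0.0.0:80        0.0.0.0:*
LISTEN 0 511   [::]:443          [::]:*
LISTEN 0 80    127.0.0.1:3306    0.0.0.0:*
LISTEN 0 511   0.0.0.0:6379      0.0.0.0:*
LISTEN 0 32    0.0.0.0:21        0.0.0.0:*
EOF
}

# With no arguments run the demo; otherwise: ss -tlnH > listen.txt; sh check_ports.sh listen.txt
if [ $# -eq 0 ]; then demo; else exposed_services "$1"; fi
```

The fix for anything the script reports is the same in every case: bind the service to 127.0.0.1 or a private address in its own configuration (for example `bind 127.0.0.1` in redis.conf, `bind-address = 127.0.0.1` in the MySQL server section), or drop the port at the firewall if the service really does need to listen on all interfaces for other reasons. Running the check after each deployment catches the configuration drift that turns a hardened server back into an open one.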

---

Hint

If you have a problem, need assistance with tweaks or a free consultation, if you just want to discuss your project with experts and estimate the outcome, if you're looking for a solution that reinforces your online business, we will help. Let us know through MyCloud or email.