7 Security Risks and Hacking Stories for Web Developers

Captions
If debugging is the process of removing software bugs, then programming must be the process of putting them in. In most cases the bugs we introduce are harmless, but sometimes they can cause us to lose hundreds of millions of dollars in a few minutes, crash airplanes and spaceships, and kill people. Today I want to tell you some stories about the most damaging hacks and bugs throughout history and explain seven software security concepts that every developer should know. If you're new here, like and subscribe, and check out the full write-up on fireship.io.

There are billions upon billions of lines of code in production today: around 50 million lines for Microsoft Windows and over 2 billion lines across all Google services. And within all this code we have vulnerabilities that have either not yet been discovered or not yet been fixed. These are known as zero-day vulnerabilities, because as a developer you have zero days to get it fixed. When a hacker decides to attack this vulnerability, it's known as a zero-day exploit.

Remember that one time Equifax exposed the credit reports of a hundred and fifty million people? That wasn't the result of a zero-day exploit. It was the result of a known bug in Apache Struts that had already been fixed weeks ago. What? Sorry, guys. Hackers, apparently from China, had been scanning the web for servers with this vulnerability. They hit the mother lode with Equifax and extracted sensitive information over the next 76 days. This breach has cost the company over a billion dollars and could have been prevented by installing a simple security patch.

Being hacked by a known vulnerability is not uncommon at all. In fact, you're likely shipping code with a lot of known vulnerabilities right now. If you're a JS developer, go into your project and run npm audit. It will give you a breakdown of all the different ways you can be hacked via your open source dependencies. Now there's no reason to panic if you have hundreds of high severity alerts; the best way to avoid being hacked is to simply update your packages. But if you truly want to understand the flaws that are compromising these packages, you should enroll in the enterprise security course from Angular Academy. It's a ten-week-long program that will teach you how to confidently build secure web applications. You'll find the link in the description, and you can use this code to take $50 off the enrollment price.

Using components with known vulnerabilities is one of the most common ways that web applications get hacked, but it's also very preventable, because as you can see here, most of the issues have already been patched. And keep in mind this issue isn't unique to JavaScript or npm; all package managers that rely on open source code face similar issues. So trust nobody and keep your packages updated.

But most of all, Samy is my hero. Oh, wait a second, I didn't mean to say that last part. It was somehow injected into this video. Back in 2005 a guy named Samy used an exploit known as cross-site scripting to update users' MySpace profiles with this text. Within a day it had spread to over a million users. It was mostly harmless, but they did arrest Samy, convicted him of a felony, and worst of all, took away his internet for a year.

A cross-site scripting exploit occurs when the attacker manages to run some JavaScript code on a different user's browser. There are a few different ways to achieve this, but the most common way is for the attacker to save the script in a web application's database. The malicious script will then be accessed by a different user, which will execute the JavaScript on the client-side device, and at that point the JavaScript code can submit forms and click on buttons on behalf of the logged-in user. So how do you avoid cross-site scripting attacks as a developer? Well, the attacker first needs to save some malicious code on your server, so step one is to do some server-side validation of incoming data. If it's surrounded by script tags, you might not want to save it. But let's imagine you fail to sanitize the incoming data. The attacker still needs a way to run that script on the client-side device, so the attacker is counting on you to render out the raw HTML of the script. Fortunately, modern front-end frameworks make it really difficult to shoot yourself in the foot. In React, for example, if you want to write unsafe code, you have to use this dangerouslySetInnerHTML prop just to do so.

So with cross-site scripting we have malicious code running on the browser, but it's also possible to run bad code directly on a database. Let's go back to 2008 and look at a company named Heartland Payment Systems, a company with the highest standards and the most trusted transactions, and also a company that was the target of one of the most elaborate and interesting hacks of all time. The attackers first gained access to the company's databases by using a technique known as SQL injection. Instead of sending the expected data to the database, they sent raw SQL statements, and because the data was not validated, the database would run this code as if it came from the developers. Now, this particular database contained the information that you would find on the back of a magnetic strip on a credit card, and they used this stolen data to create counterfeit credit cards that actually worked. It's estimated that over a hundred million cards were compromised, and hacker Albert Gonzalez was sentenced to 20 years in prison. Injection attacks similar to this affect many different types of databases. If you use an ORM, or object-relational mapping tool, for your database, you should be safe from attacks like this, but of course it's always a good idea to validate your input before it's sent to your database.

Another very easy way to create a big problem as a developer is to expose or leak a sensitive API key. You can think of a private API key as a username and password all bundled up into a single string, and it allows your servers to securely communicate with paid services like AWS, Google Cloud, and so on. A few years ago I accidentally leaked my AWS API key, and it was almost really bad. I was using the Node SDK for a service that required the API key. I hard-coded the API key directly in the source code instead of setting it as an environment variable. I then proceeded to push the source code to a public GitHub repo. A few weeks went by, and then all of a sudden I get a notification from AWS that I've maxed out my budget. When I logged into my AWS account, I had racked up charges around $5,000 for EC2 instances running all over the world. Luckily, Amazon was nice enough to refund those charges, but it definitely made me feel like an idiot. Nowadays automatic scanners can often detect if you have an exposed API key and email you a notification, but GitHub isn't the only place that you might leak an API key. When you include a private key in a client-side web or mobile app, a hacker might be able to find it directly in your source code. Now if you do end up with an exposed API key, you can fix the problem by simply rolling it to a new value and, of course, removing it from any public repos or source code. Many good APIs will help you minimize the damage by allowing you to assign privileges to a specific API key. This allows you to follow the principle of least privilege and only give API keys access to the resources that they actually need. That will mitigate the amount of damage that can be done if that key does end up being leaked.

If we look at a major cloud provider like AWS, we'll see that they offer hundreds of different services, and they might be used by a company with thousands of employees working on different projects. Sharing a single API key that has access to everything would be a very bad idea. Instead, the major cloud providers have a system called IAM which allows you to create groups or roles for your organization. Once you've created a role, you can attach a policy to that role to give it access to a service that it needs. Implementing fine-grained access control over your data is more important than ever. In 2016 an employee of Morrisons supermarkets in the UK stole the private data of over 100,000 employees. This rogue employee did it by simply copying the data onto a USB stick. Now this is obviously unethical and illegal on the employee's part, but the company itself is facing a huge lawsuit, and the penalties for data breaches are becoming larger with laws like GDPR in the EU. So the bottom line here is to always follow the principle of least privilege when it comes to accessing your customer or employee data.

And speaking of data, you might come across something called the CIA triad. It's a model for data security that stands for confidentiality, integrity, and availability. Generally speaking, you make data confidential by implementing user authentication so only authorized users can access the data. Integrity means the data can't be accidentally modified or deleted without the user's authorization. But I think the most interesting question is how do you make your data highly available? In 2018 GitHub survived the biggest DDoS attack, or distributed denial of service attack, in history. It took GitHub down for less than 10 minutes, but that's still a pretty big deal considering how many people around the world depend on GitHub at any given moment. A DDoS attack works by flooding a service with so much traffic that it just fails to scale and completely stops working. You can see in this chart how the inbound traffic suddenly spiked, but the servers treated these as legitimate requests and responded with a normal response. GitHub is big enough to handle attacks like this, but smaller sites might not be so lucky. In some cases DDoS attacks have been used to shut down a service and then request a ransom from the owner. So how do you protect yourself? Well, the simple answer is to be ready to scale, and that likely means using a big cloud provider. A service like Google Cloud Armor has the bandwidth to handle attacks like this, and it can also prevent many other attacks that we talked about earlier in the video.

But at the end of the day, nobody's application is 100% safe. There are likely hackers out there right now using zero-day exploits that we don't know about yet, and it's only a matter of time before the next major data breach is in the headlines. If this video helped you, please like and subscribe, and make sure to check out the enterprise security course if you really want to master these concepts. Thanks for watching, and I will talk to you soon.
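The two injection flaws the talk describes, SQL injection and stored cross-site scripting, shown in Node-style JavaScript as the unsafe pattern beside the safe one. This is an added example, not code from the video or from Fireship; the `{ text, values }` shape for the parameterized query and the sample inputs are assumptions, and no database or browser is contacted.

```javascript
// Added example (not from the video): SQL injection and stored XSS, each as
// the unsafe pattern beside the safe one. The { text, values } query shape
// follows parameterized-query clients (assumption); nothing is executed here.

// --- SQL injection ---------------------------------------------------------
// Unsafe: the user's string is spliced into the statement, so the database
// receives data and code mixed together and cannot tell them apart.
function buildUserQueryUnsafe(username) {
  return `SELECT * FROM users WHERE name = '${username}'`;
}

// Safe: the statement text is fixed; the value travels separately as a bound
// parameter and is only ever treated as a string, never parsed as SQL.
function buildUserQuerySafe(username) {
  return { text: "SELECT * FROM users WHERE name = $1", values: [username] };
}

// --- Cross-site scripting --------------------------------------------------
// Encode the characters that let text break out of an HTML text node or
// attribute, so a stored "<script>" tag is displayed as text, not executed.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Rendering a stored profile field. The unsafe path is what raw template
// concatenation (or React's dangerouslySetInnerHTML) does; the safe path
// escapes first, which is what React's normal JSX rendering does for you.
function renderAboutUnsafe(about) {
  return `<div class="about">${about}</div>`;
}
function renderAboutSafe(about) {
  return `<div class="about">${escapeHtml(about)}</div>`;
}

// Constructed sample inputs. A legitimate name containing an apostrophe is
// already enough to change the structure of the unsafe SQL (it becomes
// malformed), which is the same gap an attacker fills with their own SQL.
const SAMPLE_NAME = "O'Brien";
const SAMPLE_ABOUT = "hello <script>alert(1)</script>";

console.log(buildUserQueryUnsafe(SAMPLE_NAME)); // quote breaks the statement
console.log(buildUserQuerySafe(SAMPLE_NAME));   // value stays a parameter
console.log(renderAboutUnsafe(SAMPLE_ABOUT));   // script tag reaches the DOM
console.log(renderAboutSafe(SAMPLE_ABOUT));     // rendered as inert text
```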
Info
Channel: Fireship
Views: 280,893
Rating: 4.9524889 out of 5
Keywords: webdev, app development, security, top 7, hacking, web exploits, xss, sql injection, owasp, ddos, js, javascript, nodejs
Id: 4YOpILi9Oxs
Length: 8min 59sec (539 seconds)
Published: Mon Feb 17 2020