Paris Web is a French-European event gathering web developers motivated to do things right: quality, accessibility and standards. Last week the conference was held at the Place de la Bourse, in central Paris. The conference is known to be terrific, as people share their experience, their good practices and their enthusiasm. Every talk is an opportunity to learn something and meet smart people. Here is a first post, reporting the security conversations that took place in the Palais Brongniart.
First, know your enemy.
Stéphane Bortzmeyer @bortzmeyer educated the audience about the different attacks a website may suffer. He first reminded us that security on the web is a complex topic, as the dematerialized world generates attacks (and should provoke reactions) that are completely different from those of the physical world: no need to flex your muscles on the internet, nobody sees you. In addition, Stéphane highlighted that almost anyone says almost anything about web security, with recurring urban legends, magic stories, and over- or underestimation of security threats, and that this is part of the problem. Stéphane then walked through the well-known attacks on IT systems, with a special focus on Denial of Service (DoS), whose symptom is that your website can no longer serve the requests it receives. A DoS can rely on volume (so many requests at the same time that your site is overloaded) or on subtlety (a few crafted requests are enough to make your system lose its way and freeze).

How do you prepare, given that you cannot stop the world from talking to your website? Have traffic supervision tools in place, prepare a static copy of your site (useful for recovery), protect your DNS with DNSSEC, and rely on secure management of X.509 certificates (DANE, DNS-based Authentication of Named Entities, standardized at the IETF). Stéphane ended with a series of proven best practices: a) security is a process, not a product, and it has to be integrated into the design of your systems; b) each service or website has to define a threat analysis, making sure you know your enemy and the risks you are taking when going into the field; c) finally, security is also a matter of communication and coordination (make sure you know the phone number of your web host; this may be a competitive advantage when there is a fire).
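The "traffic supervision" advice above is easy to state and rarely shown. The following is an added example, not material from the talk or from the conference: a small monitor that reads Common Log Format access-log lines and flags a source address that exceeds a request threshold inside a sliding time window, which is the volumetric kind of DoS described above. The log lines, the addresses, the window length and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic). 203.0.113.7 fires six requests
# in two seconds; the other two sources behave normally. One line is garbage
# to show that unparseable input is skipped rather than crashing the monitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:10:00:00 +0200] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2013:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2013:10:00:00 +0200] "GET /search?q=a HTTP/1.1" 200 8120
203.0.113.7 - - [10/Oct/2013:10:00:01 +0200] "GET /search?q=b HTTP/1.1" 200 8120
this line is not an access log entry
203.0.113.7 - - [10/Oct/2013:10:00:01 +0200] "GET /search?q=c HTTP/1.1" 200 8120
192.0.2.44 - - [10/Oct/2013:10:00:02 +0200] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2013:10:00:02 +0200] "GET /search?q=d HTTP/1.1" 200 8120
203.0.113.7 - - [10/Oct/2013:10:00:02 +0200] "GET /search?q=e HTTP/1.1" 200 8120
198.51.100.9 - - [10/Oct/2013:10:00:05 +0200] "GET /contact.html HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2013:10:00:30 +0200] "POST /contact HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_floods(lines, window_seconds=10, threshold=5):
    """Flag sources sending more than `threshold` requests in any
    `window_seconds` sliding window. Lines are assumed chronological, as
    in a server log. Returns {ip: timestamp of the first offending request}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_floods(SAMPLE_LOG.splitlines()).items():
        print(f"flood from {ip} detected at {when.isoformat()}")
```

The threshold here is deliberately tiny so the constructed sample trips it; a real deployment would tune the window and threshold to the site's normal traffic, and would feed the monitor from the live log rather than a string. Note what this does not catch: the "subtle" attacks in the talk (a handful of requests that are expensive to serve) do not stand out in request counts at all, and need per-request cost or latency measurements instead.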
Second, think about security when designing APIs.
Eric Daspet @edasfr is an experienced developer serving the ebook business, integrating it into the systems and offerings of traditional cultural vendors. He gave his five best practices for designing an API, and one of them was about security. His recommendations were:
a) Do not use home-made security: it stinks. b) Always use SSL when handling a login/password. c) Never, ever disable the SSL certificate check while developing or integrating against your API: it will land in production (and you will get problems). d) Last but not least, API access based on a key may be an additional burden, but it is definitely useful for tracking problems and establishing liability when something unexpected happens.
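Points c) and d) are the two that tend to go wrong in code rather than in design, so here is an added example (mine, not Eric Daspet's and not from any API he described) showing both: the certificate-verification setting that "lands in production" beside a guard that refuses to disable it outside a development environment, and a per-client API key check that lets every request be attributed to a caller. The environment names, the client registry and the demo keys are all assumptions made up for the example.

```python
import hashlib
import hmac
import ssl

# Environments in which disabling certificate verification is tolerated at
# all. Anything else (staging, production, unset) gets strict verification,
# so a debugging flag cannot silently ride into production.
_DEV_ENVIRONMENTS = {"development", "local"}


def make_client_context(environment: str, allow_insecure: bool = False) -> ssl.SSLContext:
    """Build the TLS context an API client should use for outbound calls.

    The hardened path is ssl.create_default_context(): it loads the platform
    trust store, requires a server certificate (CERT_REQUIRED) and checks the
    hostname. The weak path (no hostname check, CERT_NONE) is only reachable
    when the flag is set *and* the environment is a development one.
    """
    if allow_insecure and environment not in _DEV_ENVIRONMENTS:
        raise RuntimeError(
            f"refusing to disable TLS verification in environment {environment!r}"
        )
    ctx = ssl.create_default_context()
    if allow_insecure:
        # This is the setting that leaks into production when left in a
        # config file: any certificate, for any name, is accepted.
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _key_fingerprint(api_key: str) -> str:
    # Keys are stored hashed, so a leaked registry does not leak usable keys.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed registry of issued keys (hypothetical clients and demo keys).
CLIENT_REGISTRY = {
    _key_fingerprint("demo-key-bookshop-001"): "bookshop",
    _key_fingerprint("demo-key-library-002"): "library",
}


def identify_caller(api_key: str, registry=CLIENT_REGISTRY):
    """Map a presented API key to the client it was issued to, or None.

    The digest comparison is constant-time, and the returned client id is
    what goes into the access log so each request is attributable later.
    """
    presented = _key_fingerprint(api_key)
    for stored, client_id in registry.items():
        if hmac.compare_digest(presented, stored):
            return client_id
    return None


if __name__ == "__main__":
    prod = make_client_context("production")
    print("production context verifies:", verification_enabled(prod))
    print("caller for demo key:", identify_caller("demo-key-bookshop-001"))
    try:
        make_client_context("production", allow_insecure=True)
    except RuntimeError as exc:
        print("guard tripped:", exc)
```

The point of `make_client_context` is that the insecure branch exists (developers will want it against a self-signed test server) but cannot be reached without naming a development environment explicitly, so a copied config that still says `allow_insecure = true` fails loudly at startup instead of quietly accepting any certificate. On the server side, `identify_caller` returns a client id rather than a boolean precisely so that the id can be written to the log line for every request, which is the tracking and liability benefit point d) describes.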
Third, balance user experience and security.
Olivier Potonniée @opoto from Gemalto, my employer, reviewed the different online authentication options. He walked through strong authentication (the combination of two factors among something you know, something you have and something you are). He gave examples such as One-Time Passwords, identity cards and fingerprints, and listed the different protocols for delegating authentication (BrowserID by Mozilla, OpenID, OAuth, OASIS SAML, OpenID Connect...). Olivier recommended that developers evaluate their real security needs and balance them against the usability of their service before choosing a technical solution. He also reminded the audience that privacy concerns should drive the decisions made when collecting and storing user-related data.
All presentations and videos will soon be available at http://www.paris-web.fr/ as well.
Stéphane Bortzmeyer's presentation [fr]: http://www.bortzmeyer.org/paris-web-securite.html
Eric Daspet's presentation [fr]: http://fr.slideshare.net/edaspet/bonnes-pratiques-api-paris-web-2013
Olivier Potonniée's presentation [en]: http://fr.slideshare.net/opoto/beyond-passwords-time-for-a-change