Application Security with Rabalder Media

2016-03-17

Blog

So, you’re interested in what security measures we take when building web applications? Good! At Rabalder Media, we take application security very seriously. We are constantly researching vulnerabilities and keeping up-to-date with exploit databases. Please beware that this post is going to dive deeper technically than my usual posts, but I’ll list the less technical ones first.

HTTPS-secured sites

Since December 3rd, 2015 - all applications hosted on our infrastructure gets a free SSL-certificate (TLS) installed on their domain automatically. In fact, we do not accept non-HTTPS applications onto our main server infrastructure, ever. If - for some reason - a customer doesn’t want a secure website, we would setup a special, completely isolated infrastructure for their website. The reasoning for this is to add an additional layer of security for the customers that do reside on our main server infrastructure, where all connections are encrypted and secured with strong ciphers and trusted certificates, even internal connections exchanged between our own private network.

HTTPS is crucial for modern day internet. Without it, anyone can listen in on what data a website and its visitors exchange. This is called a MITM (Man In The Middle) attack or network sniffing, and the scary part about it is that anyone can do it, even people that are less aware in the technical field. The easiest attack to perform is a local one, and often occurs on WiFi hotspots such as cafés or school network. If you and I were in the same café, connected to the same WiFi and you were browsing a non-HTTPS website, I could easily see everything you do on that website. I could see your username and password in plain-text when you log in. I could see your credit card infromation as you place an order. Literally anything you do! I could also perform a remote attack, but those are harder to perform as they require that a device on your local network is vulnerable to remote code execution or that your device is vulnerable to other attacks that allow me to sniff your network packets, but it’s definitely doable.

Our edge web servers only uses battle-tested TLS cipher suites, and using a tool like SSL Labs gives us an A+ rating of our certificates and cipher suites.

Password hashing

In the past, we’ve used bcrypt to create a one-way hash of passwords but just recently, a new and more secure hashing function named Argon2 was presented that gives a stronger resistance against GPU-based attacks. We’ve done massive amounts of research around this subject and have concluded that Argon2 is indeed the better choice.

Infrastructure

As mentioned before, all external as well as internal connections throughout our infrastructure is encrypted via TLS utilizing strong cipher suites and trusted certificates. The deal-breaking difference between Rabalder Media and any other agency our size is that we isolate each application from one another via Docker containers running zero-privilege users, giving our customers a virtualized, private hosting environment compared to what other agencies does is that they put each application in a shared hosting environment where there’s no isolation taking place. What’s bad about shared hosting environments is that only a single application has to be vulnerable for them all to become vulnerable. On our infrastructure, this is simply not the case as each project is securely isolated from each other.

When it comes to physical access to our servers, the datacenter they’re hosted in has multiple armed guards on-site 24/7 and if I were to visit the datacenter, one guard would be following me to make sure it is in fact our servers I’m managing and not someone elses’. Additionally, ID verification is required to even enter the facility.

Our main infrastructures’ IP-addresses are completely masked to the public. When you connect to any application hosted by us, you’re not actually connecting directly to our main infrastructure - you’re connecting to an edge proxy server that proxies your requests to our main infrastructure. The reason for that is to reduce the possibility for an attacker to be able to hit our main infrastructure with a DDoS-attack. The solution we use for our edge proxies have mitigated the largest DDoS-attack ever recorded in history on 400Gbps.

Application security

When it comes to application security we do our best to harden our applications, but the sheer amount of different kind of attacks one could perform on the application-layer makes it hard to prevent everything, but we do have systems in place that monitors applications 24/7 and alerts our engineers when they pick something up. Due to the nature of how we host applications with virtualized private environments and isolation, attacks performed on an application can only affect that application. We do prevent the majority of common attacks by default, such as XSS, SQL-injection and CSRF - among others.

The technologies that we use are a bit uncommon, which by default prevents many different kind of attacks. For example we don’t have HTTP API’s, we use an implementation based on WebSockets that’s serialized to the bones and only accepts valid JSON. Our back-end is written as microservices which means that if an application would be vulnerable, only a small part of that application would be affected and not the entire application. This is thanks to us isolating each microservice in a container, just like the rest of the application.

For large applications where pentesting is included in the budget, we hire specialized Penetration Testers that have a broad experience in the application security field. We do also compensate private Penetration Testers that do find exploits in our applications, as a token of gratitude.

Summarize

Hopefully this cleared up some of your questions and perhaps you learned a bit about securiting your own applications and infrastructure. Many of the things listed here are simply good practice, but I can’t stress enough just how many agencies and developers have zero knowledge about these kind of things and it’s a shame that many of them simply don’t care either…

If you have any questions, feel free to send me an email. You can find my contact details below.

Rabalder Media is changing

As you probably can see, being in the cutting-edge of the web allows us to do some crazy things most people think is impossible and Wordpress developers have no clue about those features even existing.

In the last year, we’ve been shifting our focus to a more healthy and fun part of the web development industry and we’ve modernized our company in many ways. Some examples being that we’ve completely dropped internal communication via email and uses a chat- & voice-based solution that helps us increase productivity and is also a lot more fun. We have a natural work environment that’s less stressful and where developers like me have a voice that’s heard and taken seriously. Everyone on our team plays a part in shaping the company and deciding what paths we should take.

We are aware that our project cases are lacking a bit, but you should definitely stay tuned to our website because we have multiple, really cool projects that’s still in production that we’re going to release pretty soon which shows the best part about Rabalder Media and the possibilities you’ll have working with us in terms of features, design and user experience!