Security Best Practices For DNN Websites
Mitchel Sellers
Who am I?
- Microsoft MVP, ASPInsider, DNN MVP
- Microsoft Certified Professional
- CEO, IowaComputerGurus, Inc.
Contact Information
- msellers@iowacomputergurus.com
- Twitter: @MitchelSellers, @iowacompgurus
All Links and Resources
Don't worry! We've provided a complete list of clickable links to all the free resources mentioned in this presentation, including a copy of this slide deck, and we'll make it available to you at the end of the presentation.
Agenda
- Welcome
- SSL Adoption
- User Impacts?
- SSL Types
- SSL Is Not Enough
- Protecting Your Application & Server
- Don't Get Caught
- Legal Considerations
- OWASP Top Ten
- 3rd-Party Apps, Services, & Modules
- Security Resources
Welcome to the Privacy & Security Age
From GDPR to social media, from bots to hacks, and from ransomware to network attacks: data protection and website security ARE the next big thing.
Secure Sockets Layer (SSL): an Overview
SSL encryption: https:// (modern deployments actually use TLS, the successor protocol, but the name "SSL" has stuck)
SSL Adoption
- Recognizing that vast numbers of websites were not using SSL/TLS, the Internet Security Research Group (ISRG) adopted a mission to reduce the financial, technological, and educational barriers to secure communication over the internet. Its first major initiative is Let's Encrypt: a free, automated, and open certificate authority (CA).
- Google has treated HTTPS as a search ranking signal since 2014, and beginning with Chrome 56 (January 2017) the browser marks HTTP pages that collect passwords or payment card data as "Not secure". This has put additional pressure on website owners to implement SSL/TLS.
- After finding that Symantec's certificate authority had issued certificates that did not meet the required validation standards, Google announced that Chrome would stop trusting Symantec-issued certificates in stages, forcing affected sites to replace them.
User Impact of Doing Nothing
- Messaging: browsers now label the site as "Not secure"
- Trust: visitors see the warning before they see your content
Types of SSL Certificates
- Domain Validation (DV): validates a single domain; simplest and fully automated. The CA verifies only that the requester controls the domain (for example by answering an HTTP or DNS challenge), not who the requester is.
- Organization Validation (OV): validates the domain, but also validates the corporate entity that controls it.
- Extended Validation (EV): similar to OV but validated by human processes, with the organization's identity recorded in the certificate (browsers formerly gave EV an enhanced visual display, which most have since removed).
- Wildcard: a certificate for *.example.com that covers any first-level sub-domain; available as DV or OV, not as EV.
Installing SSL Is Not Enough
- Hard-coded http:// links from external sites may no longer work properly, harming site traffic and SEO; keep the old URLs answering with a permanent (301) redirect to the https:// equivalent.
- Site visitors may see mixed-content warnings when a secure page loads scripts, images, or frames over http://; every asset reference has to move to https://.
- Users on more restrictive corporate networks may be unable to reach the site because of firewall or TLS-inspection rules.
- SEO value built up in the search index may be damaged or lost unless redirects and canonical URLs point search engines at the new https:// addresses.
- If your home page indicates SSL security but not all pages or page elements are secured, the mismatch can create corporate liability.
SSL Delivers
- Encryption of data in transit between the browser and the server, mitigating third-party interception and tampering on the network path.
- Consumer awareness is growing: the value of privacy and security is being recognized.
- Due to actions by Google, ISRG, and others, SSL/TLS has become both a security AND a marketing imperative.
- Time to protect your end point (application & server): TLS says nothing about what the server does with the data once it arrives.
Protecting Your Application & Server
Known High-Risk Vectors and What You Can Do
Don't Get Caught With Your Guard Down
Legal Considerations
Compliance
- HIPAA: medical information
- PCI-DSS: credit card/payment information
- GDPR: EU data protection
- FFIEC: financial institutions
Business Risks
- Recovery costs
- Civil liability
Best Practices
- Mitigate civil risk
- Reputation management
OWASP Top Ten Threats
Open Web Application Security Project (OWASP)
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
OWASP Top 10 (2017):
1) Injection (SQL, OS command, LDAP, etc.)
2) Broken Authentication
3) Sensitive Data Exposure
4) XML External Entities (XXE)
5) Broken Access Control
6) Security Misconfiguration
7) Cross-Site Scripting (XSS)
8) Insecure Deserialization
9) Using Components with Known Vulnerabilities
10) Insufficient Logging & Monitoring
OWASP Top 10 - #2 Broken Authentication
Common Issues
- Permits automated (brute-force / credential-stuffing) login attacks
- Allows default or unchanged user passwords
- Uses weak or insecure recovery processes (knowledge-based "security questions" are considered weak)
- Stores passwords in plain text, reversibly encrypted, or with a weak hash
- Exposes the session ID in the URL
Prevention
- Consider multi-factor authentication
- Don't ship or keep defaults
- Check new passwords against lists of common and breached passwords
- Enforce the same password requirements on every path (registration, change, reset)
- Login, lockout, and failure messages should be identical, so the response does not reveal which user names exist
- Limit brute-force logins, and notify admins when an attack is suspected
OWASP Top 10 - #2 (DNN Specific)
Default DNN covers some, but not all, aspects.
Older Installations
- Validate password formats: confirm the membership provider stores passwords hashed rather than reversibly encrypted (older installs may still use the encrypted format)
- Validate and update the password recovery process
New Installations
- Multi-factor authentication is not supported out of the box
- Lockout notifications (turn them on, or retain the log entries longer term)
- Complexity requirements
- No check against a known/common password list
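The following is an added example, written for this page and not DNN's own code, showing how the mitigations on the two slides above fit together: a common-password check, one identical failure message for unknown user, wrong password and locked account, lockout after repeated failures per account and per source address, and an admin notification when a lockout fires. The class names, the 5-failure / 15-minute thresholds and the tiny password deny-list are assumptions chosen for the example; the two callbacks are where you would plug in the membership provider and your mail or event-log code.

```csharp
// Added example, not DNN's own code. Names, thresholds and the deny-list are
// assumptions for illustration; wire the callbacks to your real provider.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

public static class PasswordPolicy
{
    // Constructed stand-in for a real list of breached/common passwords.
    static readonly HashSet<string> CommonPasswords = new HashSet<string>(
        new[] { "password", "password1", "123456", "qwerty", "letmein", "welcome1", "admin123" },
        StringComparer.OrdinalIgnoreCase);

    // Returns null when the password is acceptable, otherwise the reason.
    public static string Validate(string candidate, string userName)
    {
        if (string.IsNullOrEmpty(candidate) || candidate.Length < 12)
            return "Password must be at least 12 characters.";
        if (CommonPasswords.Contains(candidate))
            return "Password is on the common-password list.";
        if (!string.IsNullOrEmpty(userName) &&
            candidate.IndexOf(userName, StringComparison.OrdinalIgnoreCase) >= 0)
            return "Password must not contain the user name.";
        return null;
    }
}

public sealed class LoginGuard
{
    const int MaxFailures = 5;                              // assumption
    static readonly TimeSpan Lockout = TimeSpan.FromMinutes(15); // assumption

    // One message for unknown user, wrong password and locked account, so the
    // response never tells the caller which of the three happened.
    public const string FailureMessage = "The user name or password is incorrect.";

    sealed class State { public int Failures; public DateTime LockedUntilUtc; }

    readonly ConcurrentDictionary<string, State> _states = new ConcurrentDictionary<string, State>();
    readonly Func<string, string, bool> _verify;   // e.g. Membership.ValidateUser
    readonly Action<string> _notifyAdmin;          // e.g. send mail / write event log
    readonly Func<DateTime> _utcNow;               // injectable clock for tests

    public LoginGuard(Func<string, string, bool> verify, Action<string> notifyAdmin, Func<DateTime> utcNow = null)
    {
        _verify = verify;
        _notifyAdmin = notifyAdmin;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    public bool TryLogin(string userName, string password, string clientIp, out string message)
    {
        // Throttle per account AND per source address: one IP cannot spray many
        // accounts, and one account cannot be hammered from many IPs.
        var now = _utcNow();
        var account = _states.GetOrAdd("u:" + userName.ToLowerInvariant(), _ => new State());
        var source = _states.GetOrAdd("ip:" + clientIp, _ => new State());

        if (IsLocked(account, now) || IsLocked(source, now))
        {
            message = FailureMessage;   // same text as a bad password
            return false;               // provider is not even consulted
        }

        if (_verify(userName, password))
        {
            lock (account) account.Failures = 0;
            message = "OK";
            return true;
        }

        RecordFailure(account, now, "account " + userName);
        RecordFailure(source, now, "address " + clientIp);
        message = FailureMessage;
        return false;
    }

    static bool IsLocked(State s, DateTime now)
    {
        lock (s) return s.LockedUntilUtc > now;
    }

    void RecordFailure(State s, DateTime now, string subject)
    {
        bool justLocked;
        lock (s)
        {
            s.Failures++;
            justLocked = s.Failures >= MaxFailures;
            if (justLocked)
            {
                s.LockedUntilUtc = now + Lockout;
                s.Failures = 0;
            }
        }
        // Notify outside the lock: the "notify admins when suspected" step.
        if (justLocked)
            _notifyAdmin($"Lockout: {subject} after {MaxFailures} failed logins, until {now + Lockout:u}");
    }
}
```

Note that the per-address counter can lock out everyone behind a shared corporate NAT, so in practice the IP threshold is set higher than the account threshold, or replaced by a CAPTCHA step. DNN's ASP.NET membership provider already exposes `maxInvalidPasswordAttempts` and `passwordAttemptWindow` in web.config for the per-account part; what it does not give you is the notification or the common-password check, which is why they are shown here.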
OWASP Top 10 - #5 Broken Access Control
Risks
- Closely related to #1: user-controlled identifiers reach the data layer without an ownership check
- Situations where the URL or querystring can be modified to reach another user's or another module's data (insecure direct object reference)
- Missing authorization on secondary methods, on the assumption that a user who cannot see the page by default cannot call the method directly
- CORS misconfiguration that allows arbitrary origins (other clients) to call the API
Prevention
- Enforce the access check server-side on every method, not just the entry page
- Log misuse, and notify if it becomes excessive
- Rate limit APIs
- Invalidate session tokens at logout
OWASP Top 10 - #6 Security Misconfiguration
Risks
- Forgetting to remove defaults (e.g., sample project, module, file)
- Unnecessary features/ports (FTP, utility modules, etc.)
- Patching not followed
Prevention
- Documented and repeatable hardening process (install/config)
- Minimize the platform: use the custom install options and install only what you need
- Automated validation of configuration (trust, but verify)
OWASP Top 10 - #9 Using Components with Known Vulnerabilities
- Not patching DNN in response to DNN Security Center bulletins
- Not patching third-party modules with known issues
- Not patching Windows
- Using older FTP software/protocols (plain FTP sends credentials and files in clear text)
- Etc.
OWASP Top 10 - #10 Insufficient Logging & Monitoring
- Logging is great, but what do you do with it?
- Monitoring/alerting is often overlooked until it is a problem
- Activity logging should be detailed and repeatable for high-risk transactions (delete, permission changes, etc.): who, what, when, and from where
- Establish a response protocol before an incident, not during one
DNN Specific Examples
Known vs. User-Supplied Values
- Known (resolved by the framework for the current request): UserId, PortalId, ModuleId
- User-supplied (untrusted): querystring parameters, such as an ItemId
- Store/update data based on the combination of both
- Delete: require both the ItemId and the ModuleId in the SQL WHERE clause, preventing deletion of arbitrary items
- Edit: require ModuleId and ItemId when retrieving, to validate that the item belongs to that module
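The following is an added example, written for this page rather than taken from DNN or the presenter's code, that applies the known vs. user-supplied rule on the slide above and, for the #10 slide, logs the high-risk delete so that a probe of foreign ItemIds is visible. ItemId arrives on the querystring and is untrusted; ModuleId and UserId come from the module context the framework resolved for the request (in a DNN module control these are the ModuleId and UserId properties inherited from PortalModuleBase). The ModuleItems table, its columns, and the audit callback are assumptions made for the example.

```csharp
// Added example, not DNN's code. Table/column names and the audit callback
// are assumptions; the point is which values may appear in the WHERE clause.
using System;
using System.Data;
using System.Data.SqlClient;

public sealed class ItemRepository
{
    readonly string _connectionString;
    readonly Action<string> _audit;   // stand-in for the DNN event log / SIEM feed

    public ItemRepository(string connectionString, Action<string> audit)
    {
        _connectionString = connectionString;
        _audit = audit;
    }

    // Parse the querystring value strictly. Parameters stop SQL injection, but
    // nothing about a well-formed integer proves the caller may touch that row.
    public static bool TryParseItemId(string queryValue, out int itemId)
    {
        return int.TryParse(queryValue, out itemId) && itemId > 0;
    }

    // VULNERABLE: keys on the user-supplied ItemId alone. Any editor on any
    // module, in any portal, can delete any row by changing the number in the URL.
    public int DeleteItemInsecure(int itemId)
    {
        using (var cn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("DELETE FROM ModuleItems WHERE ItemId = @ItemId", cn))
        {
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
            cn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // HARDENED: the row must also belong to the module this request was made
    // against. A forged ItemId from another module matches zero rows.
    public bool DeleteItem(int itemId, int moduleId, int userId)
    {
        int rows;
        using (var cn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "DELETE FROM ModuleItems WHERE ItemId = @ItemId AND ModuleId = @ModuleId", cn))
        {
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
            cmd.Parameters.Add("@ModuleId", SqlDbType.Int).Value = moduleId;
            cn.Open();
            rows = cmd.ExecuteNonQuery();
        }

        // Always record who deleted what, and flag the zero-row case: that is
        // exactly what an attacker walking ItemIds looks like in the log.
        _audit(rows == 1
            ? $"DELETE ItemId={itemId} ModuleId={moduleId} UserId={userId}"
            : $"DELETE REFUSED ItemId={itemId} ModuleId={moduleId} UserId={userId} (item not in this module)");
        return rows == 1;
    }

    // Edit path: load with both keys so a foreign ItemId yields null instead
    // of populating the edit form with someone else's data.
    public string GetTitleForEdit(int itemId, int moduleId)
    {
        using (var cn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Title FROM ModuleItems WHERE ItemId = @ItemId AND ModuleId = @ModuleId", cn))
        {
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
            cmd.Parameters.Add("@ModuleId", SqlDbType.Int).Value = moduleId;
            cn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

In the module's delete handler the calling pattern is: `TryParseItemId(Request.QueryString["ItemId"], out itemId)`, then `DeleteItem(itemId, ModuleId, UserId)` with the last two taken from the module context, never from the request. The same rule applies one level up for portal-scoped data: include PortalId in the WHERE clause so a ModuleId belonging to another portal cannot be substituted either.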
Third-Party Apps, Services, & Modules
- Do they follow these practices?
- Just because you can't see it doesn't mean it isn't there
- Review and patching notifications: who tells you when a fix ships, and how quickly do you apply it?
- Are they GDPR compliant?
Your Website Is Only As Safe As Its Least Secure Part
SSL and Security Resources
iowacomputergurus.com/security
- SSL Implementation and Website Security Best Practices (white paper)
- Free SSL: Community Supported Let's Encrypt (blog post)
- Webserver Hardening Best Practices (white paper)
- Vulnerability and Exploit Response Best Practices (white paper)
GDPR Resources
- Navigating the GDPR (blog post summary)
- Microsoft General GDPR Recommendations
- GDPR and DNN: What You Need to Do Now (blog post)
- OWASP Top 10 Threats 2017
About ICG
Who We Are
- Founded in 2006, Ankeny, Iowa
- Custom solutions provider
- Customer-service oriented
- Microsoft Silver Certified
- BBB A+ rated and Accredited
What We Do
- Internet websites
- Intranets & portals
- Platform development
- Mobile & responsive
- Deployment, hosting & cloud
- Performance & scalability
- Security and accessibility compliance
- Applications & architectures
- Superior support
About ICG
Our Team
- Mitchel Sellers, CEO: 9-time Microsoft MVP, ASP Insider, DNN MVP, published technology author
- Dedicated team of ten+ full-time & contract professionals
- Consistent communication
- Peer review/quality assurance