10 best practices to protect your users' data
According to CNews, the amount of user data stolen by cybercriminals has quadrupled over the past year. Online businesses have to keep customer data secure and collect it transparently and confidentially. Here are the best practices for protecting personal data.
Depending on the specifics of the online business, the personal data requested may vary. In some cases, a client's name and email are enough. Other companies need an ID card, address, registration, phone number, etc.
In 2021, users are reluctant to share personal data. No wonder: user data has become a target for fraudsters.
Your task as a business owner is to ensure the maximum protection of your consumers' data.
In this article, we give 10 practical tips for protecting users' data. Combine several of them to achieve a high level of security.
Use security analysis tools
Use specialized automated services that analyze web applications and websites for vulnerabilities. Such services run attack simulations, for example SQL injection tests.
We have compiled a list of free security analysis tools.
Applications and frameworks
OpenVAS scans hosts for vulnerabilities and allows you to manage exposures.
The OWASP Xenotix XSS Exploit Framework scans a resource for exploitable XSS vulnerabilities.
Approof from Positive Technologies checks a web application's configuration and scans for vulnerable components, insecurely handled sensitive data, and malicious code.
SecurityHeaders.io checks for the presence and correctness of the server response headers responsible for the security of the web application.
Observatory by Mozilla scans a resource for security issues. Optionally, it also collects results from third-party security analysis services and adds them to the report.
One button scan scans a resource's components for vulnerabilities: DNS, HTTP headers, SSL, sensitive data, and the services in use.
The CSP Evaluator verifies that a Content Security Policy (CSP) is well formed and resilient to XSS.
SSL Server Test analyzes the SSL configuration of a web server.
ASafaWeb checks for common vulnerabilities in the configuration of sites written in ASP.NET.
Automated test results can be confusing because they list all kinds of potential threats. But an explanation is attached to every problem identified. Analyze and correct the critical findings first.
After you have made the recommended security changes to your application, rescan it to make sure the fixes were effective.
If automated checks are not enough, test your resource manually by changing the values of POST and GET requests. A debugging proxy (such as Fiddler) helps here, as it intercepts the HTTP requests between the browser and the server. Pay special attention to forms: try to bypass their validation and inject XSS payloads.
If your site has pages that are only accessible after authentication, try impersonating a different user. To do this, change the URL parameters (for example, the user ID) or cookie values.
Protect user data with HTTPS
HyperText Transfer Protocol Secure (HTTPS) is an extension of HTTP that encrypts traffic and protects user data in transit over the Internet. HTTPS provides integrity and confidentiality for communication with the server. In 2021, using HTTPS is effectively mandatory.
Use HTTPS whenever users send personal data to the server: credit card information, personal details, and even the addresses of the pages they visit. If the authorization form sets cookies that are then sent with every request to the server, an attacker who can read the traffic can obtain them, forge a request, and take over the user's session. To prevent this, use HTTPS on all pages of your site.
It's simple: an SSL certificate can be obtained for free (for example, from Let's Encrypt), and for most platforms there are tools that obtain and install the certificate automatically. All that remains is to enable HTTPS support on the server.
Google has announced plans to give sites using secure connections an advantage in search results.
If HTTPS is already configured, it is good practice to add HTTP Strict Transport Security (HSTS), a server response header that tells browsers never to connect to the domain over an unsecured connection.
Prevent SQL Injection
SQL injection executes an arbitrary query against the application database through a form field or URL parameter. If you build queries from strings in standard Transact-SQL, malicious code can be inserted into the query text, and table data can then be read, changed, or deleted. To prevent this, use parameterized queries, which are supported by most web programming languages.
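As an added example (not from the original article), the vulnerable string-building pattern and its parameterized fix side by side, in Python with SQLite; the user table and the textbook `' OR '1'='1` input are constructed for the demonstration:

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    # The input is pasted into the SQL text, so a quote character in it
    # changes the structure of the query instead of being compared as data.
    query = f"SELECT login, email FROM users WHERE login = '{login}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, login: str) -> list:
    # Parameterized query: the value is sent separately from the SQL text,
    # so whatever it contains is always treated as a literal string.
    return conn.execute("SELECT login, email FROM users WHERE login = ?",
                        (login,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # classic injection input, for the demo only
    print("vulnerable:", find_user_vulnerable(db, tautology))  # leaks every row
    print("safe:      ", find_user_safe(db, tautology))        # no such login
```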
Prevent cross-site scripting
Cross-site scripting (XSS) is a type of attack on web resources in which malicious script is injected into a web page; the script runs in the user's browser, modifies the page, and sends the stolen information to the attacker.
Modern web applications are especially susceptible to this type of attack, because pages are built from user-generated content interpreted by front-end frameworks like Angular and Ember. These frameworks have built-in cross-site scripting protection, but mixing server-side and client-side rendering opens the door to new, more complex attacks, such as injecting Angular directives or their Ember equivalents.
When validating, focus on user-generated content so that the browser cannot misinterpret it. The approach is similar to SQL injection protection. When generating HTML dynamically, use the dedicated functions for setting attribute values and text (for example, element.setAttribute and element.textContent) and templating engines that automatically escape special characters.
Content Security Policy (CSP) is another tool for protecting against XSS attacks. CSP is a set of server response headers that define an allowlist of sources from which each type of resource may be loaded. For example, a policy can block scripts from a third-party domain or disable the eval() function. With a strict CSP, injected code cannot execute even if it makes it into the page. The official Mozilla website hosts a CSP manual with configuration examples.
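An added example, not part of the original article, that checks a response for the header-level controls discussed in this section and the HTTPS section above (HSTS, cookie flags, and the CSP script-src allowlist), roughly as SecurityHeaders.io and the CSP Evaluator do. The sample headers are constructed, and a single Set-Cookie header is assumed for simplicity:

```python
from typing import Dict, List
# Constructed sample response: HTTPS is on, but HSTS is short-lived, the CSP
# allows inline scripts and any host, and the session cookie lacks Secure.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
}
ONE_YEAR = 31536000  # commonly recommended minimum HSTS max-age, in seconds

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age = 0
        for token in hsts.split(";"):
            key, _, value = token.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}s)")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script_src = directives.get("script-src", directives.get("default-src", []))
        for flag in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if flag in script_src:
                findings.append(f"CSP script-src allows {flag}")
    cookie = headers.get("Set-Cookie", "")
    attrs = {a.strip().partition("=")[0].lower() for a in cookie.split(";")[1:]}
    for flag in ("secure", "httponly"):
        if cookie and flag not in attrs:
            findings.append(f"Set-Cookie lacks {flag} flag")
    return findings
```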
Check and encrypt passwords
Store passwords as hashes computed with a one-way function (such as the SHA family). To authorize a user, compare the hash of the supplied password with the stored one. Suppose an attacker breaks into the resource and obtains the hashed passwords. The damage is then limited, because the hash is irreversible and recovering the original password from it is practically impossible. But the hashes of popular passwords are easily looked up in a dictionary, so also use a "salt" that is unique for each password. Cracking a large number of passwords then becomes far slower and more computationally expensive.
As for validation, set a minimum password length and check that the password does not match the login, e-mail, or site address.
Fortunately, most CMSs provide security policy management tools, but sometimes additional configuration or a module is required to enable salting or set a minimum password complexity. When using .NET, it is worth using membership providers: they have built-in security with many settings and ready-made components for authentication and password changes.
Check incoming data
Control the data received from web forms on both the client side and the server side. The browser checks for simple errors like an empty required field or text entered in a numeric field. These checks can be bypassed, so server-side validation is also needed. Without it, an attacker can carry out injection and other types of attacks.
Everyone knows to use complex passwords, but that doesn't mean people always do. It is critical to use complex passwords for your server and administration panel, but it is equally important to require your users to use complex passwords for their accounts.
While users hate it, enforcing password requirements such as a minimum length of at least eight characters and the inclusion of uppercase characters or numbers will ultimately help them keep their information safe.
Passwords should never be stored in plain text; store them in protected form, ideally as the output of a one-way hashing algorithm.
The MD2, MD5 and SHA-1 hash functions have known weaknesses. If they are used to protect valuable information such as passwords, its confidentiality may be compromised. Use secure hash functions (the SHA-2 family).
The hash function used to store passwords should not only be strong, it should also be deliberately slow, which makes exhaustive search attacks more expensive. Specialized functions such as PBKDF2, bcrypt and scrypt were designed for this.
When authenticating users with this method, you simply compare the stored hash with the hash of the submitted password.
If the stored user data is stolen, the attacker still has to recover the passwords from the hashes. The best they can do is a dictionary attack or a brute-force attack, that is, trying candidate passwords until a hash matches.
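An added example (not from the original article) that implements the password rules from the two sections above: the length, character and login/e-mail/site-address checks, and storage as a salted, deliberately slow PBKDF2 hash compared in constant time at login. ITERATIONS and SITE_ADDRESS are constructed placeholders:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000           # constructed value; tune to your own hardware
SITE_ADDRESS = "example.com"   # placeholder for your site's domain

def validate_password(password: str, login: str, email: str) -> list:
    """Return the policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs an uppercase letter and a digit")
    lowered = password.lower()
    # Reject passwords that contain the login, the e-mail's local part, or the site.
    checks = (("login", login), ("e-mail", email.split("@")[0]), ("site address", SITE_ADDRESS))
    for label, value in checks:
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    return problems

def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte random salt and a slow key derivation function.
    The returned string carries algorithm, iterations, salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```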
Our other recommendation relates to user account data.
First, minimize how often your application prompts for user credentials. This makes phishing attacks more conspicuous and less likely to succeed. Instead, use an authorization token (and remember to refresh it).
Secondly, the username and password should not be stored on the device whenever possible. We recommend completing the login process once with a username and password and then using an authorization token.
If you need to let users store their credentials to automate future sign-ins, use a Credential object containing the user's registration information.
Typically, third-party vendors use an API key as a convenient mechanism for authenticating the caller, granting access, and charging for their data.
Also, do not store keys in shared preferences or folders, as an attacker can quickly unpack and decompile your APK file and extract the key. Use the NDK or a private/public API key exchange to protect the key.
Creating a site backup is a mandatory step in administering any resource: it prevents data loss and lets you restore the site if an attack succeeds. A backup also helps when important files are deleted accidentally, or when a program error, an administrator's mistake, or a server crash damages the site's integrity.
Ideally, you should back up the site weekly. For reliability, always download the copy to a local computer or save it to an external medium (a flash drive, hard drive, etc.).
The collection and storage of user data are inevitable for websites and applications. Therefore, it is essential to ensure the security of the application or site.
It is worth thinking about security and confidentiality from the development stage onward and improving the system throughout the entire lifetime of the web resource. User data must be kept hidden from outsiders and encrypted.
We recommend that you be honest and open with your users. Explain to consumers what data you ask for and why.
If you want to create a secure website or mobile application, you can leave a request on the website, and Sannacode specialists will offer you the best solution. We are also the developer of major government projects, serving thousands, even millions of real people whose personal information is now in a safe place. This speaks louder than any advertisement. Check it out for yourself.