Security
Known attack vectors
HTTP Headers
HTTP headers play a crucial role in ensuring the security of a web application. They are used to pass additional information between the client (usually a web browser) and the server.
- Controlling browser behavior: certain security-related headers instruct the browser on how to handle a site's content. For example, the Content-Security-Policy (CSP) header restricts where scripts, styles and other resources may be loaded from, which blocks most cross-site scripting (XSS) payloads even when an injection bug exists in the application.
- Preventing clickjacking: X-Frame-Options (and the newer CSP frame-ancestors directive) ensures that the content of a website cannot be embedded into other sites via frame, iframe, embed or object. This prevents clickjacking attacks, where a user is tricked into clicking something different from what they perceive.
- Mitigating cross-site scripting and injection attacks: X-XSS-Protection was historically used to enable the browser's built-in XSS filter. That filter has since been removed from Chrome and Edge and was never implemented in Firefox, and the filter itself could be abused to leak information across sites, so the current recommendation is to send X-XSS-Protection: 0 (or omit the header) and rely on CSP for XSS mitigation instead.
- Ensuring secure data transmission: the Strict-Transport-Security (HSTS) header tells the browser to contact the server only over HTTPS for the stated max-age, removing the insecure first request over plain HTTP that a man-in-the-middle could hijack.
- Preventing cross-site request forgery (CSRF): the SameSite attribute, set on cookies through the Set-Cookie header, controls whether a cookie is sent along with cross-site requests and so blunts CSRF, where a malicious website makes the browser send authenticated requests to a site that trusts that browser. SameSite is a cookie attribute rather than a standalone header, and it complements rather than replaces CSRF tokens.
- Information leakage prevention: removing or minimising headers like Server and X-Powered-By avoids exposing the software and versions running on the server, which attackers use to pick known vulnerabilities that apply to that exact version.
To inspect our HTTP headers, you can use a tool like this one.
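The checks above can also be run as code against a captured response. The following is an added example written for this page, not 21RISK's code and not the code of the inspection tool linked above: a Node.js function that audits a response's headers for the controls discussed (CSP, framing, HSTS, cookie attributes, version leakage, and the deprecated X-XSS-Protection header). The header object uses the lowercase-key shape of Node's http.IncomingMessage.headers, the one-year HSTS threshold is a common recommendation rather than a requirement, and both sample responses are constructed for illustration.

```javascript
// Added example, not 21RISK's code. Audits a response header map and returns a
// list of findings; an empty list means every control discussed above is present.
const ONE_YEAR_SECONDS = 31536000; // assumed minimum for HSTS max-age

// Return the source list of one CSP directive, or null when it is absent.
function directive(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function auditHeaders(headers) {
  // Normalise keys; Node already lowercases them, other sources may not.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // CSP: must exist, and script sources must not reopen the XSS door.
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const scripts = directive(csp, 'script-src') || directive(csp, 'default-src') || [];
    if (scripts.some((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
      findings.push("CSP script-src allows 'unsafe-inline' or 'unsafe-eval'");
    }
  }

  // Clickjacking: either X-Frame-Options or CSP frame-ancestors must restrict embedding.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const frameAncestors = csp ? directive(csp, 'frame-ancestors') : null;
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !frameAncestors) {
    findings.push('clickjacking: no X-Frame-Options and no CSP frame-ancestors');
  }

  // HSTS: present, with a max-age long enough to outlive occasional visits.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!maxAge) findings.push('Strict-Transport-Security missing');
  else if (Number(maxAge[1]) < ONE_YEAR_SECONDS) findings.push(`HSTS max-age ${maxAge[1]} is below one year`);

  // Cookies: SameSite (CSRF), Secure (transport), HttpOnly (keeps XSS from reading them).
  const cookies = [].concat(h['set-cookie'] || []);
  for (const cookie of cookies) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`cookie ${name} has no SameSite attribute`);
    if (!attrs.includes('secure')) findings.push(`cookie ${name} is not Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name} is not HttpOnly`);
  }

  // Version leakage: a Server value with a version number, or any X-Powered-By.
  if (h.server && /\d/.test(h.server)) findings.push(`Server header reveals a version: "${h.server}"`);
  if (h['x-powered-by']) findings.push(`X-Powered-By reveals "${h['x-powered-by']}"`);

  // The old XSS filter is gone from modern browsers; anything other than "0" is legacy.
  const xss = h['x-xss-protection'];
  if (xss && xss.trim() !== '0') findings.push('X-XSS-Protection is deprecated; send 0 or remove it');

  return findings;
}

// Constructed sample responses (not captured from any real site).
const weakResponse = {
  server: 'nginx/1.18.0',
  'x-powered-by': 'Express',
  'x-xss-protection': '1; mode=block',
  'strict-transport-security': 'max-age=86400',
  'set-cookie': ['session=abc123; Path=/'],
};

const hardenedResponse = {
  'content-security-policy': "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
```

Run it against the object Node hands you in a request handler (res.getHeaders() on your own responses, or the headers of a fetch to the deployed site) and fail a smoke test when the list is non-empty; the weak sample above produces nine findings and the hardened one none.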
Denial of service (DoS)
A denial of service is very harmful when it happens. It can be triggered when:
- a user submits input that makes a server-side regular expression backtrack catastrophically (ReDoS), tying up the process for seconds or longer
- a client sends deeply nested or otherwise expensive GraphQL queries
- users trigger blocking code on our servers by some other means
To protect against this we first and foremost validate input (length limits, regex patterns without nested quantifiers, limits on query depth and cost), and on top of that we benefit from the built-in protections we get from running on Vercel.
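The first two triggers both have a cheap input-validation guard. What follows is an added example written for this page, not 21RISK's code: a length-capped validator built on a regex that cannot backtrack exponentially, and a pre-parse depth limiter for GraphQL documents. The limits MAX_INPUT_LENGTH and MAX_QUERY_DEPTH are illustrative assumptions, and the sample queries are constructed.

```javascript
// Added example, not 21RISK's code: input guards for the two DoS triggers above.

// --- 1. Regular-expression DoS (ReDoS) ---------------------------------------
// A pattern with nested quantifiers such as /^(\w+\s?)*$/ backtracks exponentially
// on input like "aaaaaaaaaaaaaaaaaaaaaaaaaaaa!": the engine can split the run of
// "a"s between the inner and outer quantifier in 2^n ways before giving up.
// Defence: cap input length before the regex runs, and write patterns in which
// each input character can be consumed in only one way.
const MAX_INPUT_LENGTH = 256; // assumed limit

// Words separated by single spaces. No nested quantifiers, and the separator (a
// space) cannot match \w, so there is exactly one way to consume each character
// and matching time grows linearly with input length.
const SAFE_WORDS = /^\w+(?: \w+)*$/;

function isValidWords(input) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_INPUT_LENGTH) return false; // reject before touching the regex
  return SAFE_WORDS.test(input);
}

// --- 2. Nested GraphQL queries ------------------------------------------------
// Count the nesting depth of selection sets by tracking '{' and '}' outside of
// string literals and # comments. This is a cheap guard that rejects pathological
// documents before the GraphQL engine allocates anything for them; the engine's
// own validation still runs on everything that passes.
const MAX_QUERY_DEPTH = 6; // assumed limit

function selectionDepth(query) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  let inComment = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inComment) {
      if (ch === '\n') inComment = false;
      continue;
    }
    if (inString) {
      if (ch === '\\') i++; // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '#') inComment = true;
    else if (ch === '"') inString = true;
    else if (ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {
      depth--;
      if (depth < 0) throw new Error('unbalanced selection set');
    }
  }
  if (depth !== 0) throw new Error('unbalanced selection set');
  return maxDepth;
}

function isQueryDepthAllowed(query) {
  try {
    return selectionDepth(query) <= MAX_QUERY_DEPTH;
  } catch (e) {
    return false; // malformed documents are rejected as well
  }
}

// Constructed sample queries.
const shallowQuery = '{ user(id: "42") { name posts { title } } }';
const deepQuery = '{ a { b { c { d { e { f { g { h } } } } } } } }';
```

Depth is only one cost dimension: a query that is shallow but lists the same expensive field thousands of times, or fans out through list fields, still needs a complexity budget or a timeout in the resolver layer, and the length cap matters for any regex, safe or not, because even linear matching on a multi-megabyte body is wasted work.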
Social hacking
Social engineering, often called social hacking, is a real threat: it can be very damaging from an IT perspective and very subtle to notice. To protect 21RISK against it, all 21RISK employees take annual security awareness training courses.
We also enforce strong policies on our endpoint devices to protect against unauthorized software installations and malicious programs.
Dependencies
The number one thing to worry about when keeping our application secure is dependencies. We have a lot of them. We use Snyk and dependabot to monitor our dependencies and keep them up to date. Combined with a daily release cycle, this keeps known-vulnerable versions from lingering in our application.
Note
When vulnerable dependencies are found, we are automatically notified in our communications channel.
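Notification is only half of it; a release should also be blocked while a serious advisory is open. The following is an added example written for this page, not 21RISK's, Snyk's or dependabot's code: a Node.js CI gate over the JSON that npm audit --json prints, which fails when any advisory is at or above a chosen severity. The field names used (vulnerabilities, severity, isDirect, via, fixAvailable) follow the npm v7+ report format as I know it; treat that shape as an assumption to confirm against your npm version. The sample report, its package names and advisory titles are constructed.

```javascript
// Added example, not 21RISK's code: a severity gate over `npm audit --json` output.
// Field names assume npm's v7+ audit report format.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function blockingVulnerabilities(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const blocking = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[entry.severity];
    if (rank === undefined || rank < threshold) continue;
    // `via` holds advisory objects for the package that is itself vulnerable and
    // plain package-name strings for packages that merely depend on a vulnerable one.
    const advisories = (entry.via || [])
      .filter((v) => typeof v === 'object' && v !== null)
      .map((v) => v.title);
    blocking.push({
      name,
      severity: entry.severity,
      direct: Boolean(entry.isDirect),
      fixAvailable: Boolean(entry.fixAvailable), // npm reports false, true, or an object
      advisories,
    });
  }
  // Worst first, then by name, so the build log leads with what matters most.
  return blocking.sort(
    (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name),
  );
}

function auditGate(report, minSeverity = 'high') {
  const blocking = blockingVulnerabilities(report, minSeverity);
  return { pass: blocking.length === 0, blocking };
}

// Constructed report: the package names and advisory titles are made up.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-pad': {
      name: 'example-pad',
      severity: 'low',
      isDirect: true,
      via: [{ title: 'Constructed low-severity advisory', severity: 'low' }],
      fixAvailable: true,
    },
    'example-json': {
      name: 'example-json',
      severity: 'critical',
      isDirect: true,
      via: [{ title: 'Constructed prototype pollution advisory', severity: 'critical' }],
      fixAvailable: true,
    },
    'example-framework': {
      name: 'example-framework',
      severity: 'critical',
      isDirect: false,
      via: ['example-json'], // vulnerable only through example-json
      fixAvailable: { name: 'example-framework', version: '2.0.0', isSemVerMajor: true },
    },
  },
};
```

In a pipeline, pipe npm audit --json into a small script that calls auditGate(JSON.parse(input)) and sets process.exitCode to 1 when pass is false; with a daily release cycle the gate rarely bites, because the fix lands in the next release instead of accumulating.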
Compromised passwords
One of the core tools we utilize in our security infrastructure at 21RISK is 1Password. 1Password is a robust and user-friendly password management solution that ensures our sensitive credentials, confidential information, and digital identities are managed securely and efficiently.
Understanding 1Password
1Password is a password manager that creates and stores complex, unique passwords for websites, applications and services. The passwords live in an encrypted vault that is unlocked with a single account (master) password known only to the user. 1Password additionally combines that password with a per-account Secret Key stored on the user's devices, so a copy of the encrypted vault data alone is not enough to mount an offline guessing attack on the account password.
In addition to storing passwords, 1Password can also securely store other sensitive information, such as credit card details, secure notes, personal identification documents, and software licenses.
Why 1Password is Important for Security
Elimination of password reuse: by generating a unique password for each site or service, 1Password removes the risk of password reuse, a common weakness where one breached password lets an attacker into many accounts through credential stuffing.
Secure password storage: 1Password uses strong end-to-end encryption, so even an attacker who obtains the vault file from your device cannot decrypt it without the account password and Secret Key. The caveat is that this protects a locked vault; an attacker with access to a session in which the vault is unlocked can read what the user can, which is why auto-lock timeouts and endpoint protection still matter.
Ease of Access
With 1Password, you can access your passwords and other sensitive information across multiple devices securely, so what you need is always available without compromising on security.
Phishing Protection
The 1Password browser extension only auto-fills credentials on the exact site where they were saved, so it will not fill them into a fraudulent lookalike site. This protects users who rely on auto-fill; it does not help if someone bypasses the extension and copies the password into the fake page by hand, so the absence of the usual fill prompt on a familiar-looking site should itself be treated as a warning sign.
Shared Vaults for Teams
1Password can securely share selected passwords or notes within a team or family. For a business this allows secure sharing and management of common resources, with access granted and revoked centrally rather than by passing secrets around in chat.
In conclusion, 1Password is an essential tool in our security suite at 21RISK. It empowers our team to use strong, unique passwords for every service we use, promoting good security hygiene and protecting us from a multitude of potential security threats.
MFA
While a good password manager, like 1Password, significantly improves security by facilitating the use of strong, unique passwords across various services, it primarily addresses only one factor of authentication - "something you know" (i.e., your passwords). Two-factor authentication (2FA), on the other hand, adds an additional layer of security by introducing a second factor, typically "something you have" (such as a mobile device) or "something you are" (such as a biometric feature like a fingerprint). Here's why 2FA makes your accounts more secure:
Protection Against Stolen Credentials
Even if your password is compromised, an attacker still needs the second factor, for example a one-time code from your mobile device or your fingerprint, to access your account. This makes it much harder for an unauthorized person to gain access.
Mitigates Phishing Risks
2FA helps protect against phishing attacks: even if you are tricked into entering your password on a malicious site, the attacker still does not have the second factor required to log in. One caveat: a real-time phishing proxy can relay a one-time code to the real site within its short validity window, so codes raise the bar but do not close the door. Only origin-bound factors such as FIDO2/WebAuthn security keys or passkeys are phishing-resistant, because the browser refuses to sign for any domain other than the one the credential was registered on.
Deterring Unauthorized Access
The requirement of a second factor makes unauthorized access more challenging. The effort and technical skill needed to bypass 2FA deters many attackers, who move on to easier targets instead.
Alerts to Unauthorized Attempts
2FA can also alert you to unauthorized login attempts. A 2FA prompt, or a code arriving via SMS or email, when you are not trying to log in is a signal that someone else already has your password and is trying to use it; treat it as a cue to change that password, and never approve a push prompt you did not initiate yourself. SMS and email codes are the weakest second factor (SIM swapping and mailbox compromise defeat them), so prefer an authenticator app or a hardware key wherever the service supports one.
In summary, while a password manager is a crucial tool for managing and securing your passwords, 2FA adds an extra layer of protection that addresses different types of threats, making your accounts even more secure.
At 21RISK we enforce two-factor authentication on our most critical services, such as GitHub and Google. All our development services offer social login via GitHub or Google, so protecting those two identity providers with 2FA covers sign-in to everything that federates to them. The flip side is that a GitHub or Google account then unlocks every downstream service, which is why 2FA on them is mandatory rather than optional.