Security Hygiene for Software Professionals

As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. And that’s before we consider that the code we write has a tremendous value of its own and should be protected.

Padlock by Moyan Brenn. Used with permission under CC BY 2.0.

Taking responsibility for our security hygiene is, thankfully, not very difficult. Today, most tools we need are either already present in our operating systems or can be added without much effort. In this post, I’ll take you down a list of things you should consider.

Always Stay Up-to-Date

TL;DR: Don’t skip security updates. Know your vendor’s security update policy on all your devices.

Keeping up-to-date with your operating system vendor’s security updates is the bare minimum of security hygiene for anyone—not just developers. When your computers—desktops, laptops, smartphones, IoT devices—tell you there’s a security update, apply it. The kicker is making sure you are offered security updates in the first place.

On computers, the situation is pretty clear. Just about any current operating system has regular security updates available, provided updates are turned on and working. What defines “current” is another issue entirely, and it requires you to know your operating system vendor’s security update policy.

Look it up, know it, and use it to plan larger upgrades between major versions of your operating system in order to ensure you continue to stay secure. You probably don’t need to stay on the bleeding edge for security’s sake, but you will need to make sure you don’t get left too far behind.

Keeping your smartphone up-to-date is also very important. Although you probably don’t do much development there, your smartphone almost certainly has access to cloud accounts that could be used to gain access to both your personal and professional digital life in all sorts of ways. For example, outdated Android smartphones recently allowed attackers to scoop up over a million Google access tokens. Considering just about everyone uses Gmail, and an email address can be used to reset just about any passwords, this is a serious breach indeed.

Unfortunately, keeping smartphones up-to-date can be challenging depending on your choice of platform. Apple does a great job with iOS, supporting all of their phones for several years, but with Android, you need to pay very close attention to the device you choose to make sure it’s getting prompt security updates from Google. You also need to be prepared to ditch that phone as soon as those updates stop, whether you’re ready for a new phone or not.

Finally, don’t forget the other devices on your network. They may not normally have access to anything that seems important to you. However, if compromised, they can be used by attackers to escalate access into higher-value networks that are generally not protected, or into microphones or cameras as well—not to mention, they’re increasingly being used in DDoS attacks. Try to shop for devices made by vendors with a commitment to security, and keep them up-to-date.

Block Unnecessary Web Content

TL;DR: Install uBlock Origin in all your web browsers, and avoid ad-supported apps.

Ad blocking has been big news lately as publishers get more and more desperate in their attempts to monetize content and readers get more and more annoyed by the way ads interrupt their reading experience, track them, and often flat-out break pages. Much less spoken of but much more serious, however, is the delivery of malware over ad networks. This is something that has affected just about every major website that carries ads, and lately ad-supported apps as well.

The easy solution to stopping most ads and greatly reducing the threat is to install an ad blocker. uBlock Origin is your current best choice if you want a hands-off option. If you’re interested in getting your hands a little dirtier and having a lot more control, uMatrix (by the same developer) gives you sane default rules and an intuitive interface for selectively blocking or unblocking content. As a bonus, you’ll learn a lot about how modern websites are put together when you need to use the tool to allow a site to work.

Unfortunately, browser-based ad blockers won’t do anything to protect you against mobile malware or malware delivered in ad-supported software that makes an end-run around your browser. If you can’t protect those avenues, pay for the software to get rid of the ads or discontinue using the software entirely. Be sure to let the developer know why you must stop using their software if you do, and if you make ad-supported software, make sure you’re being responsible to your users by not using ad networks that execute code you didn’t write on your users’ computers.

Check Your Software Sources

TL;DR: Don’t disable Gatekeeper on Macs or similar features on other operating systems. Be very cautious about installing insecurely-delivered software.

Most operating systems now offer some form of code signing not just for operating system components, but for applications as well. Signing code cryptographically ensures that the chain of custody for a given piece of software has been unbroken since it was signed. Regrettably, some users and developers choose to entirely disable code-signing because they find it inconvenient or annoying, or they simply can’t find a way to install the software they want.

For a time (until macOS Sierra removed the option from Preferences) it was common to advise macOS users to set their systems to “allow apps downloaded from anywhere”—bypassing this important security protection entirely. A far better option is to leave the protection in place, and bypass it only as needed, making conscious decisions about each piece of software you bring into your system. You can do this easily on macOS by right-clicking a new app, clicking open, then following the prompts.

Outside of the app ecosystem, there’s also the problem of the popular “curl | sh” pattern for installing command-line software. While curl | sh isn’t necessarily outright insecure, you should be particularly careful using it, making sure you’re not accepting software delivered without certificate-checked HTTPS (especially if you’re working over open Wi-Fi, which is trivially easy to man-in-the-middle) and checking checksums for the downloaded code if you can.
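The following is an added example, not code from the original post: a small POSIX-sh wrapper that turns the "curl | sh" habit into "download, check the certificate, check the checksum, then run". The URL and the expected SHA-256 are whatever the caller supplies (the checksum should come from a channel other than the download itself, such as the project's signed release notes); the "installer" used in the demonstration at the bottom is a constructed file, not any real project's script.

```shell
# Added example (not from the original post): refuse to run a downloaded
# installer unless it arrived over certificate-checked HTTPS and its SHA-256
# matches a checksum obtained separately. URL and checksum are the caller's.

# Print the SHA-256 hex digest of a file, using whichever tool the platform has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED: succeed only when the digest equals EXPECTED
# (compared case-insensitively, so copy-pasted uppercase digests still work).
verify_checksum() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# safe_install URL EXPECTED_SHA256: fetch to a temp file, verify, then execute.
# --proto '=https' rejects any redirect to plain http, --tlsv1.2 sets a TLS floor,
# -f fails on HTTP error pages, and -k/--insecure is never used, so the server
# certificate is always checked.
safe_install() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"
    return 1
  fi
  if verify_checksum "$tmp" "$expected"; then
    sh "$tmp"
    status=$?
  else
    echo "checksum mismatch for $url; refusing to run it" >&2
    status=1
  fi
  rm -f "$tmp"
  return $status
}

# Constructed demonstration (no network): a file whose SHA-256 is known in
# advance, checked once against the right digest and once against a wrong one.
demo=$(mktemp)
printf 'hello\n' > "$demo"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
bad=0000000000000000000000000000000000000000000000000000000000000000
verify_checksum "$demo" "$good" && echo "correct checksum accepted"
verify_checksum "$demo" "$bad"  || echo "bogus checksum rejected, as intended"
rm -f "$demo"
```

Usage is `safe_install https://example.invalid/install.sh <sha256>`; the point of the separate `verify_checksum` step is that the script is never handed to `sh` until the digest has been compared, so a tampered or truncated download is discarded rather than partially executed.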

Of course, even with these options, a lot of software is impossible to verify. In these cases, press the vendor (for commercial software) to maintain, or volunteer to help (for open-source projects) maintain, a clear, easy path to a verifiable chain of custody. Other security-minded developers will thank you for it!

Use a VPN on Untrusted Networks

TL;DR: Use a VPN whenever you’re on a network you don’t control.

As I mentioned in the last section, it’s rapidly approaching trivial to sit on open Wi-Fi and not only read all traffic, but intercept and modify it as well. This is something that has literally become a business model for some internet providers. The increasing use of TLS helps defend against this, but not everyone is there, and not everyone who is there is bringing their “A” game to the party.

When you’re away from trusted networks at your home or office, rather than just shut down and be disconnected, consider using a VPN as an encrypted tunnel to re-route your internet traffic through another trusted network. On the untrusted network, you’ll only be sending and receiving one stream of opaque, encrypted data. That stream will be unpacked on the other end, and you’ll still be able to stay in touch with the wider internet.

Of course, the primary risk of using a VPN to route internet traffic is trusting the other end of the VPN to not meddle with your internet traffic. Regrettably, commercial VPN providers are difficult to pin down on this. Your best bet is to use a VPN running from a network you already trust, like your office—but don’t underestimate the work involved in running and defending a VPN service. I’d love to hear suggestions in the comments. As for myself, I’ve recently been trialling Private Tunnel (by the developers of OpenVPN).

Use Full-Disk Encryption

TL;DR: Use FileVault 2 on macOS, BitLocker or VeraCrypt on Windows, or built-in FDE options on Linux-based systems.

Full-disk encryption encrypts everything that lands on your computer’s internal storage. Although a number of security-sensitive applications can use OS services like keychains to encrypt things like your email access key, if you’re a software developer, chances are extremely strong that valuable secrets are often written insecurely to your computer’s disk. Full-disk encryption makes sure that those secrets are not readable by someone in physical possession of your computer or its disk unless that someone also has the key used to encrypt it.

Obviously, this scheme protects you from data disclosure when someone steals your computer. But it is also useful when you consider that your computer won’t be your computer forever; it will be sold or disposed of someday. If you’ve used full-disk encryption over your computer’s entire lifetime, you effectively eliminate the risk that secret data will be readable by whoever comes into possession of your machine or its components. This is a guarantee you won’t have even if you try to erase the disk later (especially on SSDs, which might remap sensitive data out of the reach of user tools). Trying to zero out an entire disk is also very time-consuming. It’s better to get it right up-front.

Beware of thinking the fact that your computer appears unusable without your encryption key is a guarantee that no one can tamper with your system. It’s still very possible. Keep your computer in your physical possession at all times.

One final tip: If you’re using macOS, consider configuring power management to put your computer into a deep sleep and dispose of your FileVault key when you close its lid. This not only saves your battery, but it also prevents someone who gets their hands on your sleeping computer from retrieving the key through key recovery devices:

$ sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1

With this configuration in play, you’ll have to type your password twice—once to unlock your machine’s sleep image, and again to unlock the screen once that’s restored. However, you can rest easy knowing your sleeping computer isn’t an easy target.
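As an added example (not from the original post), here is a check you can keep in a dotfiles or onboarding script to confirm the two settings above are actually in place. It parses the "key value" lines that `pmset -g` prints; the exact layout and capitalisation of that output are an assumption here, so keys are matched case-insensitively. `check_standby_hardening` succeeds only when `hibernatemode` is 25 and `destroyfvkeyonstandby` is 1.

```shell
# Added example (not from the original post): verify the FileVault standby
# hardening. Reads pmset-style "key value" lines on stdin (output format assumed),
# reports anything that is off, and exits 0 only if both settings are correct.
check_standby_hardening() {
  awk '
    tolower($1) == "hibernatemode"         { hm = $2 }
    tolower($1) == "destroyfvkeyonstandby" { dk = $2 }
    END {
      ok = 1
      if (hm != "25") { print "hibernatemode is " (hm == "" ? "unset" : hm) ", expected 25"; ok = 0 }
      if (dk != "1")  { print "destroyfvkeyonstandby is " (dk == "" ? "unset" : dk) ", expected 1"; ok = 0 }
      if (ok) print "standby hardening in place"
      exit (ok ? 0 : 1)
    }'
}

# On a Mac, read the live settings. Elsewhere, run against a constructed sample
# that looks like an untouched laptop (hibernatemode 3, key kept in RAM on standby).
if command -v pmset >/dev/null 2>&1; then
  pmset -g | check_standby_hardening ||
    echo "fix with: sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1"
else
  printf ' hibernatemode        3\n DestroyFVKeyOnStandby 0\n' | check_standby_hardening ||
    echo "fix with: sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1"
fi
```

A macOS update or a reset of power settings can silently put these back to their defaults, which is why a check that runs periodically is worth more than setting them once.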

Use a Password Manager

TL;DR: Use a password manager like 1Password and replace all your insecure passwords with random strings.

Cloud service compromises and dumps of password databases—well-hashed or not—are now sadly a regular occurrence. And when those password databases are cracked and the passwords made known, the first thing attackers do is try the emails and passwords on other services—because it works so well, with people re-using passwords left and right.

As a human being signing in to an ever-growing number of services, you have no hope of creating and remembering unique, strong passwords for every one of dozens of services you likely use every day. Instead, delegate the job to a well-designed password manager like 1Password, using it to generate and store truly random passwords for those services, then easily enter them with convenient browser and mobile extensions.
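When a site's form or a CLI tool won't take a password manager's output directly, you still want the password to come from the operating system's random number generator rather than from your head. The following is an added example, not from the original post or from 1Password: it draws characters from `/dev/urandom` and reports the entropy of a password of a given length and alphabet size, so you can see why a 20-character random string is in a different league from an 8-character one. The alphabet and the 73-symbol count are choices made here, not anything a particular service mandates.

```shell
# Added example (not from the original post): generate passwords from the OS
# CSPRNG and estimate their strength. Constructed alphabet: 26+26+10 alphanumerics
# plus the 11 symbols !@#$%^&*_+= , 73 characters in all.
PW_ALPHABET='A-Za-z0-9!@#$%^&*_+='
PW_ALPHABET_SIZE=73

# gen_password LENGTH: keep only alphabet characters from the random byte stream
# and cut to LENGTH. LC_ALL=C makes tr work on single bytes regardless of locale.
# (Bash's $RANDOM is a 15-bit value and is not a CSPRNG; don't build passwords from it.)
gen_password() {
  len=${1:-24}
  LC_ALL=C tr -dc "$PW_ALPHABET" < /dev/urandom | head -c "$len"
}

# password_entropy_bits LENGTH ALPHABET_SIZE: whole bits of entropy for a
# uniformly random password, i.e. floor(LENGTH * log2(ALPHABET_SIZE)).
password_entropy_bits() {
  awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", int(n * log(k) / log(2)) }'
}

# Demonstration: one generated password, plus the strength of a few lengths.
echo "example password: $(gen_password 24)"
for n in 8 12 20 24; do
  echo "$n chars over $PW_ALPHABET_SIZE symbols: $(password_entropy_bits "$n" "$PW_ALPHABET_SIZE") bits"
done
```

The entropy figures assume every character is chosen uniformly, which is exactly what the urandom-plus-`tr -dc` pipeline gives you and what a human-invented "clever" password does not; the number is only a ceiling, so treat a length of 20 or more as the floor for anything that protects a cloud account.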

Of course, you do need to consider the risks of putting all your eggs in one basket. A good password manager defends your secret data by never having the decryption key stored in the cloud (in case their cloud service gets compromised) and by using whatever defenses the operating system on your computer makes available. However, if you aren’t careful about all of the other advice presented in this post, you increase the risk that password-manager-attacking malware could land on your system.

You also need to make sure that you create and store backup “emergency kits” (1Password makes this easy!) in case you lose your devices or forget your master password. If you can’t get ahold of the encrypted vault that contains your passwords and unlock it, you could be in for a very difficult time regaining access to increasingly-important cloud services. But with a little forethought, you can minimize this risk and rest easier that the damage from the next cloud compromise can be contained.

Stay Alert

TL;DR: Follow security people on social media. Understand and advocate for security issues. Revise your plans as necessary.

This advice, given in 2017, looks very different from advice I may have given years ago. For example, many password managers of the not-so-distant past were often terrible, centralizing the risk of a complete compromise without adequately defending against threats. They were designed for convenience above security. Today, the most popular password managers are much better-designed, but the threat landscape is also different, with more cloud providers playing a more important role in the day-to-day operation of the world than ever before.

The threat landscape is always changing, but one thing is not likely to ever change: If you write or publish software, you are a bigger target than the average user. Take your responsibility seriously. Stay in touch with the security community, understand security issues, advocate good security hygiene among your colleagues and cohorts, and—above all—stay vigilant.