This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. At http://something.com/admin, this admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form.
- In the least secure case, anybody can access http://something.com/admin and modify the database.
- You can password protect http://something.com/admin. But once you start using the admin console, information is still transmitted in plain text.
- So then you use HTTPS to secure the transmitted data.
Questions:
- To describe to a learner, how would you incrementally add security to the least secure environment in order to make it most secure? How would you modify/augment my three (possibly erroneous) steps above?
- What basic tools in Python make your steps possible?
- Optional: Now that I understand the process, how do sophisticated libraries and frameworks inherently achieve this level of security?
Security is not a patch job, it’s a holistic approach.
Incrementally adding security is not a good idea. You should integrate security in your application from the ground up.
The best advice I can give you is to try to think like an attacker. Think to yourself: “If I wanted to do something I’m not supposed to be able to do, how would I do it?”
If you’re designing an application which uses a database, we careful not to allow SQL Injections. You should also be aware of some of the most popular web vulnerabilities if you’re making a web app.