No matter the level of security knowledge you possess, there are a few simple actions that will immediately improve your software security. This is low-hanging security fruit that many companies still haven't picked. Explore the common security mistakes others have made and learn valuable lessons from them.

Mistake #1: Not verifying login credentials

Equifax, the credit reporting company, used the generic username and password "admin" for a non-US database, specifically on its website in Argentina. Researchers at Hold Security, a cybersecurity firm, discovered this security flaw and were able to access personal employee information, including names, emails, and Social Security equivalents of over 100 individuals.

Lesson learned
Ensure that no admin account keeps default login credentials or easy-to-break credentials such as login: admin, password: admin.

Mistake #2: Keeping sensitive data in code

A St. Louis Post-Dispatch reporter discovered that the Social Security numbers of Missouri teachers were embedded in the HTML source code of a website run by the state education department. The newspaper informed the state about the issue. However, the Governor of Missouri wasn't very grateful about it, calling the newspaper's actions hacking…

Lesson learned
Check that no test credentials or sensitive data are hard-coded in frontend code comments.

Mistake #3: Easy-to-break CI/CD credentials

According to Business Leader, hackers gain access to businesses' servers by exploiting poor security practices, particularly the use of regular or default passwords. Hackers commonly use default credentials, including default Raspberry Pi credentials and credentials used on Linux machines, to gain unauthorized access to servers.

Lesson learned
If you use CI/CD providers and other external tools or dashboards, ensure that no default account keeps easy-to-break credentials.
Mistake #4: Checking secrets into repositories

Researchers at CloudSEK discovered that popular mobile apps are leaking Amazon Web Services (AWS) keys, exposing user data and corporate information. The researchers found that approximately 0.5% of the 8,000 apps they studied contained hardcoded private keys for AWS APIs.

Lesson learned
Verify that no secrets (e.g. AWS keys, passwords, etc.) are checked into repositories.

Secret leak detection tools that you can implement right away:
– Gitleaks – available for free as a secret leak scanning tool in all GitLab plans.
– TruffleHog – works as a Chrome extension that shows secret leaks on websites.
– GitHub Secret Scanning – secret scanning alerts for GitHub repositories. It's free on all public repositories.

Mistake #5: Exposed unwanted ports

A confidential and sensitive U.S. government watchlist, known as the no-fly list, was leaked after being left unsecured on an airline server. The list contains names of individuals prohibited from flying due to suspected terrorist ties or other security concerns. An airline employee discovered the unsecured server and reported the breach to the Department of Homeland Security.

Lesson learned
Make sure that the services you use don't have any unwanted exposed ports.

Tools that scan open ports:
– Censys – a free search engine that can be used for infrastructure reconnaissance.
– Shodan – a paid alternative to Censys.

Mistake #6: Taking keys from tutorials

Hyundai's vehicle encryption was successfully cracked, granting remote control over car functions. Hyundai used a public-private key pair from a tutorial and placed the public key in its code. A software developer identified a flaw in the encryption algorithm used for the vehicle's communication with its mobile app. Exploiting this vulnerability, unauthorized access was gained to the car's systems, enabling actions like unlocking doors and starting the engine.

Lesson learned
Don't use public keys from any tutorials.
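The checks behind Mistakes #2 and #4 above, as an added example that is not part of the original post or of any tool it lists: a small Python scanner that flags AWS access key IDs and high-entropy AWS secret keys in source files, and SSN-shaped numbers left inside HTML comments, run over constructed sample files. All function and file names are my own; the AWS values are AWS's public documentation examples, the SSN-like number is made up, and the entropy threshold of 4.0 bits is an assumed heuristic.

```python
import math
import re
from collections import Counter

# AWS access key IDs are "AKIA" plus 16 upper-case alphanumerics (AWS's documented
# format). Secret keys are 40 base64-like characters, flagged only next to a telling
# variable name AND when high-entropy, so forty "x" placeholders are not reported.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})")
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # NNN-NN-NNNN layout
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
ENTROPY_THRESHOLD = 4.0  # assumed heuristic, bits per character

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(value: str) -> str:
    """Never echo a secret in full; keep four characters for triage."""
    return value[:4] + "..." + "*" * (len(value) - 4)

def scan_text(name: str, text: str) -> list:
    """Return (file, finding_type, evidence) tuples for one file's contents."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append((name, "aws_access_key_id", m.group(1)))
    for m in AWS_SECRET.finditer(text):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((name, "aws_secret_access_key", mask(m.group(1))))
    for c in HTML_COMMENT.finditer(text):  # Mistake #2: data left in comments
        for m in SSN_LIKE.finditer(c.group(1)):
            findings.append((name, "ssn_in_html_comment", mask(m.group(0))))
    return findings

def scan_files(files: dict) -> list:
    return [f for name, text in files.items() for f in scan_text(name, text)]

# Constructed sample files: the AWS values are AWS's own documentation examples
# and the SSN-shaped number is made up.
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                 'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "config.example.py": 'AWS_SECRET_ACCESS_KEY = "' + "x" * 40 + '"\n',
    "teachers.html": "<ul><li>J. Doe</li></ul>\n<!-- TODO remove: ssn 123-45-6789 -->\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%-18s %-22s %s" % finding)
```

Wired into a pre-commit hook or CI step, a check like this catches the leak before the repository or the rendered page does; the entropy gate is what keeps example and placeholder files out of the report.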
Mistake #7: Forgetting to withdraw access

A study by Beyond Identity revealed that around 25% of former employees still have access to their past workplace accounts and emails, with over 41% of them admitting to sharing their login credentials.

Lesson learned
Regularly withdraw access to any tools from ex-employees or people who don't need them, to reduce the attack surface. Consider using Single Sign-On for all your services, for example, Google Sign-in.

What other mistakes shouldn't you make? Download our free ebook and get access to the best security practices and tools.