A notch above a monkey

Securing web applications

I recently finished working on a project with stricter security requirements than I am used to. While my work on the project is done and I am deciding on what to do next, I keep thinking about what I did and what I could do better next time beyond following established good implementation practices. This is my attempt to jot down my (unpolished) thinking, which will be light on technical details as I am not allowed to divulge them.

The first thing I did was to create a threat model for the app’s frontend. It is not something I see done on every project, but it really should be standard practice, even if it is simplified to a “living” list of assets to protect, identified threats and planned countermeasures.

An under-appreciated part of web frontend development using client-side frameworks is that, practically speaking, it is not possible to secure the app you are building on your own. Every major framework depends on and installs hundreds of packages (usually more than a thousand) and it is not feasible to audit all of them and their updates. Even the smaller problem of tracking license compliance is a nightmare. Therefore, managing risk also involves managing trust in external parties.

When using such frameworks is beneficial enough, I favour libraries built and used by major tech companies such as Google and Facebook, especially if their documentation does not ignore security. They may not be better in all the aspects I might care about, but they will have more resources invested in their development and are more likely to be properly audited, as those companies present a much bigger and more valuable target than the companies I work with. I avoid adding 3rd party libraries as much as is economically possible and, when that is not possible, prefer to copy the parts actually used (with the license and a reference to the original) when only a small bit of that library is needed.

Loading 3rd party code directly in the browser should be frowned upon. Even with the modern toolbox for avoiding or limiting abuse (iframe sandboxing, CSP…), nothing is remotely as safe as not loading unknown resources in the first place. Since this is not always possible or desirable, it is best to treat them as an existing exploit of unknown severity and decide where they must be avoided and how best to manage their risk elsewhere.

A similar risk is posed by browser extensions. User fingerprinting is a very good reason for preventing discovery of loaded extensions, but I would still find it useful to at least know whether any loaded extension has access to my app’s contents without an explicit user request. It seems this is not possible. Admittedly this is not a widespread desire and most applications would not change their behaviour based on this information, but a few should (e.g. banking web apps).

In simpler, more naïve times we used to discuss whether the DOM is a good place to store the state of a page. Clearly this is not a good idea for anything beyond storing the state of UI controls, and even then every change should be reflected on screen with an appropriate user notification (change transition, alert…). I remain undecided on how much uni-directional data flow helps with security, but it does help some, similarly to how private class properties do: I find it easier to track possible attack points if the interface is a rendered reflection of the application’s state and I can focus my attention on the interactive parts through which the user changes it.

Protecting code and data from nosy scripts with JavaScript closures is already effectively done by frameworks and rarely requires manual intervention. This is mostly enough, but an unsolved problem for me was keeping data private while also surviving a browser window reload, as I can only do one of the two with any kind of certainty. I am reasonably sure this is not possible, since every available storage is also available to other scripts, as is requesting data from the server without authentication.

sessionStorage is preferred to localStorage. Any personal data should be removed together with the session, and sessions shouldn’t be long either.
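One way to put that rule into practice, as an added example that is not code from the original post: a small wrapper that keeps per-session data in sessionStorage with a short TTL and wipes it when the session ends. The 15-minute TTL, the `session:` key prefix and the in-memory `MemoryStorage` stand-in for the browser Storage API (so the file runs under Node) are all assumptions made here.

```javascript
// Constructed stand-in for window.sessionStorage so this runs outside a
// browser; in a page, pass window.sessionStorage to createSessionStore.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed session length: 15 minutes
const PREFIX = 'session:';             // assumed prefix marking entries we own

// storage defaults to the browser's sessionStorage; now() is injectable so
// expiry behaviour can be exercised deterministically.
function createSessionStore(storage = globalThis.sessionStorage, now = Date.now) {
  const ownedKeys = () => {
    const keys = [];
    for (let i = 0; i < storage.length; i++) {
      const k = storage.key(i);
      if (k !== null && k.startsWith(PREFIX)) keys.push(k);
    }
    return keys;
  };
  return {
    // Every value carries its own expiry, so it cannot outlive the session.
    set(key, value) {
      const record = { v: value, exp: now() + SESSION_TTL_MS };
      storage.setItem(PREFIX + key, JSON.stringify(record));
    },
    // Returns null and deletes the entry once the TTL has passed, so stale
    // personal data is removed on first touch instead of lingering.
    get(key) {
      const raw = storage.getItem(PREFIX + key);
      if (raw === null) return null;
      const { v, exp } = JSON.parse(raw);
      if (now() > exp) { storage.removeItem(PREFIX + key); return null; }
      return v;
    },
    // Call on logout or session end: wipes every entry we own and returns
    // how many were removed; entries from other code are left alone.
    end() {
      const owned = ownedKeys();
      owned.forEach((k) => storage.removeItem(k));
      return owned.length;
    },
  };
}
```

Because any script on the same origin can still read sessionStorage, this bounds how long personal data lives, not who can read it.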

It would be nice, if all my research and effort provided me with more comfort than they do. Maybe fear is just the price paid for remaining vigilant.

2018 review

I just reread my last year’s review and could copy the first two paragraphs with few changes. I am still fine, loved ones less so, and there were new horrific organisational experiences to replace the old ones.

Without the wish or intent to go into much detail, this was a year in which our home had to be listed as a no-go location in a restraining order and I observed the Slovenian police and justice system dealing with credible threats to life, and they continue to fail miserably to this day. Not all failures come down to sex, but being a woman certainly seems to make things worse for you.

Still, I ended last year in a much better mood than I started it, or was in for much of the year. No doubt visiting Madagascar and Réunion, while physically taxing, helped a lot. As did a summer visit from friends, hiking more than ever, building Legos and working on a new project.

Recently a British minister was ridiculed for playing with Lego sets, but I can only recommend it, especially to those under stress. The calming effect of putting bricks together and the satisfaction of building something are truly relaxing. I don’t know what I might do this year, but last year I built the Taj Mahal:

Taj Mahal

This year I would also like to build something more useful and less tactile. At the end of last year I made prototypes to test the idea of an email Instapaper and hope to get it running some time this year, if I can resolve the problems around financially tolerable and reliable email delivery. It might even lead to some fresh content on this website if I write up an idea or two after I test it with this service.

Last year I did not read much, but we hiked often, which really paid off in Réunion where a bout of dengue led to me carrying a heavier than expected backpack for days on end. I was possibly the fittest I’ve ever been, and if I could get into the same shape this year while improving my diet and losing some weight, that would be great.

My main goal last year was to take care of loved ones. I cannot remember why I felt it necessary to state this, as it is, will be and should be the most important thing I do every year.

I do not want to give myself a pass again for not doing much else. I felt myself getting stupider this year, which was a wholly unenjoyable experience. 2019 is the year of my new, less flattering demographic age bracket, but I will not be remotely old enough for a dulling of intellect to be expected or acceptable. I suspect this “development” had a lot to do with what and how much I read last year, and I will focus my efforts there to expand my general knowledge.

Speaking of learning, I did not make much progress with Spanish last year and won’t for the first few months of this year either. At some point (spring?) I’ll have to, if I don’t want to forget what I already learned.

My plans for 2019 are unintentionally vague, so there is a good chance that I could in some sense fulfil more of them than usual, including another long trip abroad. There is one thing I want to change from 2018, and that is simply being more intentional in whatever I do. Nothing makes time feel wasted as reliably as spending it without forethought.

Books I read in 2018

…were too few. Even worse than 2016, from which I lifted this post’s beginning. At least none of them were duds. All of them are worth reading, but I reserved bold for those that are not too niche.

Links lead to Smile Amazon. I still get nothing from referrals, but at least some charity might get a few cents instead of also nothing. Brodeck Report is lacking a link because the graphic novel has not been translated into English yet. Book titles are in the languages in which I read them.

The list:

  • The Magic of Watches by Louis Nardin. A very fine introduction to the world of (wrist)watches and one of the best designed books I own. A very good introduction for the already interested that is at its weakest when it is trying to sell you this hobby, but more than makes up for it elsewhere.
  • Platero y Yo by Juan Ramon Jiménez. Bittersweet stories about the author's friendship with a donkey. Above my Spanish level, and I will have to read it again some day. Lovely prose where my understanding was not too foggy.
  • Brodeckovo poročilo (Brodeck Report) by Manu Larcenet. A fantastic graphic novel based on a novel by Philippe Claudel about difference and intolerance in a village near the French-German border soon after WW2. Wonderfully drawn and impactful; it is difficult to imagine it not doing justice to the original material, which I have not read yet.
  • Architecting Angular Applications with Redux, RxJS, and NgRx by Christoffer Noring. I have mixed feelings about this book. It is a good introduction to the topic, but I am still not persuaded about the approach. I have some qualms about the organisation of the content, as the book seems to be confused about who its audience is, and certainly about the many technical mistakes in code samples, but I would still recommend it as the best introduction for those who need to get acquainted with its topic.
  • The Mistletoe Murder and Other Stories by P.D. James. Judging by this book, P.D. James deserved her high reputation. Crime stories best read around Christmas, all of them superbly conceived and written. Highly recommended.

My plan for this year is simply to get into the habit of reading books again, with a healthy mixture of fiction and non-fiction. No particular number in mind, but a single digit would be disappointing, as it would mean I again wasted too much time on the mostly short fluff found on the net.

It would be great if I managed to rise to last year’s challenge of reading a book in each language familiar to me, but I probably won’t.
