---
title: Cyber Security Month 2016
date: 2016-10-01
subtitle: The best time to upgrade the security on my projects!
image: unsplash:flha0KwRrRc
tags: [security]
---

As it's [Cyber Security Month](https://cybersecuritymonth.eu/), now is the perfect time to work on improving the security of my websites, projects, and servers. But a one-off upgrade isn't good enough for me: I also wanted a way to scan projects automatically, so that any new issues get caught.

As most of my projects revolve around JavaScript and Python, these are the languages I'll be concentrating on.

# JavaScript

## Express Server

Express is one of the most popular JS servers, and fortunately it has a [security guide](http://expressjs.com/en/advanced/best-practice-security.html) that covers some of the best ways to write secure servers. One of the best and simplest is to add the [helmet](https://www.npmjs.com/package/helmet) middleware, a bundle of other middleware that drastically increases security. It's incredibly easy to add too, at just [3 lines of code](https://github.com/RealOrangeOne/host-container/commit/90adfd04aed2f2065d803623c297dc1a8ae71632)!

You can use [securityheaders.io](http://securityheaders.io/) to check whether your server is sending any headers it shouldn't, as well as to see how you can improve. [Here's](https://securityheaders.io/?q=theorangeone.net&followRedirects=on) the report for my website, powered by my static server [tstatic](https://github.com/RealOrangeOne/tstatic).

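To make the helmet and securityheaders.io points concrete, here is a small Python checker added for this post (it is not code from the post, from helmet or from securityheaders.io). It does offline what the site does against a live server: looks for the protective headers helmet adds, flags present-but-weak values, and flags headers that advertise the stack. The header list, the letter-grade scale and both sample responses are constructed assumptions.

```python
"""Grade an HTTP response's headers the way securityheaders.io does.

Added, constructed example: not code from this post, helmet or
securityheaders.io. The header list, the grading scale and both sample
responses are assumptions made for illustration.
"""

# Protective headers a hardened server should send, each with a minimal
# check on its value. The list is based on the headers helmet adds plus CSP
# (assumption about helmet's defaults; see the package docs for the real list).
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "content-security-policy": lambda v: "default-src" in v.lower(),
}

# Headers that advertise the server stack; helmet removes X-Powered-By, and
# the same reasoning applies to a verbose Server header.
LEAKY = ("x-powered-by", "server")


def check_headers(headers):
    """Classify the headers of one response.

    Returns a dict with four lists: 'ok' (present with a sane value),
    'missing', 'weak' (present but failing its value check) and 'leaky'
    (present but should be removed). Names are compared case-insensitively,
    as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    report = {"ok": [], "missing": [], "weak": [], "leaky": []}
    for name, is_sane in EXPECTED.items():
        if name not in lower:
            report["missing"].append(name)
        elif is_sane(lower[name]):
            report["ok"].append(name)
        else:
            report["weak"].append(name)
    for name in LEAKY:
        if name in lower:
            report["leaky"].append(name)
    return report


def grade(report):
    """Letter grade from A (nothing to fix) down to F, one step per problem.
    This scale is a constructed stand-in for securityheaders.io's scoring."""
    problems = len(report["missing"]) + len(report["weak"]) + len(report["leaky"])
    return "ABCDEF"[min(problems, 5)]


# Constructed sample: what a stock Express app sends before helmet is added.
BEFORE_HELMET = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "Express",
}

# Constructed sample: the same app after `app.use(helmet())`. Values are
# illustrative; CSP is left out because helmet (as of 2016) does not enable
# it by default, so it still shows up as missing.
AFTER_HELMET = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-DNS-Prefetch-Control": "off",
}


if __name__ == "__main__":
    for label, headers in (("before helmet", BEFORE_HELMET), ("after helmet", AFTER_HELMET)):
        report = check_headers(headers)
        print(f"{label}: grade {grade(report)}")
        for kind in ("missing", "weak", "leaky"):
            for name in report[kind]:
                print(f"  {kind}: {name}")
```

Running it shows the before/after difference the post describes: the stock response gets an F (everything missing, plus a leaky `X-Powered-By`), while the helmet response only loses marks for the CSP that helmet leaves for you to configure.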
## NodeJS Dependencies

One of the easiest ways to keep your code secure is to make sure your dependencies are secure. Fortunately, there's a tool to check this: [nsp](https://www.npmjs.com/package/nsp). It checks the [Node Security Project](https://nodesecurity.io/) for known vulnerabilities, reports them to you, and tells you how to mitigate them.

### Checking for updates

Keeping dependencies up to date is generally a good thing, and is likely to help with the above. Upload your `package.json` to [npm.click](http://npm.click/), and it'll tell you what's out of date and what the most recent version is!

# Python

## Code

Any of the projects I work on that are more advanced than a simple static server are probably Django. Checking the Python code itself is nice and simple thanks to [bandit](https://github.com/openstack/bandit). It checks your code to make sure you're writing it properly, catching errors, and using libraries securely.

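As an added example of the kind of check bandit performs (this is a constructed toy scanner, not bandit's code or its rule set), here's a walk over a module's syntax tree with Python's standard `ast` module that flags a few classic patterns bandit also reports: `eval()`/`exec()` calls, `subprocess` calls with `shell=True`, a string literal assigned to a name containing "password", and `assert` statements, which the interpreter strips under `-O`. The sample module it scans is constructed.

```python
"""A toy static scanner in the spirit of bandit.

Added, constructed example: not bandit's code or its rule set. It walks the
AST of a module and flags a handful of patterns that bandit also reports.
"""
import ast

# subprocess entry points where shell=True hands the string to /bin/sh.
SHELL_CALLS = {
    "subprocess.call", "subprocess.run", "subprocess.Popen",
    "subprocess.check_call", "subprocess.check_output",
}


def _call_name(func):
    """Dotted name of a call target ('subprocess.call'); '' if it isn't one."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def _is_true(node):
    """True only for a literal `True`, not for 1 or another truthy constant."""
    return isinstance(node, ast.Constant) and node.value is True


def scan_source(source, filename="<string>"):
    """Return sorted (line, message) findings for one module's source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in ("eval", "exec"):
                findings.append((node.lineno, f"{name}() on a runtime value"))
            elif name in SHELL_CALLS and any(
                kw.arg == "shell" and _is_true(kw.value) for kw in node.keywords
            ):
                findings.append((node.lineno, f"{name} with shell=True"))
        elif isinstance(node, ast.Assign):
            # Only string literals count; a value read from the environment
            # or a settings module is exactly what we want instead.
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                for target in node.targets:
                    if isinstance(target, ast.Name) and "password" in target.id.lower():
                        findings.append((node.lineno, f"hardcoded password in {target.id}"))
        elif isinstance(node, ast.Assert):
            findings.append((node.lineno, "assert is removed under -O; not a security check"))
    return sorted(findings)


# Constructed module with one of each smell; the password is made up.
SAMPLE = """\
import subprocess

DB_PASSWORD = "hunter2"


def run(cmd):
    return subprocess.call(cmd, shell=True)


def total(expr):
    assert expr
    return eval(expr)
"""


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {message}")
```

The real tool has many more rules and a severity/confidence model, but the shape is the same: a parse, a walk, and pattern matches on specific node types, which is why it catches things a grep for `eval` would miss (for example the `shell=True` keyword) and ignores things a grep would flag (the word `eval` inside a string).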
### Dependencies?

As with NodeJS, there's a tool that checks dependencies for security issues. But, unlike `nsp`, [safety](https://pypi.python.org/pypi/safety) not only checks your dependencies, but also their dependencies, recursively.

It's also possible to check for updates using [pypiup](https://pypi.python.org/pypi/pypiup/). It works in much the same way as [npm.click](http://npm.click/) (and is written by the same person), except that it's a CLI rather than a website.

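As an added example covering both the NodeJS section (nsp, npm.click) and this Python one (safety, pypiup), here is a small audit written for this post that is not code from any of those four tools. It parses a pinned requirements file, optionally resolves transitive dependencies the way safety does (and, per the post, nsp doesn't), compares every package against an advisory list, and reports which pins are behind the latest release. The package index, the advisory entries and the package names are all made up for the example (the names are fictional, not real PyPI packages), and version comparison is simplified to dotted integers rather than full PEP 440.

```python
"""Dependency audit: known-vulnerable pins plus out-of-date pins.

Added, constructed example covering what nsp/safety (advisories) and
npm.click/pypiup (updates) do between them. Nothing here is those tools'
code; the index, advisories and package names are fictional.
"""

# Constructed package index standing in for PyPI / npm: per package, the
# latest release and, per version, its own pinned dependencies.
INDEX = {
    "webfw": {"latest": "1.10.2", "deps": {"1.8.4": [], "1.10.2": []}},
    "httpkit": {
        "latest": "2.11.1",
        "deps": {"2.9.1": ["transport==1.15"], "2.11.1": ["transport==1.18"]},
    },
    "transport": {"latest": "1.18", "deps": {"1.15": [], "1.18": []}},
}

# Constructed advisory database: package -> [(first_fixed_version, note)].
# These are invented entries for fictional packages, not real advisories.
ADVISORIES = {
    "webfw": [("1.8.5", "example advisory A, fixed in 1.8.5")],
    "transport": [("1.17", "example advisory B, fixed in 1.17")],
}

# Constructed requirements.txt: only the direct dependencies are pinned here.
REQUIREMENTS = """\
# web app pins (constructed)
webfw==1.8.4
httpkit==2.9.1
"""


def parse_version(text):
    """'1.10.2' -> (1, 10, 2), so 1.10 sorts after 1.8 (string compare would not).
    Real tools implement PEP 440 / semver; this is deliberately minimal."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Read 'name==version' lines into a dict, ignoring blanks and comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def resolve(pins):
    """Collect transitive dependencies by walking the index (the recursive
    check the post credits safety with). First pin of a package wins; a real
    resolver would reconcile conflicting pins."""
    resolved = {}
    queue = list(pins.items())
    while queue:
        name, version = queue.pop()
        if name in resolved:
            continue
        resolved[name] = version
        for dep in INDEX[name]["deps"][version]:
            queue.append(tuple(dep.split("==")))
    return resolved


def audit(pins, recursive=True):
    """Return {'vulnerable': [(name, version, note)], 'outdated': [(name, version, latest)]}.
    With recursive=False only the direct pins are examined."""
    packages = resolve(pins) if recursive else dict(pins)
    report = {"vulnerable": [], "outdated": []}
    for name, version in sorted(packages.items()):
        for fixed_in, note in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                report["vulnerable"].append((name, version, note))
        latest = INDEX[name]["latest"]
        if parse_version(version) < parse_version(latest):
            report["outdated"].append((name, version, latest))
    return report


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for recursive in (False, True):
        report = audit(pins, recursive=recursive)
        print(f"recursive={recursive}")
        for name, version, note in report["vulnerable"]:
            print(f"  VULNERABLE {name}=={version}: {note}")
        for name, version, latest in report["outdated"]:
            print(f"  outdated   {name}=={version} (latest {latest})")
```

The direct-only pass misses the vulnerable `transport` pulled in by `httpkit`; the recursive pass finds it. That is the whole difference the post draws between `nsp` and `safety`, and also why "upgrade `httpkit`" is the real fix: its latest release pins a fixed `transport`.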
# Checking

To check your hard work has made a difference, [seositecheckup](http://seositecheckup.com/) contains a helpful section on security, as well as the previously mentioned [securityheaders.io](http://securityheaders.io/). I've enabled these tricks on my website, and you can see their results here for [securityheaders.io](https://securityheaders.io/?q=https%3A%2F%2Ftheorangeone.net&followRedirects=on) and [seositecheckup](http://seositecheckup.com/seo-audit/theorangeone.net).