Youness El Andaloussi

Senior CSM/CSPO Software Developer

Certifications

Certified Scrum Master

Certified Product Owner

Project Management (PMP)

Leadership

30+ team Coordination

Integration

Roadmapping

Soft Skills

SDLC

Agile

Waterfall

CICD

Stakeholder management

Requirements, Design documents

Release Management

Devops

Architecture

Distributed Systems

Design Patterns

SAAS

Multitenant

Infrastructure as code

Scaling

Caching

Cloud

Reliability

Provisioning

Databases

MySQL

MongoDB

PostGres

Query Optimization

Software Development

Algorithms
Web Apps
APIs
Processes
Sockets

Lamp Developer

Linux
Apache
PHP/ Python

Python Development

SQLAlchemy, pymongo
Django, Flask, Bottle
paramiko, urllib, multiprocessing
nosetests,pylint,pep 8

Team Development

GIT, Subversion
Vagrant, Fabric
Jenkins
Jira, Liquidplanner, Bugzilla

Scaling

Query optimization
Distributed systems
Socket programming

Custom Linux Distributions

Writing installers
Anaconda Customization
ISO customization

Cloud & Virtualization

AWS
Azure
ESXI
KVM

Development

Object Oriented
MVC With code igniter
DB with MySQLi
E-Commerce

Web Pages

Nosql

Mongodb
Map/Reduce

Network Monitoring

EM7
Nagios
SNMP
Custom development

CMS

Drupal
Wordpress
Custom Made CMS

Coldfusion to

MS SQL to
Cold Fusion to Wordpress
Cold Fusion to pure PHP

Databases

Database Administration
Query Writing and optimization
Replication, Galera
Procedures, Joins, Views, Triggers

Linux Admin

Install & Configuration
Shell Scripts
Cron Jobs
Command Line interface

Apache Admin

Server Configuration
.htaccess rules
SSL Certificates & DNI
Problem troubleshooting

Platforms

Redhat/Centos
Debian/Ubuntu
Windows
MacOS

To start the game press Enter.

Arrow keys: left/right.
Spacebar: rotate.
[ESC]: End game

Security is not optional on public Facing Sites

Today I saw an interesting statistic on slashdot: Over 200000 database servers with no authentication, over one petabyte of data access. Earlier this year, there was a post about how many people accidentally post their aws keys to github without realizing they've just opened themselves to potential charges with automated network scanners.

An increasing number of people put their servers online without any security and put passwords/keys online. A lot of hacks are a result of careless mistakes/ skipping security altogether.

Some would argue that the data on some servers is less confidential than others or a cloud server that will be up for a short time is not as much of an issue but as technology evolves, there are more and more money incentives to hacking systems, one should expect more intrusions and more sophisticated attacks.

Further, security is as strong as the weakest link in the chain and a compromise on an unimportant server that may seem harmless may end up costing much more than expected. For example, I have seen servers that were never meant to be online may end up opening wide open a whole secured network. Sometimes, temporary solutions end up lasting much longer than initially planned. As a result, since security was overlooked because the solution was never meant to last, the whole network is wide open.

Obviously, there can be no guarantees that a zero day exploit will expose a network to malicious attacks but if there is no security, it is even worse and consequences are potentially catastrophical.

Many guides to securing servers exist and this is obviously not meant as an depth security manual. As a matter of fact, the advice below should be common sense and already be in place but I have seen these basic rules ignored too many times, so here are things you should already be doing:

Keep your server up to date - that includes os updates and software updates. This should be obvious but way too many times, I have seen servers that have not been updated for over a year for no good reason whatsoever
Make sure authentication is turned on wherever it needs to be - that includes databases servers, smtp servers, no default users, restrict users to only the permissions they need (For example, if you have a wordpress website, there is no reason for it to use the root mysql credentials. A mongodb admin account that can be accessed from anywhere without a password is obviously a big no no as well)
if a service is not necessary, don't have it on by default - The less services you have available, the smaller the network footprint and the less likely one of the services will be vulnerable - either because it is misconfigured or because of a zero day vulnerability.
Make sure api key, credentials and sensitive information is not available publically on sites like github. With many search engines crawling the web automatically on a daily basis, putting them on any directory that can be indexed is looking for trouble as well
Make sure you have a backup of your data and do not hesitate to bring the server offline/ reinstall if necessary - if a server is compromised, simply changing the password and putting the server back online is not going to cut it.
Have sensible firewall rules - multiple times, I have seen firewalls disabled during development time and never turned back on.
In any application, trust no input. This can avoid the most common vectors of attacks - sql injection, css injection, buffer overflows and abuses due to invalid input. This includes validating the input both in the backend and the frontend.
If you are using linux, SELinux is your friend. Too many times, I have seen SELinux disabled just to save a little time in configuration. This will help mitigate damage even if a hacker gets in.
Change passwords regularly and they should not be easily guessed. With brute force tools commonly available, many attacks start with a weak password.
Have sensible monitoring of both your services and your logs. If you only have one server, then you could get by with manually auditing things but with multiple servers you'll need either a log ingestion engine or some way to automatically parse/filter relevant information

As I said earlier, there are plenty of more complete guides on securing servers but this is more of a reminder of what you should be already doing.

Fun Fact

It helps to look ahead and visualize where you want to be. A year from now, what would you have wished you did today?

When a door closes, at least another opens... the problem is we focus too much on the first door to see the others open

When they ask me what I do, I say whatever it takes. You have to be willing to go the extra mile on your path to success

A record company told the Beatles they were no good, they sounded old & boys band were a thing of the past. Persist, do something awesome

Discipline is the bridge between goals and success - Jim Rohn

To excel is not a destination but a constant voyage - Brian Tracy

Proceed as if success is unavoidable. A lot of our limitations exist only in our minds

Before being an entertainment mogul, Walt Disney was fired for a lack of imagination. Persisting always yields results

One of Edison's teachers said he was too stupid to learn anything. A healthy self esteem is key for success

Henry Ford went bankrupt 5 times before he succeeded. Never let failure discourage you

The first person who hired Elvis Presley as a singer fired him the first night, recommending he give up music for a different profession

One of Einstein's teachers said he was a lost case, too slow and stuck in unrealistic dreams. Never let someone else's opinion let you down

Tolstoy failed university. They told him he was not capable of learning. Never let failure stop you on the road to success

When he started, studios told Charlie Chaplin what he did was nonsense. With persistence, a legend was born

Leonardo de Vinci has never been to school. Always respect knowledge but remember success is not limited to degrees

One of Bethoven's professors told him he was a pathetic composer. He proved him wrong even if he was deaf

Be passionate, always. Even if Van Gogh only sold one painting while alive (to his sister), he painted over 800 paintings

Never push back to tomorrow what can be done today

Who risks nothing, begets nothing. Sometimes, taking a calculated risk at the right moment makes all the difference

The best way to predict the future is to invent it - Richard Bandler

As your self esteem improves, your performance increases too - Zick Ziglar

What drowns people is not the jump itself but staying under water does - Paolo Cuelho

With enough persistence, nothing is impossible. Wherever there is a will, there is always a way

Petit à petit l'oiseau fait son nid. Rien n'arrive du jour au lendemain et persister permet d'arriver à ses fins

There is only one way to fail, give up before succeeding - Olivier Lockert

Do not be afraid of being slow, be afraid only to be at a standstill - Chinese proverb

The word chance is synonym to tenacity of goals - Ralf Waldo Emmerson

Today is the first day of the rest of your life, a brand new chance to excel. It is never too late to be what you might have been.

No one can know what they really capable of until they try

No extraordinary person complains about the lack of opportunities

Never be afraid of failure. If you want to double your success rate, you have to double your failure rate - Brian Tracy

If 'O' stands for Opportunity, it's absent in 'yesterday', once in 'tOday', thrice in 'tOmOrrOw'. There's always opportunities waiting tomorrow.

It is not the number times we fall that matters, it is the number we get back up... because in the end what matter is that we are standing

After how many times should a baby trying to walk give up? Obviously none. Giving up is not a trait we are born with - Anthony Robbins

It is better late than never... and it is never too late to be what you might have been

To be strong cant be equated with physical force but it is more about having a never failing willpower - Ghandi

No obstacle is unsolvable. It is about dividing each difficulty int as many subdivisions necessary to succeed - Descartes

The best way to start is to stop talking and start doing - Walt Disney

Always remember that all those at the top all started and the bottom and persisted until they got their way

It is nice to have what you want... but meanwhile, always remember to want what you have

More often than not, we are limited by our attitude and not by the opportunities that come to us

It is the little details that make a huge difference. Going the extra mile and making an extra effort change everything - Mark Tway

To have a list of goals is key in life... otherwise how will you ever know you got to where you want to be?

Failure is the foundation of success and it is by failing that we build - Lao Tzu

Many times, the one who tries to do too much ends up doing very little - make priorities, focus and get things done - Italian proverb

The past is behind use, future is very unpredictable. That is why it is important to focus on the present

Be at peace with yourself... if you can't trust yourself, why would others do it?

A list of goals that is not written down is like a wishlist

To succeed, it is key to have alist of goals and remember that for everything there is a cost... and it is not always money

Obstacles are these horrible things in life that we see when we get our eyes off of our goals

The best opportunities in life go to those who make sure that things get done while owning up to their responsibilities - Napoleon Hill

Time is more precious than gold. We can always get more money but wasted time can never be gotten back

Do not attempt to do too many things. The best way to get many things done is to focus on one thing at the time - Mozart

Life is a never ending cycle that keeps repeating - every time is an opportunity to fix previous mistakes you made and do things differently