What if your sensitive data gets exposed? A case for data security.

The complete life cycle of data management is rather broad, and in a sequential order I can list them as follows:

1. Data collection, because data must be collected before you can think of doing anything else with it.
2. Data storage: data must be stored somewhere - most logically in some electronic form (structured database, text form, binary form, etc).
   
3. Data extraction /  processing / analysis: to organize and bring out hidden insights from the data.
   
4. Data quality control: to assure quality of the data.
   
5. Information dissemination (reporting, business intelligence, visualization, etc).
   

Throughout the above processes, it might be important to ensure that your data is secure - in terms of controlling who can have access to the data, and who can do what with the data. You do not want just anyone to have read or write access to highly confidential patient data, bank account data, company financial data, school students data, etc. The list is endless.

If data must be collected and stored in an electronic medium, then we cannot avoid talking about an electronic software application to manage that process ... and more often than not, we could be talking about some web-based system. The moment we talk about a web-based system, then we open ourselves to the opportunities and challenges of the web. One critical challenge of the web is data security.

With multitudes of web-application frameworks abound, it is can be easy for any developer (or possibly anyone) to develop some kind of web-application that is able to collect, store and manage data. If such a system is locally available within an enterprise, and is not public-facing, then data security concerns may be minimal. However, if such a system is accessible via a public interface, then the level of security concern should not be underestimated.

In my experience, not many people are even aware of - or concerned about - the data exposure that web-applications bring about. Just to mention a few, attacks such as the following are too serious and too common to be ignored:

1. Cross Site Scripting (XSS), also known as script injection. This is where an attacker injects Javascript of HTML into a vulnerable input field.
   
2. Cross Site Request Forgery (CSRF). According to OWASP, this is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
3. SQL injection. This is where an attacker injects SQL script into a vulnerable input field.

All the above threats have grave potential local or global consequences on a website (or web-application). These are interesting security topics which have often featured in the OWASP Top 10 list. And they are easy to implement by an attacker as long as the system vulnerabilities exist, coupled with security-unaware users. Good understanding of these vulnerabilities would require knowledge of web-development, but end-users simply need to know how to use the internet in a disciplined manner. Until you understand these exploits, you may not be able to appreciate the everyday reality of the risks right at your fingertips.

Ask yourself how many spam emails you have ever received, or continue to receive on a daily basis. Have you ever imagined that such emails could be directly targeting your web-based application, either the application hosted by you, your enterprise, or even that banking application which you simply use as a customer? Depending on what application it is, you could count losses if a hacker decided to exploit that system. Some possible consequences of an attack could be illegal transfer of money from your account, illegal approval of an important transaction, stealing of password, introduction of viruses / malware, etc, etc.

There are two main players who can take control of the situation: the developer(s) of your application and you (the end user). Both of you should be well-versed with the techniques and counter-measures of the attacks listed above (and others). For starters, understanding cross site scripting, cross site request forgery, and SQL injection will put you miles ahead of the game. 

A developer should take it upon themselves to design a system that seriously takes into account security vulnerabilities.If you are a developer and you haven't yet understood the security considerations above, then it is good to assume that your system is unsafe. For starters, a developer should take the following basic measures:

1. Cross Site Scripting (XSS), also known as script injection:
•  sanitize/validate html input (request) before processing, paying more attention if such an input is included in the response (output)
  
2. Cross Site Request Forgery (CSRF)
•  use csrf token; 
• avoid using GET method for for state-changing requests (this can prevent use of exploit URL, but an attacker can still use Form tags)
  
3. SQL injection
• use parameterized SQL statements or stored procedures;
  
• avoid using raw SQL queries
  

For the above measures, it helps if a developer uses a well-tested development Framework with strong security implementations. For instance, in the case of Flask (Python), use of standard libraries such as SQLAlchemy, Jinja, WTForms, etc is recommended. Avoid using older interfaces. If possible, allow a security expert to test your system before deployment.

An end user should exercise discipline while using web-applications and the internet generally because many attacks use social engineering to lure you to do something that triggers an attack. For instance:

1. DO NOT open emails and links that you are unsure of. These can be just a bait to lure you to an attack.
2. Always log out of sensitive websites e.g. banking website before visiting another website or immediately after performing your transaction (this can prevent CSRF attacks)
   

Sometime in the future, I hope to pick one of the three threats above and give a detailed account, with examples. Meanwhile, from now on, just know that you are exposed as long a you use some web-application (or the internet for that matter). Good luck and be safe.

Web Scraping with Python (BeautifulSoup and Pandas)

Imagine that everyday at a certain time of the day you have a task to manually visit a certain website to check the Forex rates of specified currencies against your local currency. For instance, assume that your local currency is UGX, and the foreign currencies are AUD, GBP, EUR, NZD, and USD.

There is no doubt that the above task can be time-consuming even just the way it is. But now imagine that in addition to visiting the website, you have additional tasks to get the rates, save them in a local file on top the historical rates, and plot a chart to see the trend. This certainly becomes more time-consuming, and even complex.

What if I tell you that this series of tasks can be automated and delivered right to your mailbox through web scraping without your intervention? Just imagine how much time you would save everyday, and the time saved can be used more productively elsewhere. The reality of life is that most people, in spite of technological advances, still go through the manual way of doing things. And this is just an example. One excellent use-case is tracking daily COVID-19 rates.

Enter web scraping with Python. I recently developed two similar web scraping systems for Forex rates and Weather (using Open Weather site). Both websites offer very accurate global data, with up to one hour update intervals.Of course, there are considerations to make before you web-scrape a website, otherwise you could be rocking the boat (legally). The bottom line is to check and confirm that web-scraping is allowed on the website before you do anything.

For web scraping, we can use any of the following Python libraries: Selenium, BeautifulSoup, or Pandas. Having used Selenium for interactive web automation before, this time I chose to use both BeautifulSoup and Pandas separately, but obviously they return same results. In this post, we are not using Selenium, but for those who may not know, Selenium allows you to automate actions on a website. For instance, you can write a Selenium script to log into a web page, click a link for reports, click another oink for emailing the report to you ... but that is for another day.

Using BeautifulSoup and Pandas (each in its own right), below are some screenshots of the results. As usual, you can find the code in my GitHub repo.

 

Table of raw Forex rates data scraped from the website

Table of processed Forex rates data ready for plotting

 

Chart showing trends of Forex rates using MatplotLib