Guest post by Brian Pearce
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates, and website coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.
Websites and the servers that host them are vulnerable to attack, and so too are the networks that are connected to them. Security holes in sites created by human error or application vulnerabilities are a source of trouble for the entire enterprise.
Are Your Site and Network at Risk?
Web security is relative and has two components. The potential for serious attention by a seriously dangerous attacker is relatively low if network resources don’t have high financial value, the company and site are low profile, the web server and applications are patched and configured correctly, and the site coding is solid.
The potential for loss due to attack is higher if the company holds financial assets such as credit card data, intellectual property, or identity information; if the web site content is controversial or high profile; or if the servers, applications, and site code are complex, old, or maintained by an underfunded or outsourced IT department.
Web Security Risk – What, Me Worried?
If a company has assets of importance, or its network contains materials significant enough to be in the public spotlight, then its web security will most likely be tested, intensively.
It’s well known that complicated software creates security issues. The number of bugs that could create web security issues is directly proportional to the size and complexity of the web applications and the services running on the web server. Basically, all complex programs have bugs or, at the very least, weaknesses. Web servers are inherently complex programs, and with web sites intentionally inviting more interaction with the public, the chance of there being a vulnerability grows almost exponentially.
Technically, the programming that increases visitor interaction also allows more applications and SQL commands to be executed on the web and database servers. Any web-based form or script installed at the site may have weaknesses that present a web security risk. The balance between allowing website visitors all the access they need for complex interaction and keeping unwanted input out of the network is a delicate one.
Web security issues are faced by site visitors as well. A common web site attack involves the silent and concealed installation of code that will exploit the browsers of all future visitors. At any one time, there are thousands of websites out there that have been compromised without the knowledge of the site owners and that are each putting their visitors at risk.
Web Server Security
The world’s most secure web server is the one that has been turned off. Bare-bones web servers that have few open ports and few services running on those ports are the most secure. But that is not an option for most web sites. Powerful and flexible applications are required to run complex sites and these call for many layers of applications and services and are naturally more vulnerable to web security issues.
Any system with multiple open ports, many services running, and multiple scripting languages is vulnerable simply because it has so many points of entry to monitor.
If a host operating system has been correctly configured and the IT staff has been punctual about applying security patches and updates, then the risks are minimized. The applications that are running the site also require frequent updates.
Web Site Code and Web Security
The purpose of a site is to provide an open and welcoming communication channel to its visitors.
The web site visitor who takes some action on the site is effectively sending a command to or through a web server, often to a database. With each communication, such as through a form or a search field, correctly written code will allow only a very narrow range of commands or information to pass through. This is ideal for web security. But ideal, tight limitations defined in site code are not automatic. Site code written with security in mind requires well-trained programmers and a good deal of time to write, so that the site allows expected data to pass and filters out all potentially harmful data.
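To make the "very narrow range" concrete, here is an added example (not code from the original post) of a catalogue search box handled two ways. The unsafe form splices the visitor's term into the SQL text, so even a legitimate apostrophe is parsed as part of the command; the hardened form first checks the term against an allow-list of the characters a product search actually needs, then binds it as a parameter so the database only ever sees it as data. The product table, the search-term pattern and the `www.example`-style names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample catalogue (not from the original post).
SAMPLE_PRODUCTS = [
    ("widget", 9.99),
    ("gadget", 14.50),
    ("widget-pro", 19.99),
]

# Allow-list: the narrow form a product search legitimately needs.
# Starts with a letter or digit, then up to 39 more letters, digits, spaces, '_' or '-'.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,39}$")


def open_catalogue():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def unsafe_search(conn, term):
    """The pattern to avoid: the term becomes part of the statement text, so the
    SQL parser treats visitor input as command rather than data. A term such as
    "widget's" already breaks the statement, which is the tell-tale sign."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def validate_search_term(term):
    """Accept only what a search field needs; anything else never reaches SQL."""
    if not isinstance(term, str):
        raise ValueError("search term must be a string")
    if not SEARCH_TERM_RE.fullmatch(term):
        raise ValueError("search term contains characters outside the allow-list")
    return term


def escape_like(term):
    """LIKE's own wildcards ('%' and '_') are data here, not operators."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_products(conn, term):
    """Hardened form: allow-list check, then a bound parameter with LIKE wildcards
    escaped, so the visitor's term can only ever narrow the result set."""
    term = validate_search_term(term)
    pattern = "%" + escape_like(term) + "%"
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    db = open_catalogue()
    print(search_products(db, "widget"))      # two matching rows
    print(search_products(db, "widget_pro"))  # [] : '_' is matched literally, not as a wildcard
    try:
        search_products(db, "' OR 1=1 --")
    except ValueError as exc:
        print("rejected before any SQL was built:", exc)
```

Note that the allow-list check happens before the query exists at all, which is the property the paragraph describes: the site decides up front what it expects and drops everything else, rather than trying to recognise every harmful input after the fact.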
And there lies the problem. Coding on any given site has often come from a variety of programmers, some of whom work for third party vendors over a period of years. Sometimes the code libraries used are very old. The site might be running software from half a dozen sources. And when changes are made later, the new code can open the site to vulnerabilities.
Many servers have accumulated applications, packages, libraries, etc. that are no longer in active use but are running in the background. This hidden code is not easy to find and may not have been patched or updated for years and it may be exactly what a hacker is looking for!
Web Security Using a Web Site Security Audit
The best defense against an attack on a web site is to run current, patched applications that have been coded well and are then regularly scanned.
Web site security audit providers have been accumulating known web site issues for many years and have compiled databases of security vulnerabilities. Each vulnerability is a known combination of web site weaknesses and by examining a server for the specific open port, available service and/or code, it is not hard to determine if a server is vulnerable to attack.
In a matter of hours, a web site scanning company can run its entire database of thousands of web vulnerabilities on every dynamic page and can report on which vulnerabilities are present and confirm the thousands that are not. Armed with this important data, the IT administrator can address the proven web security vulnerabilities and fix the security holes.
These scans can be conducted on a regular basis to catch new vulnerabilities as they become known or to spot new unsecured code. Also, if a new port has been opened or a new service has been loaded, the scan will raise a notification, offering preemptive prevention against threats.
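The notification step above (a new port opened, a new service loaded, or a service changed since the last clean scan) is the part an administrator can reproduce locally between vendor scans. The following added example, which is not code from the original post or from any scanning product, parses two constructed scan listings in a simple one-listener-per-line format, diffs the current listing against a hardened baseline, and flags any listener whose service is not on the short allow-list a bare-bones web server should expose. The host name, ports, service and version strings are all constructed.

```python
from collections import namedtuple

# Constructed scan listings (not from the post). Format, one exposed listener per line:
#   host port/proto service version
# Blank lines and '#' comments are ignored.
BASELINE_SCAN = """\
# baseline captured right after the server was hardened
www.example.test 80/tcp  http  webserver-1.2
www.example.test 443/tcp https webserver-1.2
"""

CURRENT_SCAN = """\
www.example.test 80/tcp   http       webserver-1.2
www.example.test 443/tcp  https      webserver-1.3
www.example.test 8080/tcp http-proxy devproxy-0.9
"""

Listener = namedtuple("Listener", "host port proto")


def parse_scan(text):
    """Turn a listing into {Listener: (service, version)}; malformed lines are errors,
    not silently skipped, so a broken scan cannot masquerade as a clean one."""
    inventory = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        host, port_proto, service, version = parts
        port_s, _, proto = port_proto.partition("/")
        if not port_s.isdigit() or proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: bad port/proto {port_proto!r}")
        inventory[Listener(host, int(port_s), proto)] = (service, version)
    return inventory


def diff_inventory(baseline, current):
    """Report listeners that appeared, disappeared, or changed service/version."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "closed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def unexpected_services(current, allowed_services):
    """Listeners running something outside the expected service allow-list."""
    return sorted(k for k, (svc, _) in current.items() if svc not in allowed_services)


def notifications(baseline_text, current_text, allowed_services=("http", "https")):
    """Human-readable lines an administrator would want after each scan."""
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    delta = diff_inventory(baseline, current)
    lines = []
    for k in delta["new"]:
        lines.append(f"NEW listener {k.host}:{k.port}/{k.proto} -> {current[k][0]} {current[k][1]}")
    for k in delta["closed"]:
        lines.append(f"CLOSED listener {k.host}:{k.port}/{k.proto}")
    for k in delta["changed"]:
        lines.append(f"CHANGED {k.host}:{k.port}/{k.proto}: {baseline[k]} -> {current[k]}")
    for k in unexpected_services(current, set(allowed_services)):
        lines.append(f"UNEXPECTED service {current[k][0]} on {k.host}:{k.port}/{k.proto}")
    return lines


if __name__ == "__main__":
    for line in notifications(BASELINE_SCAN, CURRENT_SCAN):
        print(line)
```

Running it against the constructed listings reports the new 8080/tcp listener twice (once as new, once as an unexpected service), the version change on 443/tcp, and nothing for 80/tcp. A version change is worth its own line because it is exactly the event that makes a previously clean scan result stale.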
In a complex and large web application that gets new material daily, daily web scanning may be the ONLY way to ensure that none of the many changes made to site code can create an opening. Prevention is the key, and while nothing can guarantee a complete defense against malware, hacks, and/or internet viruses, one can still have the peace of mind of knowing that there is a solution, and it’s not hard to put into place.
About the Author – Brian Pearce has 8 years’ experience in Security and over 25 years of experience in Operations and Marketing in technology, internet retail, and franchising. In addition to positions with Memorex and Intel he was a co-owner of an international franchise network, a principal hire in a string of successful new business ventures and a founding partner of one of the first Internet advertising agencies that served Microsoft and dozens of dot.com startups in the San Francisco area. He is currently the COO and CMO of Beyond Security, a leading developer of Vulnerability Management solutions for networks, and Black Box (DAST) and White Box (SAST) testing solutions for certification centers and application developers.