Security on the Web

Tuesday, March 15, 2016

Web security has two components, internal and public: the internal component is the network where your website or application is hosted, and the public component is any vulnerability in the code that your website or application is built with. Your security is high if you have limited network resources of financial value, your site isn’t controversial, your network is set up with tight permissions, your web server is patched up to date with all settings configured correctly, the applications on the web server are all patched and updated, and your web site is coded to high standards.

Your security is lower if your company holds credit card information, your content is controversial, or your servers, applications and code are complex or old and are maintained by an underfunded or outsourced IT department.

Poorly written software creates security issues. The bugs that could create web security issues are directly related to the complexity of your applications and server. All complex programs have bugs or weaknesses, and web servers are inherently complex programs. Web sites, by design, invite interaction with the public.

Technically, the very same programming that increases the value of a web site also allows scripts or SQL commands to be executed on your web and database servers in response to visitor requests. Any web-based form or script installed at your site may have bugs, and every one of them presents a security risk.

Contrary to common belief, the balance between allowing web site visitors some access to your resources through a web site and keeping unwanted visitors out of your network is delicate. There isn’t one setting; there is no single switch to throw that sets the security hurdle at the proper level. There are dozens of settings, if not hundreds, in a web server alone, and then each service, application and open port on the server adds another layer of settings. Then there is the web site code... you get the picture.

Now consider visitor permissions. The number of variables regarding web security rapidly grows.

Web visitors may also be faced with security issues. Common web site attacks involve the silent, concealed installation of code that exploits the browsers of your visitors; in these attacks your site is not the end target at all.

Powerful and flexible applications are required to run complex sites and these are inherently more subject to web security issues.

Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry.

If systems have been correctly configured and the IT staff has been diligent about applying patches and updates, your risks are mitigated. The applications you are using need to remain updated. In every place that interaction is possible you have a potential vulnerability. Web sites often invite visitors to:

At each opportunity to communicate, such as a form field, search field or blog, correctly written code will limit, format or cleanse the input to prevent attacks. This is ideal for web security. However, these limits are not automatic. Programmers spend a good deal of time writing code that allows all expected data to pass and disallows all unexpected or potentially harmful data.
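As an added illustration of that allow-the-expected, refuse-the-unexpected approach (example code written for this article, not from the original post), here is a small Python validator with per-field rules, plus a search that hands the visitor's term to the database as a parameter rather than as SQL text. The field names, rules and the in-memory table are assumptions made for the demonstration.

```python
import re
import sqlite3

# Per-field rules describing what is EXPECTED for each input (assumed for this
# demo). Anything outside a rule is refused rather than "repaired", so the
# allowed set is explicit and reviewable.
FIELD_RULES = {
    "email":   re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$"),
    "search":  re.compile(r"^[\w \-\.']{1,100}$"),        # words, spaces, a little punctuation
    "comment": re.compile(r"^[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,2000}$"),  # printable text, tab, newline
}


def validate(field, value):
    """Return (ok, cleaned_value). Unknown fields and unexpected data are refused."""
    rule = FIELD_RULES.get(field)
    if rule is None or not isinstance(value, str):
        return False, None
    value = value.strip()
    if not rule.fullmatch(value):
        return False, None
    return True, value


def search_posts(conn, term):
    """Search post titles: validate the term, then pass it as a bound parameter.

    Because the term travels as data and never as part of the SQL string,
    nothing the visitor types can become a command on the database server.
    """
    ok, term = validate("search", term)
    if not ok:
        return []
    rows = conn.execute(
        "SELECT title FROM posts WHERE title LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def demo_db():
    """Constructed in-memory table standing in for a real blog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)",
                     [("Patching web servers",), ("Hello world",)])
    return conn
```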

Code on your site can come from a variety of programmers, some of whom work for third-party vendors. Your site may be running software from half a dozen sources, and then your own site designer or developer has produced more code of their own, or revised another's code in ways that may have changed previously established web security limitations.

Many servers have accumulated applications that are no longer in use and with which nobody on your current staff is familiar. This code is often not easy to find, is about as valuable as an appendix, and has not been used, patched or updated for years - but it may be exactly what a hacker is looking for!