Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and website coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.
Websites and the servers that host them are vulnerable to attack, and so too are the networks that are connected to them. Security holes in sites created by human error or application vulnerabilities are a source of trouble for the entire enterprise.
Is Your Site and Network at Risk?
Web security is relative and has two components. The potential for serious attention by a seriously dangerous attacker is relatively low if network resources don’t have high financial value, the company and site is low profile, the web server and applications are patched and configured correctly, and the site coding is solid.
The potential for loss due to attack is higher if the company has financial assets like credit card intellectual property or identity information, the website content is controversial or high profile, the servers, applications and site code are complex, old or are maintained by an underfunded or outsourced IT department.
Web Security Risk – What, Me Worried?
If a company has assets of importance or its network contains materials that are significant enough to be in the public spotlight then most likely your web security will be tested, intensively.
It's well known that complicated software creates security issues. The number of bugs that could create web security issues is directly proportional to the size and complexity of the web applications and the services running on the web server. Basically, all complex programs either have bugs or at the very least, weaknesses. Web servers are inherently complex programs and with websites intentionally inviting more interaction with the public, the chances of there being a vulnerability grows almost exponentially.
Technically, the programming that increases visitor interaction, also allows more applications and SQL commands to be executed on the web and database servers. Any web-based form or script installed at the site may have weaknesses that will present a web security risk. The balance between allowing website visitors all the access they need for complex interaction, and keeping unwanted input out of the network is a delicate one.
Web security issues are faced by site visitors as well. A common website attack involves the silent and concealed installation of code that will exploit the browsers of all future visitors. At any one time there are thousands of websites out there that have been compromised without the knowledge of the site owners and that are each putting their visitors at risk.
Web Server Security
The world's most secure web server is the one that has been turned off. Bare-bones web servers that have few open ports and few services running on those ports are the most secure. But that is not an option for most websites. Powerful and flexible applications are required to run complex sites and these call for many layers of applications and services and are naturally more vulnerable to web security issues.
Any system with multiple open ports, many services running and multiple scripting languages is vulnerable simply because it has so many points of entry to monitor.
If a host operating system has been correctly configured and the IT staff has been punctual about applying security patches and updates, then the risks are minimized. The applications that are running the site also require frequent updates.
Website Code and Web Security
The purpose of a site to provide an open and welcoming communication channel to its visitors.
The website visitor who takes some action on the site is effectively sending a command to or through a web server, often to a database. With each communication, such as through a form or a search field, correctly written code will allow only a very narrow range of commands or information to pass through. This is ideal for web security. But ideal, tight limitations being defined in site code are not automatic. Site code written with security in mind requires well-trained programmers a good deal of time to write so that the site will allow expected data to pass and filter out all potentially harmful data.
And there lies the problem. Coding on any given site has often come from a variety of programmers, some of whom work for third party vendors over a period of years. Sometimes the code libraries used are very old. The site might be running software from half a dozen sources. And when changes are made later, the new code can open the site to vulnerabilities.
Many servers have accumulated applications, packages, libraries, etc. that are no longer in active use, but are running in the background. This hidden code is not easy to find and may not have been patched or updated for years and it may be exactly what a hacker is looking for!
Web Security Using a Website Security Audit
The best defense against an attack on a website is to run current, patched applications that have been coded well and then regularly scanned.
Web site security audit providers have been accumulating known website issues for many years and have compiled databases of security vulnerabilities. Each vulnerability is a known combination of web site weaknesses and by examining a server for the specific open port, available service and/or code, it is a not hard to determine if a server is vulnerable to attack.
In a matter of hours, a website scanning company can run its entire database of thousands of web vulnerabilities on every dynamic page and can report on which vulnerabilities are present and confirm the thousands that are not. Armed with this important data, the IT administrator can address the proven web security vulnerabilities and fix the security holes.
These scans can be conducted on a regular basis to catch new vulnerabilities as they become known or to spot new unsecure code. Also, if a new port has been opened or a new service has been loaded, a notification will be done, thus offering the preemptive prevention against threats.
In a complex and large web application that gets new material daily, a daily web scanning may be the ONLY way to ensure that none of the many changes made to site code can create an opening. Prevention is the key and while nothing can guarantee a complete defense against malware, hacks and/or internet viruses, one can still have the peace of mind knowing that there is a solution, and it’s not hard to put into place.