Aren’t you excited about acquiring your new web application? You’ve just finalized the QA phase of the app and it’s ready to deploy into production. All teams are ready and anxious. However, many people don’t consider some of the major threats lurking on the web, one of which is website security.
Website security in 2017 doesn’t only cover securing the pages within the site; it also means preventing unauthorized access to files and data. Web threats cover a wide gamut, ranging from:
1. Denial of Service attacks
2. SQL Injection
3. Cross-site scripting
4. Phishing
5. Brute force
6. Social engineering
Once these attacks occur they not only cause headaches; the resulting downtime can lead to loss of online revenue, reduced customer retention, a damaged reputation, stakeholder defamation, and the list continues. This puts strain on the business to implement business continuity strategies to reduce the impact of these issues. However, before we experience these consequences, we can implement strategies to prevent them. Here are some strategies:
Authentication and authorization are typically the first layer of defense. This is about validating the users who visit sections of your site/app and ensuring they can only access and manipulate the sections those users are authorized for. There are many ways to go about this, whether a localized membership/authentication store, OAuth (Open authentication) using Google, Facebook etc., Active Directory (typically seen in Microsoft-based environments) or LDAP (lightweight AD).
Using a secure protocol such as HTTPS provides security over the internet. It is a guarantee that users are communicating with legitimate servers and that no intrusion can occur on the communication channel. This is an essential approach to avoid snooping and cookie-injection attacks.
SSL is a standardized method of encrypting the channel between the client browser and the web server. This procedure preserves the integrity of the data in each request and response to and from the server. There are several tiers of SSL, each providing a higher level of security than the one below it.
SQL is the means of reading and writing data to tables within the database. However, these tables are often compromised by malicious SQL scripts that aim to manipulate unauthorized data. It is therefore suggested to use parameterized values for data passed into a SQL script. This is a more cautious approach than concatenating SQL scripts, which facilitates injection and adds vulnerability to your database tables.
Ensuring password complexity is an essential approach to improving website/web-app security. Although we don’t like to admit it, simple and easily guessed passwords are a significant way for website hackers to penetrate a web app. It is therefore recommended to establish a required length and a required combination of characters (alphanumeric, uppercase and lowercase letters, or mixed). Some developers even establish two-tier validation, which involves requesting a password as well as a secret question and answer.
File uploads are a factor that is taken for granted, and they are a primary way for malicious users to upload files containing Trojans to your web server. Ensure that you establish a list of accepted file types that can be uploaded without compromising the safety of the web server. In some cases uploads are avoided altogether and an FTP server is used instead.
Cross-site scripting (XSS) is a way that malicious hackers harm your website/app by modifying the behavior of the page. This is done by manipulating the JavaScript code that controls certain events on the site. Hackers can manipulate page information and steal information from a person who inputs data into a form, etc. This can be done either by recreating a whole new page or by adding a new section to an existing page. While there are best practices on how to write robust JavaScript code, there are also toolboxes that help prevent these XSS occurrences.
Sometimes the simplest way to reduce web security threats is to educate users on best practices for interacting with your app. Approaches differ depending on the environment: a corporate environment typically has a training team that provides guidance to users of the software, whereas websites/apps available to the public do not. In the latter case you can simply guide your users by providing easily understandable instructions on a form, for example “Use alphanumeric (A-z!@#$) characters when entering passwords”.
Depending on your organization, you may need to keep a log of all user transactions that occur on the site. This involves setting up an audit log to record these transactions and allow them to be easily retrieved at any time.
In the IT business, failures and disruptions are inevitable. It therefore becomes necessary to have a backup plan, or even TWO. With this strategy in mind, business continuity is enhanced and system downtime is reduced. This makes your life so much easier in the future.
Thanks for reading.