
How to build more security into your website PLUS free checklist

Author: Sonu Rathore | Categories: Websites, Information Security, Website Security

According to the 2015 Sophos Security Threat Report, on average 30,000 websites are hacked every day. Cyber hackers look at multiple channels and ways of stealing information from your website by infiltrating your infrastructure or even getting information through social channels.

Protecting your site is a complex challenge: it ranges from building a secure platform to ensuring that all contributors and content editors are aware of the risks and follow the controls that minimise them.

When it comes to making your website as secure as possible, we recommend you establish a good foundation of policies, processes, applications, tools, infrastructure, awareness, and training. Sound complicated? Each of these falls into one of three key areas:

  • Policies & Infrastructure
  • Application Security
  • Training on Security

Let's look at each of these areas in turn.

1. Policies & Infrastructure

Website Security Framework Checklist

As infrastructure grows, more organizations adopt cloud computing and more integration points are introduced, so there are ever more aspects to manage. While building your security framework, examine your infrastructure for each of the areas below and review or write a policy for each.

  • Network Security – Invest in a good firewall and update it regularly to stay protected

  • Server Security – Set-up Authentication and Authorization

  • Physical Security of data centers – Build in permission levels with additional access control

  • Mobile Security – Manage which mobile devices may access applications, and how

  • Access Control and Authorization – Single Sign on and SSL Integration

  • Password management – One of the most common vulnerabilities, ensure you have a robust policy and use encryption

  • Cryptographic Controls – Key management, how to manage keys for encryption

"If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology"
- Bruce Schneier

2. Application Security

Hackers, scammers and bots are attacking the Internet, trying to disrupt services or steal data. More than 50% of all successful data breaches involve applications running on the web. Why? Research shows that fewer than 10% of organizations take care of security processes and reviews while building applications, and very few organizations use security testing tools or third-party testing to evaluate vulnerabilities in their web applications.

This means that if your company is using or building its own application – in particular an ‘agile’ or minimum viable product (MVP) – your whole web infrastructure could be exposed, because hackers often target application vulnerabilities.

OWASP (the Open Web Application Security Project) rates the Top 10 vulnerabilities as:


We’ve broken down each of these threats with an explanation of the risks involved and how you can mitigate them.

Top Website Threats And How To Protect Against Them

a) Cross Site Scripting (XSS)

The main threat of XSS is that cyber hackers could steal user sessions, deface websites, or even introduce worms. This flaw is due to improper validation of data supplied by the user: if an application takes user data and sends it to a browser without validating or encoding it, content security could be breached.
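The following is an added example, not code from the original article, showing the encoding step the paragraph describes. It assumes a Python application that builds HTML from user-supplied strings; the comment text is constructed for the example. Note that the correct encoding depends on where the data lands (element body, attribute, or URL), which is why three helpers are shown rather than one.

```python
import html
import urllib.parse

# Constructed sample input: a comment containing markup, as a user might submit it
UNTRUSTED_COMMENT = '<img src=x onerror="alert(1)">'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user-supplied text is inserted into the HTML unchanged."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the text for the element-content context."""
    return f'<p class="comment">{html.escape(comment)}</p>'


def safe_attribute(value: str) -> str:
    """Attribute context: quote=True also encodes " and ' so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """URL context: encoding alone is not enough, because a javascript: URL contains no
    special characters. Allow only http(s) schemes, then attribute-encode the result."""
    if urllib.parse.urlparse(url.strip()).scheme not in ("http", "https"):
        return "#"
    return safe_attribute(url)


def render_profile_link(display_name: str, profile_url: str) -> str:
    """Each piece of user data is encoded for the exact context it is placed in."""
    return (f'<a href="{safe_href(profile_url)}" title="{safe_attribute(display_name)}">'
            f'{html.escape(display_name)}</a>')


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(render_profile_link('Bob "the" Builder', "javascript:alert(1)"))
```

In a real application the same encoding should be applied by the template engine automatically (most modern engines escape by default); the point of the example is that the encoding happens at output time and is chosen per context.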

b) Malicious File Execution

Code that is vulnerable to Remote File Inclusion (RFI) could allow attackers to add hostile data and code to your website. This would result in any number of attacks. These attacks can affect XML, PHP or any framework that accepts files or filenames from users.

c) Injection Flaws

The potential threat with this flaw is that an attacker could trick the application into executing unintended commands or changing system data.

Injection flaws, particularly SQL injection, are very common in web applications. Injection occurs when user data is sent as part of a command or query.
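As an added example (not part of the original article), here is the difference between splicing user data into a query and binding it as a parameter, using an in-memory SQLite table constructed for the purpose. The assumption is a Python application using the standard `sqlite3` module; the same distinction applies to every database driver.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("carol", "viewer")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so quotes inside it become SQL syntax.
    A name such as o'neil breaks the query, and crafted input changes its meaning entirely."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_db()
    print(find_user_safe(db, "alice"))        # ['alice']
    print(find_user_safe(db, "x' OR '1'='1"))  # [] : the whole string is compared as a name
```

The parameterised version returns nothing for the crafted string because the database compares it literally against the username column; the concatenated version returns every row. Parameterised queries (or an ORM that uses them) are the fix; escaping by hand is error-prone and should be treated as a last resort.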

d) IDOR-Insecure Direct Object Reference

This flaw occurs when a developer exposes a reference to an internal object, such as a file, directory, database record or key, as a URL or form parameter without checking that the current user is entitled to it. The threat is that an attacker could change the reference and access other users' data or perform operations on their records.
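An added example, not from the original article, of the missing check and two ways to supply it. It assumes a Python request handler that receives an invoice id from the URL and knows the logged-in user; the invoice records are constructed sample data.

```python
import secrets

# Constructed sample data: invoices belonging to different customers
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
    103: {"owner": "alice", "amount": 18.25},
}


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours', so responses do not reveal which ids exist."""


def get_invoice_unsafe(invoice_id: int, current_user: str) -> dict:
    """Vulnerable: trusts the id from the URL and never checks who owns the record."""
    return INVOICES[invoice_id]


def get_invoice_safe(invoice_id: int, current_user: str) -> dict:
    """Hardened: the ownership check happens on every access, server side."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        raise Forbidden()
    return invoice


def indirect_references(current_user: str) -> dict:
    """Alternative: hand the client random per-session handles instead of database keys,
    so it never learns (or can guess) the real ids. Returns handle -> invoice id."""
    return {secrets.token_urlsafe(8): invoice_id
            for invoice_id, inv in INVOICES.items() if inv["owner"] == current_user}


def resolve_reference(handles: dict, handle: str, current_user: str) -> dict:
    """Map a handle back to a record; the ownership check is still applied as defence in depth."""
    invoice_id = handles.get(handle)
    if invoice_id is None:
        raise Forbidden()
    return get_invoice_safe(invoice_id, current_user)


if __name__ == "__main__":
    print(get_invoice_unsafe(102, "alice"))   # bob's invoice is returned to alice
    try:
        get_invoice_safe(102, "alice")
    except Forbidden:
        print("alice cannot read invoice 102")
```

The direct fix (check ownership on every access) is the one to apply everywhere; indirect references are an additional layer that also stops enumeration of sequential ids.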

e) CSRF -Cross Site Request Forgery

CSRF can be as powerful as the web application that it attacks. This flaw might force a logged-in victim's browser to send a pre-authenticated request to a vulnerable application, which then performs a hostile action for the benefit of the attacker.
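An added example (not from the original article) of the usual defence, the synchronizer token pattern, together with an Origin header check. It assumes a Python application with server-side sessions; the site origin and form fields are constructed for the example.

```python
import hmac
import secrets

# Origin the application is served from (constructed for the example)
SITE_ORIGIN = "https://shop.example"


class Session:
    """Server-side session; the CSRF token lives here, where another site's page cannot read it."""
    def __init__(self, user: str = "alice") -> None:
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """Synchronizer token pattern: the per-session token is embedded in every state-changing form."""
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            f'<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(session: Session, headers: dict, form: dict) -> tuple:
    """Reject the request unless the Origin header (when present) and the token both match."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot trigger a TypeError
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']} for {session.user}"


if __name__ == "__main__":
    s = Session()
    print(handle_transfer(s, {"Origin": "https://attacker.example"}, {"to": "x", "amount": "1"}))
    print(handle_transfer(s, {"Origin": SITE_ORIGIN},
                          {"to": "bob", "amount": "5", "csrf_token": s.csrf_token}))
```

A forged request from another site cannot include the token, because the attacker's page never sees the form that carries it, and browsers attach the Origin header to cross-site POSTs. Setting the session cookie with `SameSite=Lax` or `Strict` adds a further layer.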

f) ILIEH-Information Leakage and Improper Error Handling

With an ILIEH flaw attackers can steal sensitive data or conduct more serious attacks on a web application. Applications can unintentionally provide information about their configuration, about internal workings, or can violate privacy through a number of application problems.

g) BASM-Broken Authentication and Session Management

This happens when session tokens and account credentials are not protected. Attackers who compromise keys, passwords or authentication tokens can impersonate other users and exploit their accounts.
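The following is an added example, not the article's own code, of what protecting a session token looks like in practice: an unguessable id from the operating system's random generator, an expiry, a fresh id after login, and cookie flags that keep the token off plain HTTP and away from scripts. It assumes a Python application that keeps session state on the server; the timeout value is an assumption.

```python
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 30 * 60   # assumed idle timeout


class SessionStore:
    """Server-side session store; the cookie carries only a random id, never user data."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter or a hash of the username
        self._sessions[session_id] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del self._sessions[session_id]
            return None
        return entry["user"]

    def rotate(self, old_session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh id after login or a privilege change, so an id planted before
        authentication (session fixation) is worthless."""
        entry = self._sessions.pop(old_session_id, None)
        if entry is None:
            return None
        return self.create(entry["user"], now)

    def destroy(self, session_id: str) -> None:
        """Logout must invalidate the server-side entry, not just clear the cookie."""
        self._sessions.pop(session_id, None)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite (CSRF layer)."""
    return (f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/; "
            f"Max-Age={SESSION_TTL_SECONDS}")
```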

h) ICS-Insecure Cryptographic Storage

This defect is due to web applications not using cryptographic functions to protect credentials and data. The threat comes when attackers use poorly protected data to conduct identity theft and other crimes, like credit card fraud.

i) IC-Insecure Communications

This is due to a failure to encrypt network traffic to protect all sensitive communications. It's then possible for sensitive information to leak out over the network communication infrastructure.

j) FRUA-Failure to Restrict URL Access

This occurs when applications protect sensitive functionality only by hiding the links or URLs from unauthorized users. It gives attackers the opportunity to perform unauthorized operations by requesting those URLs directly, bypassing the intended navigation flow.

Prevention is better than cure: 10 Ways to Build Website Security

1. Data Encryption

The word “encryption” is used as a synonym for secure solutions, yet the number of stolen and deciphered credit card numbers grows every year. The important questions are therefore which encryption technique to use and, above all, how to implement it properly.

2. HTTPS

Use the SSL/TLS protocol to encrypt the HTTP connection (HTTPS) and so reduce the risk of data being intercepted in transit.

3. Buffer overflow management

Input validation performed by developers should take the expected constraints into account and check every input for type, length, format and range. Code should be reviewed to ensure that data passed to unmanaged APIs has been validated first.
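The following is an added example, not code from the original article, of validating each field for the four properties the paragraph lists. It assumes a Python web handler receiving a registration form; the schema and field names are constructed for the example. Length is checked before anything else because in memory-unsafe code, or before data is handed to an unmanaged API, the length bound is what prevents an overflow.

```python
import re

# Constructed schema describing the only fields a registration form accepts
SCHEMA = {
    "username": {"type": "str", "min_len": 3, "max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    "age": {"type": "int", "min": 0, "max": 150},
    "email": {"type": "str", "min_len": 3, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
}


def validate(data: dict, schema: dict = SCHEMA) -> list:
    """Return a list of problems; an empty list means every field passed type, length,
    format and range. Unknown fields are rejected too (allow-list, not block-list)."""
    errors = [f"{field}: unexpected field" for field in data if field not in schema]
    for field, rules in schema.items():
        if field not in data:
            errors.append(f"{field}: missing")
            continue
        value = data[field]
        if rules["type"] == "int":
            # Type: accept ints or digit strings, but not booleans or floats
            if isinstance(value, bool) or not isinstance(value, (int, str)):
                errors.append(f"{field}: wrong type")
                continue
            try:
                number = int(str(value).strip())
            except ValueError:
                errors.append(f"{field}: not an integer")
                continue
            if not rules["min"] <= number <= rules["max"]:   # Range
                errors.append(f"{field}: out of range")
        else:
            if not isinstance(value, str):
                errors.append(f"{field}: wrong type")
                continue
            if not rules["min_len"] <= len(value) <= rules["max_len"]:   # Length, before format
                errors.append(f"{field}: bad length")
                continue
            if not re.fullmatch(rules["pattern"], value):   # Format: anchored allow-list pattern
                errors.append(f"{field}: bad format")
    return errors


if __name__ == "__main__":
    print(validate({"username": "alice_1", "age": 34, "email": "a@b.co"}))   # []
    print(validate({"username": "ab", "age": "200", "email": "nope"}))
```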

4. Authentication and Password Management

Cracking passwords is the easiest way for hackers to get into any system. Use strong passwords with a complex mix of upper and lower case letters, symbols and numbers. And update these regularly. Implement a rigorous policy to prevent people saving passwords on browsers and applications.

5. Authorization (Role based security)

This is one of the most important aspects of website security. Sensitive data in configuration files and databases should be stored using standard encryption. Role-based security should be built up from low to high privileges, granting each role only what it needs.

6. Protection of Data

All stored data should be fully encrypted, and the encryption key must be entered by the user each time rather than stored on the device. Keep in mind what data you actually need to store: the less you store, the less you have to protect.

7. Encryption keys protection

It's not enough to rely on standard platforms, like Android's Shared Preferences file or iOS' Keychain, to protect encryption keys. Explore the possibility of storing the key, or any other sensitive information, off the device to remove any possibility of hacking.

8. Exception Management

Developers often take shortcuts in managing exceptions. Ensure that exception handling is used throughout the application’s code base, that thorough validation is applied to all input data, and that the error messages returned to users are logged internally but generic and harmless to the user.

9. Logging

Make sure there is no confidential information in the log files generated. The best solution is to generate separate logs for debugging and release builds.
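The following is an added example, not code from the original article, that covers three of the points above at once: information leakage through error messages (f), exception management (8) and logging (9). It assumes a Python request handler; the `charge_card` function, the list of sensitive field names and the request parameters are constructed for the example.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Field names whose values must never reach a log file (constructed list)
SENSITIVE_FIELDS = {"password", "token", "card_number", "cvv"}


class MemoryHandler(logging.Handler):
    """Collects log lines in memory so the example can show what was recorded."""
    def __init__(self) -> None:
        super().__init__()
        self.records = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


log_sink = MemoryHandler()
logger.addHandler(log_sink)
logger.setLevel(logging.ERROR)


def redact(params: dict) -> dict:
    """Mask secrets before they reach any log file."""
    return {k: ("***" if k.lower() in SENSITIVE_FIELDS else v) for k, v in params.items()}


def charge_card(params: dict) -> dict:
    """Constructed handler standing in for real business logic; fails on bad input."""
    amount = float(params["amount"])   # raises on a missing or non-numeric amount
    if amount <= 0:
        raise ValueError("amount must be positive")
    return {"status": "charged", "amount": amount}


def handle_request(handler, params: dict) -> tuple:
    """Wrap every handler: the full traceback and redacted parameters go to the log,
    while the user sees only a generic message and an incident id for support to look up."""
    try:
        return 200, handler(params)
    except Exception:
        incident_id = uuid.uuid4().hex
        logger.error("incident %s params=%s\n%s", incident_id, redact(params),
                     traceback.format_exc())
        return 500, {"error": "An internal error occurred.", "incident_id": incident_id}


if __name__ == "__main__":
    print(handle_request(charge_card, {"amount": "abc", "card_number": "4111111111111111"}))
    print(log_sink.records[-1])
```

The incident id ties the user-visible message to the detailed log entry without exposing stack traces, file paths or database errors to the browser, and the redaction step keeps card numbers and passwords out of the logs that support staff and log shippers can read.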

10. Remote wipe

Remote wipe is a useful and effective technique for data protection. The official OWASP checklist explains how to do it.

3. Training and Awareness

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.” – Kevin Mitnick

At the end of the day, the biggest risk in any organization is not a technology weakness; it’s people. The IT department can build a robust security framework, but if other employees – in particular editors, publishers, marketers and so on – are not aware of the vulnerabilities, they can inadvertently leave you exposed.

For example, cyber hackers typically work to get one user’s credentials, then work through the organization’s infrastructure to gain control. You may have a rigorous policy in place to prevent this but you will need to communicate and raise awareness via training.

The typical content of this training could include:

  • Organization Security Policies – why the rules exist (they’re not just there to make people's jobs harder)

  • Incident Management – how to report a security incident such as a lost phone, or a virus, and who to report it to

  • Password Management – it’s imperative you explain the need for strong passwords

  • How to avoid malicious software, spyware, malware – what it typically looks like, including bogus emails and dodgy file extensions

  • Secure browsing practices – what are safe sites, when is it OK or not OK to download files

  • Mobile device security practices including BYOD – even though it’s their own device, if they’re accessing company applications and services then they need to comply with security requirements

  • Secure use of social media

  • Access Control

  • Physical Security

  • IPR, Copyright

For more details, check out our ebook on Website Security.