security

Websites and security, what you should be asking your developer

By Vicki Ball

Every website and application has vulnerabilities, and each of these vulnerabilities can expose your site or business to harm- be it through the loss of valuable data or damage to your company’s reputation if the exposure becomes public.


Generally speaking, website and hosted application vulnerabilities fit into two categories: security and availability.

Security vulnerabilities introduce the possibility of public exposure of sensitive data, either through deliberate or accidental means. Loss of availability can mean either permanent loss of data, or the temporary loss of service, i.e. the website is unable to be accessed.

Both kinds of vulnerabilities pose a risk to your business. In particular a security breach or an extended loss of availability could damage your company’s reputation or violate your clients’ privacy. The loss of data (either through theft or equipment failure) can also be detrimental and result in loss of business and damage to your company’s reputation.

Below we’ll explore the various vulnerabilities and issues your website can be exposed to, and what questions you should be asking your developer to ensure that they are being addressed. It’s not an exhaustive list, but it’s a strong place to start…

Security vulnerabilities

Security vulnerabilities can be physical (i.e. physical theft or breach of systems), or can involve the compromise of data or communications.

Physical security

Physical security relates to protection of the servers and components that host and support your website or application.

Physical security is important to ensure that only authorised personnel can access this equipment for approved purposes.

What to ask:

  • Where are your servers physically located?
  • What security systems are in place to protect them?

Data security

Data is the client and business data stored in databases and file systems. Data security involves not only access protocols (how the data is accessed), but also how the data is stored, i.e. encryption.

What to ask:

  • Is there a strict policy relating to password protecting all the systems and resources? Are both database and file system access protected by the use of strong passwords?
  • Is sensitive data, such as user passwords, stored in encrypted format using strong encryption algorithms?
  • Is sensitive data stripped out of log files, error reports and system support emails to protect the privacy of my business and customers?

Secure communications

When you or your clients access your website they are communicating with the application systems. Each time a user logs in, loads a webpage, fills out a form or clicks a link, information flows between the user and the web server.

While there is some level of standard security applied to these communications, they can be vulnerable to “eavesdropping”, i.e. when a third party intercepts these communications in order to discover passwords or other sensitive information. This vulnerability can be addressed by encrypting communications via https, a secure http protocol.

Another form of communication is when developers or support staff need to access the systems hosting your application.

What to ask:

  • Does my site need an SSL certificate and use of https?
  • If you access my website system and resources remotely, do you always use secure protocols such as ssh and scp?

Application level security

As well securing system infrastructure and communications, security policies can be extended to the application itself. These might include: implementing a password policy (such as requiring users select “strong” passwords that conform to certain rules), session timeouts that automatically log out inactive users, no sensitive information being stored in cookies, implementation of a security model that has well-defined user roles and access privileges.

What to ask:

  • If my website has user accounts, do we enforce a password policy?
  • What information is stored in cookies?
  • What features of my website’s security model help prevent unauthorised access?

Availability and service reliability

A web application is made up of several components: the application source code, the databases that store and retrieve data, the web services that serve the application via the internet, and the equipment that hosts these programs.

The equipment requires a specialised environment to maximise running efficiency, reduce the risk of breakdown and provide system redundancies so that a continuous high quality service can be maintained.

What to ask:

  • Does the machine my website is hosted on have redundancy systems such as RAID?
  • What is the machine’s bandwidth capacity? Are there any redundancy systems in place?
  • How has the environment been customised for these machines?
  • Are these machines monitored 24/7/365?

In the case of hardware failure or permanent loss or corruption of data, backups are required. Backups should be made of both data and source code so that the system can be quickly restored in case of a serious loss or failure.

What to ask:

  • Are there backups made of my website and data?
  • How often are these made, how long are they kept and where are they stored?
  • Do you keep backups of the source code as well?

Another important aspect of service availability is monitoring of the application so that those supporting the application can be made aware of any issues and take appropriate action. Monitoring should cover issues such as availability, performance and errors.

What to ask:

  • Do you monitor my website?
  • What aspects do you monitor- availability, performance and errors?
  • How soon will you know if something is wrong?
  • How will you respond?
| More
All tags

The Hypothetical Blog: Stark Raving Sane

April 05 Icons, icons and icons!

Building any kind of web interface, particularly one that requires any kind of human interactivity, will at some time utilise icons. Whether they be on buttons, used in headings, or tabs or panels, icons are like little visual pieces of informative haiku: small, succint and should make you smile.

more »

What We're Reading

Railscasts

In our opinion, Ryan Bates is something of a Rails stevedore: since March of 2007 he’s been packaging and delivering Railscasts to the interwebs on a weekly basis.

Available through iTunes or via download on the Railscast website, each episode lasts between five and twenty minutes, with shownotes and additional resources also available on the website.

more »