Even though we all know that a secure and reliable website is crucial for building the image of a trustworthy company, it is common to neglect making sure that the produced software is well tested and properly secured. This probably comes from the urge to minimize time-to-market, or to introduce as many features as possible in the shortest time possible. It is important to note that securing software is a much broader matter than simply fixing bugs and eliminating vulnerabilities. It is a long-distance process that runs from the design phase, through development, until the very last phase – operation. One of the most important factors affecting security is the maturity of the software development processes used in the company. Everyone knows that security is important, but not everyone takes the measures necessary to make sure that the right level of security is actually achieved.
What about a static website?
The first and most important question is: what are the requirements for the website? If the company only needs an informational site, then there is no reason to build a complex, dynamic and, as a consequence, more vulnerable website. A static website does not allow interaction between users and the content, which minimizes the attack surface. It is also the cheapest solution: it is easy to set up and can be left as it is, without the obligation to maintain it, constantly check for security updates and perform the other mandatory upkeep a dynamic site requires. In other words, a static website gives you a limited set of functionalities, but it drastically reduces both the chance of being hacked and the amount of maintenance work. If the only need is to display information, and there is no requirement for people to comment, log in or manage the content of the website, this may be the best choice.
If, however, a dynamic website is needed, there are several basic things worth noting before thinking about how to secure it. We tend to imagine hackers as masterminds breaking into a website using advanced mathematical and engineering skills. This may have been true a few decades ago, but the reality today is quite different. Most ‘hackers’ are just ‘kiddies’ playing with freely available tools that discover vulnerabilities automatically. Usually the tool needs to have a graphical interface and be free and easy to use, since ‘script kiddies’, as they are called, are not technically advanced people. Even though this requires little knowledge, it can be dangerous for some websites. So the first and most basic security measure that everyone should take is simply to scan their own website with the same automated tools, to find the most critical bugs that need fixing. Even better is to use several tools, so that the website is protected against the most common attacks. Such an approach gives no certainty, but it definitely raises the level of security.
Best practices on web apps
One of the tools that allow automated vulnerability discovery is OWASP ZAP. The user only has to enter the address of the website and click start – as simple as that. But let’s not be fooled by the simplicity: the tool is powerful and can find potential vulnerabilities in a website using an extensive set of rules. It is not only recommended but practically required to run automated security tests to identify possible vulnerabilities in the web app being developed, especially bearing in mind that it costs no money and almost no time – everything is automatic (except, perhaps, the fixing part).
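As an added example (not code from the original article), the following script shows how the “enter the address and click start” step looks when it is automated in a build pipeline. It runs ZAP’s baseline scan from the official Docker image and turns the scan’s documented exit code into a deploy/no-deploy verdict. The target URL, the report file name and the blocking policy are assumptions chosen for the example; the Docker image name, the `zap-baseline.py` options and the exit-code meanings are taken from the ZAP documentation.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Run the OWASP ZAP baseline scan from the official Docker image against a
# site you operate, and turn its exit code into a CI verdict.
# Assumes: docker is installed; the target below is a placeholder.
# ZAP baseline scan exit codes (documented): 0 = no issues,
# 1 = at least one FAIL, 2 = WARNs only, 3 = the scan itself failed
# (for example the target could not be reached).

TARGET="${1:-http://localhost:8080}"   # placeholder target, assumed
REPORT="zap-baseline-report.html"      # report name, assumed

# Map the baseline scan exit status to a human-readable verdict.
zap_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail" ;;
    2) echo "warn" ;;
    3) echo "error" ;;
    *) echo "unknown" ;;
  esac
}

# Decide whether the pipeline should block the deployment.
# Policy (assumed for this example): block on FAIL and on scan errors,
# so a scan that silently could not reach the target never counts as a pass.
# Returns 0 (true) when the deployment should be blocked.
zap_should_block() {
  case "$(zap_verdict "$1")" in
    fail|error|unknown) return 0 ;;
    *) return 1 ;;
  esac
}

# -t: target URL; -r: HTML report written into the mounted working directory.
run_baseline_scan() {
  docker run --rm -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable \
    zap-baseline.py -t "$TARGET" -r "$REPORT"
}

# The scan only runs when explicitly requested, so the helper functions
# above can be sourced and reused without starting a container.
if [ "${ZAP_RUN:-0}" = "1" ]; then
  run_baseline_scan
  status=$?
  echo "ZAP baseline verdict: $(zap_verdict "$status") (exit $status)"
  if zap_should_block "$status"; then
    echo "Blocking deployment; review $REPORT"
    exit 1
  fi
fi
```

Run it as `ZAP_RUN=1 ./zap-gate.sh https://staging.example.invalid` from a pipeline step; the HTML report lands in the current directory. Treating exit code 3 as a block rather than a pass is the important design choice: a scanner that could not connect has tested nothing, and a pipeline that lets that through gives a false sense of security.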
Apart from checking for vulnerabilities, there are rules that need to be followed during the development process itself. The already mentioned OWASP Foundation publishes the well-known document “OWASP Top 10 Most Critical Web Application Security Risks”, which describes the most critical and most current security risks. It is very important to read it and absorb its message: it lays out essential security practices and shows how to avoid basic mistakes when building common application mechanisms (there are also similar documents covering other areas, such as mobile applications). Following the rules presented in the ‘OWASP Top 10’ allows developers to greatly improve the level of security.
Lastly, it is worth noting that there is no such thing as “absolute security”. We can only speak of “relative security”, meaning that we can always make the software more secure, but cost is always the limiting factor. In other words, we want to secure our application in such a way that the cost of compromising it is greater than the value of what we are trying to protect. Of course, this is not only about the real value of, for example, the data we store, but also about the revenue lost while a system is not operational (for example after a DoS attack). Some companies even run a “bug bounty” program (similar to the well-known bounty programs from the westerns), which rewards people for finding a vulnerability and reporting it to the company itself. Such programs are meant to encourage the community to do the right thing – report the bug instead of exploiting it. But the existence of such programs, and the fact that companies are usually proud of having them, only proves that no matter how much money we spend on securing the software, we have to acknowledge that something may always have been missed. We should always aim higher and never stop taking care of security.