- Web Application Security: Basics
Web application security can be overwhelming for website owners and web developers alike. The methods and tools available to hackers seem to multiply by the minute and you can hardly open a newspaper or turn on the news today without hearing about another major computer system breach. With so many threats out there, what can average small business owners do to protect themselves from hackers waiting to steal their user database or deface their homepage?
First and foremost, you should consider what happens if your system is breached and a hacker gains access to your database. The more information you store in your system, the more information will be available to an intruder. Therefore you should only store the minimum amount of information that your application needs to function. Make sure that your web application never stores sensitive information (such as passwords, credit card information or login credentials to third-party sites) in an unencrypted form, i.e. in English or as plain text. Consider using third-party systems to store this information if you're not confident you can secure it adequately. Examples of such systems are authorize.net and braintreepayments.com for credit card information, or Facebook Connect and Google OpenID for login credentials.
Once you have made sure that you are storing only the data that your application needs, you can begin to educate yourself on the different types of attacks to which your website is susceptible. These attacks include SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and session hijacking, among others. The sheer number of potential vulnerabilities can be daunting at first; however each attack has a corresponding safeguard, so education is your best defense. Ask your web host if they use a Web Application Firewall (WAF) such as ModSecurity, which can sometimes help stop attacks that your application might not be able to block. Note: A WAF should never be used as a substitute for a well-secured application.
Website owners should make sure their website hosting company regularly performs updates to all software (including database servers, server-side scripting languages, and web server software). Additionally, if your site runs open source software (such as Wordpress, Drupal, Joomla or OsCommerce), be sure that you or your web developer keep your software up-to-date with the latest security patches.
Finally, any security system is only as good as its weakest link. Make sure you choose strong passwords for any accounts that have access to sensitive data (strong passwords are long, contain combinations of letters, numbers and symbols, and don't exist in any dictionary). Make sure you have an SSL certificate if your site accepts or transmits sensitive information, and force users to use secure (https://) connections on any associated pages. In addition you should run regular checks on any computers that access your web applications for spyware and viruses.
There is no silver bullet for web security, but with a little bit of background education and some careful planning you can head off the majority of attacks before they affect you and minimize the impact of a breach should your defenses fail.