How to Secure Your Company's Website
You may recall reading articles about how the website of a prominent
politician has been 'hacked' from outside and the site's content altered
to ridicule the person. Or about how a government body's website has
been sprinkled with pornographic images. And more than just once the
credit card details of a firm's customers have been stolen by criminals
hacking into its website. These attacks happen more often than most of
us realize, and it can certainly happen to your firm's website as well.
Unfortunately most websites have been designed for their 'look and feel'
first, with security considered late or not at all. In software development
that is an open invitation to weaknesses that a skilled attacker can
exploit.
There are steps you can take that will minimize the risks of this
happening, but it must be remembered that no defenses are foolproof; if
it can happen to some of the best-protected websites in the world it can
happen to anybody’s, including yours.
What Protection Do You Now Have?
Most firms have some form of password protection on their sites to
prevent unwanted people from gaining access to the information on them.
Are passwords stored as salted, deliberately slow hashes rather than in
plain text or in reversibly 'encrypted' form, and are they only ever sent
over an encrypted (HTTPS) connection? How sound is your system for
authenticating visitors to your site, and have you done all you can to
ensure that only the authorized person can gain access?
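The password question above is the one most often answered badly, so here is an added example (not code from the original article) of the difference between 'encrypting' a password with a single fast digest and storing it properly. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt and a work factor on the order the OWASP Password Storage Cheat Sheet suggests; the record format, the iteration count and the `login` helper are this example's own choices, not a standard.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumptions for this example (not from the article): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and an iteration count of the order the
# OWASP Password Storage Cheat Sheet suggests for PBKDF2-SHA256. Tune it so
# one hash costs tens of milliseconds on your servers, and raise it over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def weak_unsalted_hash(password: str) -> str:
    """The 'encrypted password' anti-pattern: one fast, unsalted digest.
    Every user with the same password gets the same value, and an attacker
    with a stolen table can test billions of guesses per second offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time.
    A malformed or foreign record verifies as False instead of raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations), dklen=KEY_BYTES)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record used an older algorithm or a lower work factor,
    so it can be upgraded transparently the next time the user logs in."""
    try:
        algorithm, iters, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(iters) < iterations
    except ValueError:
        return True


# Hashed once at import so a login for an unknown user still does one
# hash computation (assumption: reduces, but does not remove, the timing
# difference between 'no such user' and 'wrong password').
DUMMY_RECORD = hash_password("dummy-password-for-timing")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a password against an in-memory user table (constructed sample)
    and upgrade the stored record if its work factor is out of date."""
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    shared = "correct horse battery staple"
    print("unsalted digests identical:",
          weak_unsalted_hash(shared) == weak_unsalted_hash(shared))
    users = {"alice": hash_password(shared), "bob": hash_password(shared)}
    print("salted records identical:", users["alice"] == users["bob"])
    print("alice logs in:", login(users, "alice", shared))
    print("alice wrong password:", login(users, "alice", shared + "!"))
```

On a real site the user table is a database column and the 'upgrade on login' step is what lets you raise the iteration count (or move to a stronger algorithm such as Argon2id) without ever seeing the plain-text password again.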
Do you have multiple layers of security on your website? The more
independent layers there are, the less likely it is that a single flaw
gives an outsider access. And have you restricted access to 'secure'
areas of your website to the absolute minimum of people and privileges?
It's easy for attackers to exploit the 'holes' that most websites offer
them.
Take the time to consult an expert in security, and spend what it costs
to add as many layers of protection to your website as you can afford.
If you think it’s going to cost too much, just work out the expense of
losing your client list or other confidential information and you’ll
quickly see that it’s a good investment.
Meet OWASP
One website you should visit is The Open Web Application Security
Project or ‘OWASP’ as it’s known. The OWASP Foundation (www.owasp.org)
is dedicated to finding and fighting the causes of insecure software.
Participation in OWASP is free and open to all, as are all the tools and
materials on its website.
On their website you can find ‘The OWASP Top Ten’ - a broad consensus
about what the most critical web application security flaws are. This
will provide you with a minimum standard for your web application
security.
The U.S. Federal Trade Commission strongly recommends that all companies
use the OWASP Top Ten and ensure that their partners do the same. The
U.S. Defense Information Systems Agency has also listed the OWASP Top
Ten as key best practices that should be used as part of the DOD
Information Technology Security Certification and Accreditation Process.
This list of the Top Ten vulnerabilities is a good place to begin
developing a system of security for your firm’s website. It’s fairly
technology-intensive but well within the understanding of any competent
software developer.
It’s a 24/7 Task
Be sure to monitor the security of your website 24 hours a day, seven
days a week. Attacks can come at any time and the faster they’re
detected, the better your chances of preventing the loss of critical
data or of damage to your site. Be sure that your website’s host can act
quickly to take the site offline if it’s attacked.
Be alert for updates and patches to all your software. Many kinds of
software allow automatic updates, and enabling them is the bare minimum
for keeping up with fixes to known flaws.
Have your site tested regularly by experts who will do all they can to
break into it. Every time they succeed it will highlight a vulnerability
that you will have to fix. New attack techniques appear all the time,
and what's adequate protection this year will probably be ineffective
next year.
Any change to your site can create a new avenue for a hacker to enter
it. Even if your website has just been passed as ‘secure’ by a test,
re-test it immediately if there’s a new element or significant change to
your site architecture.
The security of your website is an integral element of protecting your
business. It’s not something that’s easy to acquire or manage, and it’s
certainly not cheap. But if you ignore the need for the highest-possible
level of protection it’s probably just a matter of time before a hacker
gets into it and causes damage.