Recent and continuous website security breaches at large organizations, federal government agencies, banks and thousands of companies worldwide have once again confirmed the importance of website and web application security: preventing attackers from gaining access to sensitive data while keeping corporate websites as safe as possible. Many people run into difficulties when it comes to web application security, however; it is a heavy field to dig into.
There are so many facets that it is difficult to know where to begin. Below, we have assembled a brief 7-point list that should give you a good place to start.
1. Avoid Shared Hosting
Shared hosting and web application security are opposites. Shared hosting solutions are incredibly cheap, if not free, so they are quite common among small businesses that are unaware of the potential dangers of shared hosting. For example, a new start-up builds a website to advertise its innovative software but, due to a limited budget, is forced to use shared hosting. It is not aware that its website is being hosted, quite possibly insecurely, alongside dozens, if not hundreds or thousands, of other websites.
If the shared hosting provider allows dynamic content via any form of scripting, and any single one of the websites hosted there is insecure, the entire web server and every website on it could be compromised. It does not matter whether the dynamic content is as simple as server-side includes or as complex as a PHP website with a MySQL database backend. If it allows an attacker to gain unauthorized access, especially to the file system, defacing the website and obtaining access to sensitive data is only a matter of time.
If your website is anything more than simple static pages, you may want to look into options such as VPS hosting, or even a dedicated server if your website has a considerable amount of traffic. This may sound like a huge leap, but these options are now very inexpensive, and they let you tailor everything to your needs. Many even come with management systems, such as cPanel.
2. Inspect Your Code
Speaking of dynamic content, almost every website these days uses some form of Content Management System (CMS), be it WordPress with a specialized theme, a Joomla! or Drupal implementation with customizations, a downloadable and installable application such as the web forum software phpBB or vBulletin, or even a custom-coded application built on a modern, pluggable Model View Controller (MVC) framework like Ruby on Rails or Django. This is almost exclusively the failing point for nearly all web-based hacks. Less than 5% of successful web attacks are against the actual services behind the web application (such as Apache or MySQL).
Almost every time a website is compromised, it is due to insecurities in the code running the web application itself. SQL injection vulnerabilities are the most common kind of attack deployed against a website, and even though they have been around for over 14 years, things don't seem to be getting any better. This is not a fault of MySQL, PostgreSQL or any other database engine, but a failure to sanitize user input before it makes its way into a SQL query, as explained in this short history lesson of SQL Injection.
Unfortunately, there is not always an easy way to secure the code. Depending on what your web application is, there are various ways to secure it. Pre-built applications such as WordPress or vBulletin can be updated simply from within their administration panels, but custom-built apps in frameworks like Ruby on Rails will require in-depth code auditing by developers. Regardless, this is the most critical component, because if the web application itself is not secure, it presents a wide open door for intrusion that no additional amount of security can truly make up for.
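To make the point about user input reaching a SQL query concrete, here is an added example (not from the original article) that puts a query built by string concatenation next to its parameterized form. It uses Python's built-in sqlite3 module as a stand-in for MySQL and a constructed users table; the test string is the kind of input a code audit feeds to both versions to confirm which one treats it as data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by concatenation, so the input becomes part of the SQL syntax."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, username):
    """Passes the value as a bound parameter; the driver never parses it as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def audit():
    """Run both forms against a benign name and a constructed audit string; return the rows each gives."""
    conn = make_db()
    benign = "alice"
    probe = "' OR '1'='1"  # constructed audit input: closes the quoted literal, adds a tautology
    return {
        "benign_vulnerable": find_user_vulnerable(conn, benign),
        "benign_parameterized": find_user_parameterized(conn, benign),
        "probe_vulnerable": find_user_vulnerable(conn, probe),        # returns every row
        "probe_parameterized": find_user_parameterized(conn, probe),  # returns nothing
    }


if __name__ == "__main__":
    for case, rows in audit().items():
        print(f"{case:22s} -> {rows}")
```

The concatenated version answers the probe with the whole table because the input rewrote the WHERE clause; the parameterized version looks for a user literally named `' OR '1'='1` and finds none.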
3. Always Update Your Software
Not only does the code running the web application have to be secure, but so, too, do the systems that support it. When running an entire web application server, such as a LAMP stack – LAMP being an acronym for Linux, Apache, MySQL, PHP – there are many, many components that require constant auditing and updates as well, starting with the components of the acronym itself. PHP and MySQL have been known to have quite a few CVEs (Common Vulnerabilities and Exposures), and a basic Linux web server installation is itself an amalgamation of hundreds to thousands of different software packages. Each and every one of these could potentially play a critical role in letting an attacker gain unauthorized access to a system.
Even though less than 5% of successful web attacks target the services behind the web application itself, such a flaw still presents a massive vulnerability when discovered. The infamous SSL/TLS attacks – Heartbleed, POODLE, and others – were not against WordPress or Ruby on Rails-based websites, but against the OpenSSL software used by almost every web server that supports HTTPS traffic. However, things like this are easy to correct once the bugs have been patched. Depending on the operating system you are running, you can update your services simply by running a command: apt-get upgrade for Debian-based servers, yum update for RHEL-based ones, and so forth.
4. Implement Firewalls and Security Software
Up-to-date software is of course important, but even well-tuned and strongly configured software remains a possible entry point unless it is also protected against known exploitation techniques (such as brute force attacks). Firewalls can play a key role here, restricting or throttling network traffic, and every operating system comes with one (iptables on Linux, ipfw or pf on BSD variants, and so forth).
While a firewall is absolutely critical, it is not enough, since it only protects a connection, i.e. it does not provide application-level security. One should also look into an Intrusion Prevention System (IPS), which can be software or an appliance that analyses the traffic and understands what it is about. If a malicious user is trying to exploit a vulnerability on the web server, the IPS can identify the malicious request and drop the connection.
Prevention and detection systems and other types of reactive software, such as fail2ban, are a far more effective approach, especially when you want an open but guarded door to your server, such as SSH.
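The fail2ban-style "open but guarded door" described above comes down to counting failures per source address inside a sliding time window. As an added example (not fail2ban's own code), the following reproduces that logic over a constructed sshd log excerpt; the parameter names maxretry and findtime and their defaults are borrowed from fail2ban's jail settings, and the year supplied to the syslog timestamps is an assumption, since syslog lines do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (not from a real host): five failures from one address
# inside a minute, one accepted key login, and a lone failure from a second address.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:15:04 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:15:09 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 40141 ssh2
Mar  3 10:15:12 web1 sshd[2207]: Accepted publickey for deploy from 203.0.113.5 port 51002 ssh2
Mar  3 10:15:15 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar  3 10:15:18 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 40158 ssh2
Mar  3 10:20:30 web1 sshd[2213]: Failed password for root from 203.0.113.9 port 51900 ssh2
"""

# Captures the syslog timestamp and the source address of an sshd password failure.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for .+ from (\S+) port \d+"
)


def parse_time(stamp, year=2015):
    """Syslog stamps carry no year; the caller supplies one (assumed for the sample)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, maxretry=5, findtime_seconds=600):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures inside findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = parse_time(m.group(1)), m.group(2)
        if ip in banned:
            continue  # already banned; the firewall would be dropping these packets
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_seconds:
            window.popleft()  # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}")
```

With the defaults, 198.51.100.7 is banned at its fifth failure and 203.0.113.9 is not; shrinking findtime to 10 seconds lets the first address's failures age out before the threshold is reached, which is the trade-off a jail's findtime setting controls.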
5. Utilize Deep Monitoring and Reporting
Firewalls and security software are only useful when they work as designed. But what if an attacker's methods change in a way the security software is not yet configured to detect and prevent, as happens from time to time? An administrator may want a website to be as close to a set-it-and-forget-it thing as possible, but unfortunately that is not realistic, especially as a website grows more complex (account management systems, user-submitted content, shopping carts, or other areas requiring high security). Even more importantly, without proper monitoring, an administrator may not be aware the website is offline until someone reports it days later.
Log monitoring software such as OSSEC and uptime reporting utilities such as Icinga provide great insight into a web application's live activity. However, for best results, such monitoring and reporting services should be hosted elsewhere, not on the same server as the website being monitored. Otherwise, if the server the website is on goes down, so, too, will the reporting service that would alert you to such downtime.
6. Scan for Vulnerabilities
Of course, no amount of tuning, configuration, security software, code auditing, and more can perfectly secure a web application. With every additional complexity, something can simply be overlooked by accident. That is only natural, and human. That is where inhuman technology comes into play: web application security scanners.
Using an effective web application security scanner, an administrator can deeply scour every nook and cranny of their web application in ways they may not have previously thought of. Does your website use brand new HTML5 technology? Perhaps you are not yet aware of vulnerabilities exclusive to HTML5, such as DOM-based XSS, but Netsparker is. Running other web services beyond just a website? Got it covered. All these things and more are areas an automated security scanner is designed to alert you to, so you can learn what potential problems exist and how to fix them.
7. Never Stop Learning
We saved the best and most important tip for last: never stop learning about how to further secure your web application, servers, and more. The world of information security is constantly evolving, changing literally every day. Sometimes serious vulnerabilities even pop up out of nowhere with no prior warning, known as a 0-day attack. There are several online resources you can refer to or follow to keep yourself informed, such as Netsparker's web application security blog. A good administrator is one who is prepared for the constant battle of keeping their system secure, and by applying these 7 steps, you, too, can be better prepared.