Web security for the small-to-medium sized enterprise

There is no doubt that all of us have heard about the security breaches of numerous Fortune 500 companies.  From credit card information hijacks to content defilement, there is no shortage of news reports detailing the exploits of uber-hackers or hacker groups.  The companies that were aggrieved were so, in part, due to their size.  The acclaim for a hacker penetrating Wal-Mart or Citibank will be far greater than that achieved by taking down Joe's Pool & Spa.  But the havoc wreaked on Joe's place is far more likely to put him out of business long before a corporate giant will fall.

So, what's a small business owner to do? A web presence is an absolutely essential marketing and sales tool and, by some estimates, almost 70% of security breaches happen via that same web presence.  Many Mom & Pop shops exist only in the ethereal and cannot just unplug.

First, lets clear up a few myths about web security.  

1. Any e-commerce vendor knows (or was later informed) that SSL is a requirement for their site.  The vendor believes, wrongly, that once the SSL certificate is procured, they are now the owner of a 'secure' website.  But what does an SSL certificate provide?  It tells any visitor to the site that the site is who it says it is.  In other words, the client has not been directed to a phishing site.  The other thing SSL provides is the guarantee that communication between the server and the client will be encrypted.  In the event that someone snags your communication en route, he/she will not be able to decipher what type of conversation you're having.  That's it! That's all SSL provides you.  It can't stop hackers, it only means that hackers can talk to your website with encryption.

2. I have a firewall on my web server -- that should save me.  To a large degree that is true.  There are 65535 ports available on your server to use in TCP/IP communication.  A firewall typically shuts most of these ports down so they cannot be used for nefarious purposes.  But, by design, they most often leave port 80 (web) and port 443 (SSL) open.   In fact, if they did not, client computers would be unable to connect to your site.  Again, there are obvious benefits to closing all the other ports but a firewall does not help secure your web application.

3. My IT guru ran a network vulnerability scanner and didn't identify any security problems.  Much like number 2, this is a good idea and will lower your attack profile some but it doesn't eliminate you as a target.  The scanners work by sending packets of various configurations to your network and then analyzing the response by comparing to well-known security signatures.  The key here is 'well-known'.  You know you are now protected from 'well-known' security issues but you don't know what issues may have been introduced by the custom web application that is running under your company's logo.

4. My company runs annual vulnerability checks to ensure our security.  Really?  Annual?  Each day provides the internet community with roughly 10 new security vulnerabilities.  Annual checks are, therefore, relevant for about one day.

So, you say, how do I secure my site?  

1. Perform security reviews every time a single line of code is updated in you web application.  Use automated tools but also include some manual checks.  SQL injection and cross-site scripting vulnerabilities are still very prevalent.

2. By all means, use the scanners we talked about above.  But, use them in conjunction with manual testing to make sure all the bases have been covered.

3. Make sure your developers NEVER trusts client-side input.  It is the number 1 cause of web application security breaches.  With well crafted input, a user can gain root access to your server as well as administrator rights on your database.

Its a jungle out there and the predators have moved on from the big game of Fortune 500 companies to the small and medium sized enterprise.  Keep your website safe and keep your company in the green.