Six ways to improve the security of your website and web applications
Business websites and applications need to be as accessible yet robust as possible, but this presents a huge range of security challenges, find out what you need to protect them.
In 2019, more businesses than ever before are offering online services. This is due to the fact that customer needs have changed and there is a greater demand for access to information and services around the clock.
While this is certainly good news for customers, an unwanted impact for businesses is that these services are frequently targeted by cyber criminals. Businesses in the financial sector are a common target but any organization that offers online services can be vulnerable.
Business websites and applications need to be as accessible yet robust as possible, but this presents a huge range of security challenges. For instance, recent research has revealed that almost half of all web applications are vulnerable to unauthorised access – while 44 per cent place users at risk of personal data theft.
To help improve your organizations’ online security, here are six ways to protect your business’ website and web applications.
1. Use a web application firewall
A web application firewall (WAF) analyses both HTTP and HTTPS web traffic in order to identify attacks. When the firewall notices malicious activity, such as a someone attempting to exploit a known vulnerability, it blocks the connection.
A WAF is very useful but does not leave you completely protected. For example, the firewall can only defend against attacks that have known signatures. WAFS offers no defense against new types of threats, nor can it fix any identified vulnerabilities.
2. Perform regular network vulnerability scanning
To uncover cyber security risks that exist across your website and web applications, it is important to take proactive steps to uncover vulnerabilities. One of the best ways to do this is to perform network vulnerability scanning on a regular basis. This form of assessment relies on the use of automated software tools and can help to uncover issues such insecure server and network configurations, open ports, unpatched systems and use of weak user credentials.
3. Commission penetration testing
As an automated form of assessment, network vulnerability scanning can only go so far, which is why it’s important to take additional steps to identify and address hidden exposures. Web application testing is performed by an experienced ethical hacker and can discover potential flaws in your systems that could be exploited. Penetration testing utilises a range of manual testing techniques to identify, safely exploit and remediate vulnerabilities such as SQL injection, cross-site scripting and authentication problems. Web app testing can also help to identify the presence of rogue applications and plug-ins, such as the type that led to recent breaches at Ticketmaster and British Airways.
4. Manage user permissions and privileges
In the event of a breach, limiting the amount of damage that a hacker could inflict by ensuring that users only have the minimum rights necessary to perform their role is another important way to improve the security of your website and web applications.
Failing to take this sort of action could result in your business experience something similar to Ticketfly – an event ticketing site that suffered the loss of data relating to 26 million customers. During the breach a hacker was able to gain access to the webmaster’s account, which provided all the privileges and access needed to steal the data.
It is a good idea to manage user permissions and privileges very carefully, perhaps splitting them up across a variety of different accounts. The key here is finding a balance between security and the ability of administrators to do their job effectively.
5. Segregate your networks and data
As well as managing privileges, you can take steps to mitigate attacks by segregating systems across multiple isolated networks and databases. This can help to limit the scope of attacks by slowing down hacker progress and ensuring that if a database, for example, is compromised, attackers aren’t able to access a complete set of data.
Segregation of cardholder data is an important requirement of the Payment Card Industries’ Data Security Standard (PC DSS).
6. Monitor web servers and logs
Finally, it is a good idea to regularly monitor web servers and relevant log files in order to identify suspicious behavior such as unauthorized connections and policy violations. This is a task that be performed manually by an administrator or automatically through the use of network monitoring technologies such as SIEM. Identifying attacks early means you’ll be able to respond to them before they cause widespread damage and disruption.