The ramifications for companies are clear: Loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for complete website vulnerability management.
How can companies prevent these attacks? The first step is to understand the fundamentals. This white paper will examine ten vital website security issues that affect software developers and information security professionals. Grasping these points will enable companies to understand the scope of the problem, and establish realistic approaches for vulnerability management and securing their websites. Consider these ten points a springboard for further exploration of website security so that your organization and customers can avoid being victimized.
Ten Things You Should Know about Website Security
1. The Network Perimeter is Vanishing
Companies can no longer tout a locked down perimeter as the ultimate defense. Hundreds of millions of people worldwide use the Internet to bank, shop, purchase goods and services, and perform research. With each transaction, private information, including names, addresses, phone numbers, credit/debit card numbers, and passwords, is routinely transferred and stored in a variety of locations. To enable this flow of information, organizations must open up their firewalls, the very devices once thought to offer impenetrable protection. Billions of dollars and millions of personal identities and private information are exposed to hackers who find their way in through security vulnerabilities in custom Web applications.
From a security perspective, firewalls and SSL offer little protection against application-layer attacks. Web traffic often carries attacks such as Cross-Site Scripting (XSS) and SQL Injection that enter through Port 80 as ordinary HTTP requests and are not blocked by the firewall. Contrary to a popular market misconception, SSL is not capable of securing a website; its job is to safeguard data in transit. Once data reaches the Web server, it can be compromised whether or not SSL is in use.
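The point above, as an added example that is not part of the white paper: a port-based firewall rule passes a benign and a hostile request alike, and only the application code decides the outcome. The in-memory `users` table, the `perimeter_allows` rule and the two lookup functions are constructed for this illustration.

```python
import sqlite3

def build_db():
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def perimeter_allows(port):
    """Port-based firewall rule: web traffic on 80/443 is allowed regardless of content."""
    return port in (80, 443)

def lookup_vulnerable(conn, username):
    """Builds SQL by string concatenation, so user input becomes part of the query text."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Bound parameter: the database treats the input strictly as a value, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def handle_request(conn, port, username, safe):
    """Models a request after the firewall and TLS termination.
    Returns None if the perimeter drops it, otherwise the rows the application returns."""
    if not perimeter_allows(port):
        return None
    lookup = lookup_parameterized if safe else lookup_vulnerable
    return lookup(conn, username)

if __name__ == "__main__":
    conn = build_db()
    # Constructed inputs: a normal username and one that alters the concatenated query.
    for name in ("alice", "x' OR '1'='1"):
        print(repr(name), "passes firewall on 443:", perimeter_allows(443))
        print("  concatenated query returns: ", handle_request(conn, 443, name, safe=False))
        print("  parameterized query returns:", handle_request(conn, 443, name, safe=True))
```

The firewall sees identical traffic in both cases; the parameterized lookup is what keeps the hostile input from expanding the result set to every row.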
Website security is a specialized practice that focuses solely on the custom Web applications that sit on corporate Web servers. Network scanning covers packaged, off-the-shelf applications. Applications developed in-house (the vast majority of websites) need custom security to fend off the attacks that bypass the network perimeter.
2. Over 80% of Websites have Security Vulnerabilities
Consider the fact that 8 out of 10 websites visited each day have a serious security vulnerability that puts corporate and customer data at risk. Add to that the irreparable harm done to a company whose brand is compromised by a publicized attack. It’s a call to action for any company doing any of its business on the Web.
WhiteHat Security, through its unique vulnerability management service, assesses the security of some of the largest and most visible websites in the e-commerce, financial services, and healthcare industries. Based on the aggregate data of thousands of website assessments, we’ve determined that over 80% of websites have vulnerabilities. These vulnerabilities enable a hacker to access customer account data, execute administrative level functions, defraud the business, or halt operations, all of which are serious business impacts.
Website vulnerabilities fall into twenty-four classes, as determined by the Web Application Security Consortium (WASC). Within those classes, there are vulnerabilities ranging from the common, like SQL Injection and Cross-Site Scripting, to the obscure, like Abuse of Functionality and Insufficient Process Validation. The most important thing to remember is that custom Web application vulnerabilities are unique to your website, and identifying and resolving them takes a joint effort between the development and security teams.