Top 10 website security myths by qtp78691


									                                                                                            W A T S O N    H A L L

       Top 10 website security myths                                                                  Watson Hall Ltd
                                                                                              27-31 Clerkenwell Close
       and what to do about them                                                                    London EC1R 0AT

                                                                                             Telephone 020 7183 3710
                                                                                                    Fax 020 7043 9784
              There are many myths relating to website and web application security.
              Here are the ones we think are worth highlighting.

              Terms of use
              This top 10 list is provided free of charge and without any warranty. Use
              of this top 10 list is subject to the terms of use displayed on our website

              Each top 10 list may need to be amended for the particular website
              project’s requirements, functionality and environment.

              You may want to review all our top 10 website security lists at
     The latest links to
              details of information security related legislation, codes of practice,
              organisations, initiative and standards can be found on the Watson Hall
              website at

              1         The developers will deal with security

              Not unless you ask them to, and then have this accredited. Make sure you
              define in your specifications and contracts what is required. All software
              has flaws, many of which will never be found, and utilising coding
              practices for secure development, building security into the whole
              development lifecycle and undertaking security testing will help. But a
              significant number of vulnerabilities do not reside in the code alone.
              They may be caused by forgotten files, differences in system
              configuration, the hosting environment, interaction with other systems or
              business logic flaws. Train your developers and give them time to do the
              work correctly.

              2         Nobody’s interested in hacking our website

              Criminals and hackers work together to obtain confidential data from your
              company or organisation, to steal identity information from your website
              users, to damage your reputation or simply to use your website to
              distribute malware to your users. Criminals use automated tools to attack
              websites – just registering a new domain name will mean it gets scanned
              for vulnerabilities and potentially targeted. An organisation’s own staff
              often have greater access permissions to the website and disgruntled,                                                                                                 1
Top 10                                                                                              Website security myths

                     malicious or staff who have recently been made redundant are more
                     interested in your website than someone else’s.

                     3         The website uses SSL so is secure

                     The term ‘secure website’ is often used for the parts of a website where
                     the data transmitted between a user and the server is encrypted with a
                     valid, current and trusted secure sockets layer (SSL) certificate on the
                     server. SSL only means the data in transit is encrypted – it does not
                     actually secure a website, its data, the server or its users. The data at
                     either end (the user’s browser and the server) are decrypted. It is
                     certainly the case that SSL with a strong cipher should be used for
                     transfer of private and sensitive data, but that’s just one small part of
                     website security. Poor configuration could allow weak ciphers to be used

                     4         We don’t use Microsoft software so are safe

                     Websites hosted on other operating systems (e.g. Unix-like) still need to
                     have patches and updates regularly applied. Many of the most popular
                     content management systems (CMS) are hosted on operating systems
                     other than Windows, and are therefore a popular target for attackers due
                     to the large number of potential websites which could be targeted. Also,
                     many security exploits (e.g. phishing, weak registration/login systems,
                     cross-site scripting (XSS), business logic flaws) are completely
                     independent of the operating system.

                     5         We use a firewall so the website is protected

                     Firewalls in front of a web server limit traffic to that server. But the web
                     server will need to see web requests, so these cannot be filtered. Web
                     application firewalls can assist in protecting known vulnerabilities and
                     unusual traffic but cannot usually provide protection against business
                     logic vulnerabilities, custom code vulnerabilities, valid use that corrupts
                     data and zero day (new) attacks. They can be of use in temporarily
                     filtering traffic when a vulnerability is discovered, but need to be thought
                     of as a temporary fix rather than a permanent repair. Your internal
                     employee’s access to the website may not even pass through the same
                     firewall, or have different rules, and you may be using internal data feeds
                     which are not screened.                                                                                                     2
Top 10                                                                                             Website security myths

                     6         We’ve got a backup, no worries

                     Backups are not a protective mechanism – they are an assistance to
                     recovery. Recent backups are a necessary part of operating websites, but
                     they won’t necessarily contain all the transactions that occurred up to the
                     point of an incident. But if your data has been altered maliciously (data
                     poisoning), the backup may well also contain this, so you may still need
                     manual processes to sort it out.

                     7         Our data is encrypted

                     There are tools available to criminals to try to decode encrypted data –
                     their success can depend upon the algorithm used and how the keys are
                     secured. Data may be encrypted in transit (e.g. SSL – see No 3 above) but
                     some data may also encrypted when it is stored. But the algorithms must
                     be known strong ones, not known weak ones or custom-developed. The
                     keys used to do this encryption must be stored securely, not hard-coded
                     into systems and transmitted securely. Encrypted data will exist in clear-
                     text (unencrypted) on the user’s browser and at any other place where
                     the data needs to be human-readable (such as printed copies or logs).

                     8         All you need is an annual penetration test

                     A penetration test using a vulnerability scanner tool will not be able to
                     discover all the vulnerabilities in your website.           In particular
                     vulnerabilities in any custom-developed code and business logic
                     vulnerabilities are unlikely to be found by automated tools. Your hosting
                     environment and website code are likely to change over a much shorter
                     time span than a year, and therefore a combination of automated testing
                     and expert analysis need to be undertaken on a semi-continuous basis.
                     Best practice is to undertake automated testing weekly and have logging
                     and alerting functions which highlight changes to files and potential
                     intrusions on a live basis.

                     9         Our user’s have fully patched desktops

                     Even if your users are employees who use workstations (personal
                     computers) that are automatically patched and have up-to-date ant-virus
                     and anti-spyware systems installed you cannot assume their systems
                     cannot be compromised to attack your website. There is always a delay
                     between a vulnerability or malware being discovered and when patches
                     are developed, tested and distributed. You may also have remote users
                     who log onto your network and their systems may not be as up-to-date.                                                                                                    3
Top 10                                                                                             Website security myths

                     Security policies may ban or control the attaching of personal devices
                     (PDAs, mobile phones, cameras) and storage devices (memory sticks, MP3
                     players, cameras) to your network or opening untested media (DVDs, CD-
                     ROMs) but all these can compromise your ‘trusted’ user’s desktops.

                     10        We have a service level agreement (SLA) with
                               our hosting company

                     Contracts with hosting providers usually define certain minimum levels of
                     uptime, but check how these are calculated, what you are responsible for
                     and what the exclusions are – you may be surprised that loss of power or
                     internet connectivity by the hoster may mean no come back. Poor
                     performance may be due to the website, not the server or the network.
                     Organisations may not have considered what would happen if their
                     website (public website, extranet or intranet) were unavailable for a
                     period other than a few minutes. But unless you are certain the business
                     can survive without a website for up to a few weeks, it is absolutely vital
                     to have plans in place (disaster recovery and business continuity) to deal
                     with the loss of, or access to the website. Do you have backups and
                     procedures for everything required to set up the complete website
                     somewhere else, is there some standby facility available, who will deal
                     with email, telephone and fax enquiries generated because the website is
                     not available? Not your hosting company, you.

                     Why Watson Hall?
                     Watson Hall helps United Kingdom organisations design, develop,
                     implement and operate websites and web applications securely, by
                     undertaking threat modelling, vulnerability assessments, developing
                     information security management programmes, providing advice on
                     development best practice and performing security testing.

                     To discuss any security matters in confidence and without obligation,
                     telephone us on 020 7183 3710 or use the enquiry form on our website at

To top