
 How To Tighten Your Company’s Web Assets



We've all seen the news, and we know how devastating it can be when website security goes wrong. With that in mind, here are 10 practical things you can implement to make a real difference in your security posture.


1. Run A Security Scan On Your Website


You can let the machines do the complicated job by using a tool like Netsparker to scan your website. Point it at a URL, and the tool finds many externally identifiable vulnerabilities. If you don't wish to pay for a premium tool, you can always use a platform like OWASP's ZAP, which will still find many things - and as a bonus, although it is not as complete, it's absolutely free.


2. See How Your Passwords Are Stored


If you manage credentials, you need to do it correctly. Plain text is not safe, and encryption is not much better (attackers in a breach often retrieve the keys as well). Hashing is the right option, but the right kind of hashing is also crucial, and even salted hashes can be weak against today's advanced attacks. Consult the OWASP cheat sheet for storing passwords and pick a good adaptive hash algorithm with a high work factor.
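As an added illustration (not code from the original post), this is what "a good adaptive hash algorithm with a high work factor" looks like in practice, using Python's standard-library scrypt: a per-user random salt, a stored work factor, constant-time comparison, and a check that lets you raise the work factor later. The parameter values are assumptions and should be tuned for your own hardware.

```python
import hashlib
import hmac
import os

# Work-factor parameters (assumed values for this example; tune per deployment).
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16


def weak_hash(password: str, salt: bytes) -> str:
    """The pattern the text warns about: one salted SHA-256 pass.
    The salt defeats rainbow tables, but a GPU still tries billions of guesses per second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.
    Storing N, r and p alongside the hash lets the work factor be raised later."""
    salt = os.urandom(SALT_BYTES)                    # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False                                  # malformed or unknown record
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str) -> bool:
    """True when the stored work factor is below current policy.
    Call after a successful login and re-hash with the new parameters."""
    parts = record.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N
```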


3. Ensure You’re Not Exposing Customer Data


Here's one that affects many people: most platforms with account management systems (i.e., where users can sign up to a website) leak information about their customers. For instance, the password reset feature often tells you whether the email address for which you are trying to reset the password exists or not.



4. Turn Off All Dormant Services


Default configurations on web servers are a typical problem. Often, the "out of the box" installation is deployed, and all kinds of irrelevant services run on the box. For example, you may not need FTP if you are only deploying with Microsoft Web Deploy, so disable anything that is not absolutely necessary.


5. Check Your Deployment Credentials


While we're talking about FTP, make sure you don't have it openly accessible with anonymous access to anyone with an Internet connection. Check it, because thousands of websites that have absolutely no protection against anyone who logs in, reads, or modifies files are easy to find with simple Google searches.


6. Validate Your Data Sovereignty


A critical lesson we learned courtesy of the Patreon breach is that it is essential to make sure that production data stays in the right place, and that place is the production environment! So many times, we have seen actual customer data end up in testing or development environments, which don't go through the same rigorous controls as production. When developers need test data, generate it with a tool such as SQL Data Generator from Red Gate; never use real customer data.


7. Audit Developer Privileges


It may seem laborious, but a quick check of how much access developers have can produce surprising results. Do they have the ability to deploy to live environments? Do they have access to credentials used to reach live resources, such as database connection strings? In some scenarios they will have to, but very often access has been granted "for convenience" rather than out of necessity.


8. Review Your Secure Coding Standards


You have these, don't you? If you do not, start with the OWASP Top 10 as a minimum set of security threats for which there should be appropriate coding standards in your chosen programming language. Then see their Secure Encryption Practice Guide. If you have standards already, see how well they hold up against today's threats and defenses, especially things like browser security headers.


9. Fortify Your Sites


Security comes in degrees - finding the right level of protection for the right amount of effort. Fortunately, things continue to evolve, and we get better and better solutions for protecting our valuable assets on the web, sometimes with minimal effort needed to implement them. Take the opportunity to strengthen your website's defenses with methods such as browser security headers, which add extra shields beyond the traditional ones. Risks evolve, and so should your measures!


10. Train Your Developers


Training your developers is the best security measure you will ever implement. The cost of correcting errors at the beginning of development is far lower than in the later stages of the software lifecycle - and much cheaper than dealing with a breach! The first step in ensuring your security is tight is properly training the people who build the software.

