
Web Security – A Mindset, Not a Process

Over the past several years, web application security has come to the forefront for software developers. Where terms such as “SQL injection” and “cross-site scripting” were once completely foreign, most professional web developers now have at least a basic understanding of what these vulnerabilities are and the risks they pose.

In addition, education and tools have become more readily available, along with documented techniques and best practices for developers of web applications.

However, in spite of the resources available and the knowledge gained, adopting web application security best practices is still a difficult process. Here are a few reasons why:

  • It’s a moving target – attackers keep inventing new techniques, and every advance in technology (new frameworks, APIs and client-side features) opens new ways to attack web applications.
  • Security increases costs – developer education, development and testing time, continuous testing, and so on.
  • Specialized knowledge and experience in web application security is sparse and is ultimately left to the individual software developer; not many dev teams have dedicated security practitioners.
  • Adopting web application security is a mindset and a culture, and it requires attention at every level of software design and development.
  • Smaller organizations don’t have the expertise or resources to address application security, or the ability to keep up with current trends.

With the list above, it may seem that the security challenge is insurmountable, particularly for resource-constrained organizations. However, all is not lost: there are a number of basic but effective techniques that reduce the vulnerabilities exposing your data. I would call this the “low hanging fruit” of web application security:

  • Discuss and plan internal application security processes and best practices
  • Review your server configuration and remediate the vulnerabilities you find (unneeded services, default credentials, verbose error pages, missing patches)
  • Use reduced-privilege accounts for authentication and for database connections – the account the application connects with should be able to read and write only the tables it needs, never create or drop objects or administer the server
  • Adopt basic vulnerability testing
    – Numerous free, open source and commercial scanners are available
    – Scan on a recurring basis, not just once before launch
    – Remediate severe application vulnerabilities first, then work down the list
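As an added example of the reduced-privilege database account from the list above (not code from the original post), here is what that setup looks like for a web application on PostgreSQL. The database name shop, the role name webapp_rw, the tables orders, customers and products, their id sequences, and the existence of a separate migration role that owns the schema are all assumptions.

```sql
-- Added example, not from the original post. Names (shop, webapp_rw,
-- orders, customers, products, the *_id_seq sequences) are assumptions.

-- The weak setting this replaces: the application connecting as the
-- superuser, e.g. postgresql://postgres:...@db/shop. A single SQL
-- injection then lets the attacker read every table, alter any of them,
-- and run commands on the database host.

-- Dedicated login role for the running application. It is not a superuser,
-- cannot create databases or roles, and inherits nothing from other roles.
CREATE ROLE webapp_rw LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Remove the defaults PostgreSQL hands to everyone (PUBLIC), then grant
-- back only what the application needs. Schema changes stay with the
-- separate migration role that owns the tables; the app never needs DDL.
REVOKE ALL ON DATABASE shop FROM PUBLIC;
GRANT CONNECT ON DATABASE shop TO webapp_rw;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO webapp_rw;

GRANT SELECT, INSERT, UPDATE ON orders, customers TO webapp_rw;
GRANT SELECT ON products TO webapp_rw;            -- catalogue is read-only
GRANT USAGE ON SEQUENCE orders_id_seq, customers_id_seq TO webapp_rw;
-- Deliberately absent: DELETE, TRUNCATE, and any privilege on other tables.

-- Per-role limits so one runaway or injected query cannot tie up the server.
ALTER ROLE webapp_rw SET statement_timeout = '5s';
ALTER ROLE webapp_rw CONNECTION LIMIT 50;

-- Check 1: list exactly what the role can touch; anything beyond the
-- grants above means the setup drifted.
SELECT table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'webapp_rw'
 ORDER BY table_name, privilege_type;

-- Check 2: run as the role and confirm destructive statements are refused
-- (DROP requires table ownership, DELETE was never granted), so an
-- injection that reaches them still cannot destroy data.
SET ROLE webapp_rw;
DROP TABLE orders;
DELETE FROM customers;
RESET ROLE;
```

Run the script as a database superuser once, then point the application’s connection string at webapp_rw. The same principle applies to the OS account the web server runs as and to any cloud or API credentials the application holds: grant what the code needs, and verify from the outside that nothing more works.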

2017 – the year for HTTPS

The upcoming year is the year for making the web safer. It is now considered a best practice for ALL websites to be served over HTTPS, not simply those that handle sensitive, personal information.

What does HTTPS mean? HTTPS is HTTP carried over TLS (Transport Layer Security, the successor to SSL, although certificates are still commonly called “SSL certificates”). A site configured with a certificate and TLS is reached with the “https://” scheme rather than “http://”, and the browser shows it as secure only if the certificate is valid for the site’s domain name and was issued by a certificate authority the browser trusts.

Deploying an SSL/TLS certificate and serving your site over HTTPS must be a priority for several reasons:

  • It goes a long way towards protecting your site visitors, as well as your site platform and content: TLS encrypts and authenticates the traffic, so anyone on the network path (a public Wi-Fi operator, an ISP, a compromised router) can neither read what visitors send and receive nor alter or inject content, such as scripts or login forms, on its way to them.
  • Using HTTPS is now a requirement for many new browser features; geolocation and device orientation are examples, and so are service workers, which are simply unavailable to pages on insecure origins.
  • Effective January 2017, Google is leading the way in flagging websites that don’t use HTTPS: starting with Chrome 56, pages that collect passwords or credit card details over plain HTTP are labelled “Not secure” in the address bar, and Google has said the warning will be extended to all HTTP pages over time. For more information on Google’s approach, read this article.
  • Ignoring this best practice may negatively affect your site’s SEO: Google has used HTTPS as a ranking signal since 2014.
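A concrete server configuration that does what this post asks, as an added example that is not part of the original post: the weak plain-HTTP setup beside a hardened HTTPS setup for nginx. The host name example.com, the document root and the Let’s Encrypt certificate paths are assumptions; any certificate and key issued for your domain will do.

```nginx
# Added example, not from the original post. Host name, document root and
# certificate paths are assumptions; substitute your own.

# BEFORE (the weak setting): the site answers on port 80 in the clear.
# Everything a visitor sends, and every page they receive, can be read and
# rewritten by anyone on the network path.
#
# server {
#     listen 80;
#     server_name example.com www.example.com;
#     root /var/www/example.com;
# }

# AFTER: port 80 only redirects. No content is ever served over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # Certificate chain and private key (assumed Let's Encrypt paths).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only modern protocol versions; SSLv3 and TLS 1.0/1.1 stay disabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling saves each client a round trip to the CA.
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS: once a browser has seen this, it refuses plain HTTP to the host
    # for a year. Start with a short max-age while testing; a wrong value
    # is hard to undo because clients cache it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Ask browsers to fetch any leftover http:// subresources over https
    # instead, which avoids mixed-content breakage on older pages.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
}
```

Verify the result from outside the server rather than trusting the file: `curl -sI http://example.com/` should return a 301 with a `Location: https://...` header, `curl -sI https://example.com/` should show the `Strict-Transport-Security` header, and `openssl s_client -connect example.com:443 -servername example.com` prints the certificate chain the browser will see, so an incomplete chain shows up before visitors report warnings.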