10 ways to tighten your company’s web assets
We’ve all seen the headlines and we know how bad it can be when things go wrong with security on websites. With that in mind, here are 10 practical things you can do to make a real-world difference to your security posture.
1. Run a security scan on your site
You can let the machines do the hard work by simply using a tool like NetSparker to scan your site. You plug in a URL, and the tool finds numerous vulnerabilities that can be externally identified. If you don’t want to pay for a commercial tool, then you can always grab something like OWASP’s ZAP which, while not as full featured, will still find a bunch of things -- and bonus: it’s free.
2. Check how your passwords are stored
If you’re handling credentials, you’ve got to do it right. Plain text is no good and encryption isn’t much better (private keys are often obtained by attackers in a breach). Hashing is the right start, but the right hashing is important too, and even salted hashes can be weak against today’s sophisticated attacks (Ashley Madison implemented theirs very poorly). Check out the OWASP Password Storage Cheat Sheet and get yourself a good adaptive hashing algorithm with a high workload.
3. Ensure you’re not leaking customer data
Here’s one that catches many people: most systems with account management facilities (i.e. people can sign up to a website) leak information about their customers. For example, the password reset feature often tells you whether the email address you’re trying to reset the password for exists or not. Check out my Pluralsight course on Secure Account Management Fundamentals for how to avoid this pitfall.
4. Turn off all unused services
Default configurations on Web servers are a classic problem. Frequently, the “out of the box” installation is deployed and all sorts of unnecessary things are running on the box. For example, you may not need FTP if you’re only deploying using Microsoft’s Web Deploy, so turn off anything that isn’t absolutely essential.
5. Check your deployment credentials
While I’m talking about FTP, you don’t have it wide open with anonymous access to anyone with an Internet connection, right? Check it, because there are thousands of sites out there that are easily discoverable via simple Google searches which have absolutely zero protection against anyone logging in and reading or modifying files.
6. Verify your data sovereignty
One very impactful lesson we’ve just learned courtesy of the Patreon breach is that it’s critical to ensure that production data stays in the right place and that’s the production environment! So many times I’ve seen real customer data make its way into test or development environments which aren’t subject to the same rigorous controls as production. If developers need data to test with, generate it with a tool like Red Gate’s SQL Data Generator; never take real customer data.
7. Audit developer rights
It might sound laborious, but a quick check of just how much access developers have can yield surprising results. Do they have the ability to deploy to live environments? Do they have access to credentials used to access live environments, such as database connection strings? In some cases they’ll need to but very often access has been granted “for convenience” as opposed to “as a necessity.”
8. Review your secure coding standards
You do have these, right? Just in case you don’t, start with the OWASP Top 10 as a minimum set of security risks, for which there should be corresponding coding standards for your programming language of choice. Then check out their Secure Coding Practices Guide as well. If you do already have standards, see how well they align to today’s risks and new defences, particularly things like browser security headers. Speaking of which…
9. Harden your sites
Security is all about degrees – finding the right level of protection for the right amount of effort. Fortunately, things keep evolving and we get better and better defences to protect our valuable Web things, sometimes with very little effort required to implement them. Take the opportunity to harden your website defences with practices like browser security headers which add additional defences beyond the traditional ones. Risks evolve, so should your defences!
10. Train your developers
This is just a little bit self-interested, given the nature of the courses I write, but training your developers is the best bang for your security buck you’ll ever get. The cost of rectifying bugs early in the development cycle (or never having them at all!) is substantially less than during the later phases of building software -- and it’s way cheaper than dealing with a breach! The first step in making sure your security is right is properly training the people building the software.
Learn more about how to keep your company secure. Tune into my recent webinar.