TrainACE Learning Blog

Subscribe to our Blog

Recent Posts

Posts by Topic

see all

Website Security Best Practices

Posted by Christian Crank on Jun 17, 2014 8:17:55 AM

As corporations get larger and need to expand their marketing efforts, many organizations look towards the Internet. With millions of people online all at one time, it seems like the marketing capability is endless. But with the internet, things can get real messy, real fast. Malicious “hackers and crackers” are out there, looking for weak security holes and infrastructures to steal information from or to take over. Of course, this has gotten harder to do over the years, but there are still many that try.

As active participants in online marketing, corporations are especially vulnerable to digital attacks. Thankfully, there are a collection of good security practices for web developers and corporations to use to heighten their security. Knowing what needs to be protected and how to do it makes life a bit easier when starting and/or running a website. Having knowledge on topics such as guarding against malicious input, knowing your users, accessing certain databases and securing cookies is vital to putting good security practices to work. Making sure a team member has this expertise will allow any security issues to be dealt with quickly. Otherwise, you’ll need to address these simple fixes first to improve your infrastructure.

Are your servers up to date? If not, that would be the best start. Check if the system you are using, be it Windows or Linux, is up to date. If not, ensure that you download and install the latest security patches for your operating system. You should also keep web server software up to date and make sure that all security patches are installed. Set up a secure access list for your server to only allow ports you need, such as 80, 443 and 22 (HTTP, HTTPS/SSL and SSH). This will block any other ports from being used to exploit the server or allow information out. Having SSH open to remotely log in is smart to copy files to your server. FTP and Telnet transmit passwords in cleartext so an attacker could pull passwords out of network traffic. Having SSH set up though puts you at risk for brute force attacks. To ensure it is extremely difficult for an attacker to get in, set up a difficult password using upper and lowercase alpha (A-Za-z), numbers (0-9) and special characters (!@#$%^&*). Make it a longer password and make sure it is not a dictionary word. An example of a good password would be H3tt09&&rr.

Protect your network. It’s a big thing. Network security ensures files and information that does not need to get out, stays in. Set the services that users need to access on the internet. Put all other services that users don’t need access to on a private network that does not connect to the internet. If this is impossible in your situation, you can use strong firewall rules to block all access from any computer other than your web server, but the first suggestion is the safer bet.

Protect your web applications.  First, note that applications and coding always has bugs—it will never be 100 percent safe. But you can make your security super strong. Always secure web applications by hashing passwords and comparing hashes to stored hashes on the server. Using cookies to identify certain users with unique signatures for users with login information stored in said cookies. If you only store a username in a cookie, an attacker can easily guess or forge the cookie for authentication. Scrub your SQL databases and make sure there are no vulnerable SQL injection vulnerabilities.

Plenty of web based attacks like SQL Injection or Cross-Site-Scripting can be easily deterred by whitelists only allowing users to enter certain information in forms. With network security become a huge part of the world now, it is better to be safe than sorry when coming to website and web application security.

Topics: cyber, cyber security, Uncategorized, web, web application security, web security, webpage