Playing it safe: security issues on the web and how to safeguard against them

Web security is often overlooked in web development – not because nobody finds it important, but because it’s a complicated topic. There are so many risks when it comes to web security that it’s difficult to know if you’ve covered all your bases. Practicing efficient security requires a good understanding of risk management principles, and effective strategies to safeguard against these risks.
Additionally, with the web changing as rapidly as it does, so do opportunities for hackers to attack. Programs and applications are constantly rolling out updates, most often to take care of new vulnerabilities with security patches.
Since it’s impossible to build a secure web application without knowing your risks, let’s discuss those first.

Most Common Security Threats

According to Cenzic’s Q3 & Q4 report of 2009, some of the most common security threats were SQL injection and cross-site scripting.

Cenzic’s Quarter 3 & 4 report of 2009 – Most Common Security Threats

The report groups together a variety of other threats in the dominating ‘miscellaneous’ section, of which buffer errors, permissions/access control, and code injection were the most prominent risks.

Cenzic’s Quarter 3 & 4 report of 2009 – Breakdown of the Miscellaneous Section for Most Common Security Threats

What exactly do these risks mean?

1. SQL/Code injection

With SQL or code injection, a hacker can access your database by sending a command over to your server, most often through form fields or the URI. A quick fix to avoid this hack is to sanitize your data, which we will discuss in more detail later. Essentially, if you are letting users pass any kind of characters through your form fields, they can potentially write a harmful script that would give them access to your database or allow them to manipulate information.

2. Buffer errors

If there are any holes or gaps in your code, exposing these types of errors to an attacker is a sure fire way to give them the information they need to hack into your data.How many times have you been to a website where you are trying to login or purchase an item, and just as you’ve completed the task – a new page refreshes with a bunch of garbled error code? This is one of the easiest ways for hackers to get an understanding of where your site is most vulnerable. If there are any holes or gaps in your code, exposing these types of errors to an attacker is a sure fire way to give them the information they need to hack into your data.

3. Cross-site scripting

Cross-site scripting is similar to our first example, and is when an attacker injects JavaScript into your document. Again, this is most easily done through form fields or when added as a parameter to the end of a URI. We all understand how powerful JavaScript can be, and this type of hack can allow attackers to manipulate your entire website.

4. Permissions, privileges and access control

When building a site with different levels of users and authentication, it’s important to ensure that passwords are secure and encrypted. Attackers can run a series of commands that will generate all possible password combinations. If any passwords are too simple, it makes it much easier for an attacker to gain authenticated access. With authenticated access, depending on the types of privileges that user has, an attacker can do all sorts of things to disrupt your site.

How can we reduce security risks?

1. Reduce vulnerable surface area using least privilege

The goal here is to contain the problem to the smallest amount. Understand what resources an attacker may be able to access if they get into your application. How are you reducing the potential damage? One way to accomplish this is by limiting actions to authorized users, and giving these users the bare minimum of privileges needed to perform their tasks.

2. Install updates

As frustrating as it may be to have to install so many updates – there are updates for a reason. Most often, browser and computer updates include new security patches to fix vulnerabilities that were recently discovered. Staying fresh on all of your applications and systems will help prevent future attacks.

3. Have multiple lines of defense

Always have multiple gatekeepers to gain access to any sensitive data. If a hacker is able to get passed one layer of defense, ensure that there are additional barriers in place that will prevent them from retrieving private data.

4. Validate user input as much as possible

We would all like to trust our users when they are filling out a form, or posting a comment on our site. However, it’s important that all of this information is validated before it is submitted to your site. This is often a hacker’s primary way to include malicious code into your site. Ensure you are validating for correct format and characters, and do not allow users to continue into an authenticated area if any of the data does not match.

5. Create user-friendly (not hacker-friendly) error messages

Often times, if there is a hiccup in an application, it may return some detailed information about the problem that includes sensitive data. This can gives hackers an inside look at your vulnerabilities and where it will be easiest to attack your site. Always create error pages to bring the user to in case of an application failure.

6. Only enable what’s necessary

If your site has features and functionality installed that are not being used – remove them. Store the code in a safe place off of your server if you need to implement it later, but with less features comes less room for attack.