Website Security Advanced Evaluation

Posted on July 12, 2017 at 9:50 pm

2 Comments

Internet has revolutionized the world primarily due to World Wide Web (www). Currently, there are more than 1 Billion websites on the web. That number is growing with each passing day, as more of the world gets connected and technology makes it easier for people to have a voice and online presence through websites. Websites are the way we shop, work, pay our tax bill and run our businesses.

Initially, websites was functionality focused and much of attention was paid to designing, user interfaces, user experiences and functionality of the web.
Over the period of time, websites became an easy target for hackers due to easy accessibility and little to no security features implementation. Prevalent, threats to websites are related to online privacy, security and transactions. Website security encompasses more than the information in transit between your server and visitors to your website. Enterprises need to take utmost care of their websites as part of an entire ecosystem that needs constant care and attention, if they want to retain people’s trust and confidence.

Web sites will be at stake as ecommerce becomes increasingly common in our daily lives. From ordering groceries to booking holidays, we are doing more and more online. In fact, Ecommerce Europe reports that global business-to consumer ecommerce turnover grew by 24 percent to reach $1,943 billion in 2014 and business-to-business ecommerce is expected to be worth $6.7 trillion by 2020. Website security has never been more important or relevant. The consequences of failing to reinforce website security are likely to extend beyond the costs to an individual company, it will not only damage the consumer confidence but also the company’s repute and financial losses will be huge.

Websites are vulnerable to attacks leading to malware and data breaches. Websites are road to much sophisticated attacks as these are a way into a company’s network, these are a way into company’s data repositories and these are a way to reach company’s customers and partners.

Website Vulnerabilities Trends in 2015-2016

Websites succumb to following vulnerabilities and attacks as per statistics and research conducted in 2015 and 2016.

Arbitrary Code Execution

Arbitrary code execution is used to describe an attacker's ability to execute any command of the attacker's choice on a target machine or in a target process.

Remote Code Execution

Remote code execution is the ability an attacker has to access someone else's computing device and make changes, no matter where the device is geographically located.

SQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Directory Traversal

Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory. Web servers provide two main levels of security mechanisms. Access Control Lists (ACLs) Root directory.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Weak Passwords

A password that is easy to detect both by humans and by computer. People often use obvious passwords such as the names of their children or their house number in order not to forget them. However the simpler the password, the easier to detect.

Source Script Disclosure

Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users, formulate attacks against the application.

Server Side Scripting

Server-side scripting is a technique used in web development which involves employing scripts on a web server which produce a response customized for each user's (client's) request to the website. The alternative is for the web server itself to deliver a static web page.

Over Flow

In a computer, the condition that occurs when a calculation produces a result that is greater in magnitude than that which a given register or storage location can store or represent.

Website Penetration Testing

Website security testing is an intricate phenomenon which not only involves network security related aspects to be considered for evaluating a web but also web specific aspects to be considered.

What Should Be Tested?

An organization should conduct a risk assessment before the penetration test, which will identify the main threats to the network, including the following:

  • Communications failure, e-commerce failure, and loss of confidential information.
  • Public systems i.e. web sites, e-mail gateways, and remote-access platforms.
  • Mail, DNS, firewalls, passwords, FTP, IIS, and Web servers.
  • Important production systems.
  • Systems belonging to important as well as regular customers.

Testing should be performed on all hardware and software components of the network security system.

What Makes a Good Penetration Test?

The following activities will ensure a good penetration test:

  • Establishing the parameters for the penetration test, such as objectives, limitations, and justifications of the procedures.
  • Hiring highly skilled and experienced professionals.
  • Appointing a legal penetration tester who follows the rules in the nondisclosure agreement.
  • Choosing a suitable set of tests that balances costs and benefits.
  • Following a methodology with proper planning and documentation.
  • Documenting the results carefully and making them comprehensible for the client. The penetration tester must be available to answer any queries whenever there is a need.
  • Clearly stating findings and recommendations in the final report.

Penetration Testing Process

The process for performing a penetration test in an organization must be determined before testing the networking devices and system vulnerabilities. The penetration testing process includes the following sub-processes:

Website Security Evaluation Methodology

Website security evaluation process should be done in a standard, systematic and strategic manner. A methodology ensures that the process is a standard manner with documented and repeatable results for a given security posture. There are various methodologies and industry best practices for testing websites but the most notable one is OWASP (Open Web Application Security Project).

Penetration testing is performed to ascertain security posture of a website. A penetration test involves the systematic analysis of all the security measures in place. Penetration tester should check for following aspects to ascertain website security:

  • Network surveying.
  • Port scanning.
  • System identification.
  • Services identification.
  • Vulnerability research and verification.
  • Application testing and code review.
  • Web application firewall testing.
  • Testing as per OWASP.
  • Testing of security controls employed.
  • Trusted-systems testing.
  • Password cracking.
  • Denial-of-service testing.
  • Access-controls testing.

Recommendation and Guidelines for Secure Website

Following is recommended for a website to be secure:

  • Employ defense-in-depth strategies.
  • Monitor for network incursion attempts, vulnerabilities, and brand abuse.
  • Employ malware detection mechanism.
  • Secure websites against attacks and malware infection.
  • Protect private keys.
  • Use encryption protect sensitive data.
  • Be aggressive in updating and patching.
  • Enforce an effective password policy.
  • Ensure regular backups are available.
  • Restrict email attachments.
  • Ensure infection and incident response procedures are in place.
  • Get in line with industry standards and best practices.
  • Use and configure SSL/TLS correctly.

Makis Mourelatos

WordPress Security Engineer at FixMyWP
WC Athens 2016 co-organizer, WP Support and Security Aficionado, Wannabe Kitesurfer.

Comments (2)

  1. Bronwyn Reply

    July 14, 2017 at 1:46 am

    Great article. I think most small businesses have no idea how serious website security can be.

Leave a Reply

Your email address will not be published. Required fields are marked *