In the second week of our journey through the main causes of website vulnerabilities we want to draw your attention to website security best practices.
The best way to ensure the security of an application is to include security practices in the development process. Here, "security practices" means developing any website or application with security in mind from the start. We saw last week that insecure coding, focused mainly on making things work, generates a wide range of vulnerabilities.
However, as many of you already have a fully developed website or application, this week our attention is on the security practices that apply to a functioning application and on how failing to implement them weakens its security level.
We will talk about some simple, one-step practices, as well as practices that require a strategy to be worked out. In the first category we find:
1. HTTPS implementation (the website's URL should begin with https://)
HTTPS is an encryption method that secures the communication between a browser and a web server. Its main objective is to protect data in transit; initially, HTTPS was used only by websites handling sensitive data.
Nowadays, HTTPS has become a standard on the internet. By encrypting the data in transit in both directions (going to the web server and coming back from it), the HTTPS protocol brings benefits to both users and website owners:
- for users, HTTPS is a good indicator that they are talking to the proper web server and that no third party can interfere with or alter their content or information. HTTPS is therefore effective in preventing man-in-the-middle attacks – you can read more about this type of attack here
- for owners, the HTTPS protocol improves Google rankings. As Google has confirmed, its ranking algorithm favours websites that use HTTPS because they give users a more secure internet experience. A website without HTTPS is marked by Google as not secure.
Therefore, implementing the HTTPS protocol is mandatory for any website.
2. Proper SSL certificate
At this point you need to understand the difference between the HTTPS protocol and an SSL certificate.
An SSL certificate is a digital certificate purchased and installed on a server, used to encrypt the data exchanged between the user's browser and the website's server. The SSL certificate enables the HTTPS protocol and thus the secure communication between browser and web server. Therefore, the SSL certificate and the HTTPS protocol are interconnected.
In addition to encryption, a proper SSL certificate verifies and confirms the authenticity of the entity that requested it.
In a man-in-the-middle attack, a third party pretends to be your website so it can trick customers and steal their personal information. SSL certificates from trusted providers help prevent man-in-the-middle attacks because the identity of the entity requesting the certificate is checked and verified by the provider. Also, when choosing an SSL certificate, keep in mind that some types involve more identity checks than others.
Considering the essential role of a proper SSL certificate (issued by a trusted provider) in preventing man-in-the-middle attacks, additional attention should be paid to avoiding any mis-issued, fake, expired or self-signed SSL certificates.
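To make the warning about expired, self-signed or mismatched certificates concrete, here is an added example (not code from the original post) that audits a certificate in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns and lists the reasons a browser would refuse it. The certificate values in `SAMPLE_CERT` are constructed, and the `hostname_matches` and `certificate_problems` names are this example's own.

```python
import ssl
import time

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert();
# not a real certificate: it is self-signed (issuer == subject) and long expired.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "shop.example"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}


def _names(field):
    """Flatten the nested RDN tuples of a subject/issuer field into a dict."""
    return {key: value for rdn in field for key, value in rdn}


def hostname_matches(cert, hostname):
    """True if a DNS SAN covers hostname; a '*.' entry matches exactly one leading label."""
    hostname = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            if hostname.endswith(value[1:]) and hostname.count(".") == value.count("."):
                return True
        elif value == hostname:
            return True
    return False


def certificate_problems(cert, hostname, now=None):
    """Return the reasons a browser would refuse this certificate (empty list if none)."""
    now = time.time() if now is None else now
    problems = []
    if _names(cert["subject"]) == _names(cert["issuer"]):
        problems.append("self-signed: no trusted provider vouches for the identity")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (notBefore " + cert["notBefore"] + ")")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (notAfter " + cert["notAfter"] + ")")
    if not hostname_matches(cert, hostname):
        problems.append("certificate does not cover hostname " + hostname)
    return problems
```

The issuer-equals-subject test is a heuristic for "nobody else vouched for this certificate"; in production the chain validation done by `ssl.create_default_context()` remains the authoritative check.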
3. Secure cookies
When it comes to cookies, everyone knows that they are responsible for our highly personalised experience on the internet. Cookies are just text files that store information about a user's activity on websites (searches, login data, etc.) and track the interaction between the browser and the web server. As the demands of online advertising have grown, new cookies with a greater capacity to store a wide range of information have emerged.
Cookies present vulnerabilities precisely because they are plain text holding information that can be changed or rewritten. You may think that cookies marked as "secure" (because they are only sent over the HTTPS protocol) are safe from man-in-the-middle attacks. But the HTTPS protocol ensures only their confidentiality, not their integrity. Therefore, even secure cookies may still be changed or rewritten.
Several types of threat relate to cookies: an attacker may impersonate legitimate websites to steal cookies from users, may steal insecure cookies to impersonate those users, and may forge the information in a cookie to impersonate other users.
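The integrity gap described above, as an added example that is not code from the original post: the server attaches an HMAC tag to the cookie value and verifies it on every request, so a rewritten cookie is rejected regardless of how it was transported, and the Secure, HttpOnly and SameSite attributes are set alongside. `SERVER_KEY` is a constructed placeholder and the function names are this example's own.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Server-side key; assumed to come from configuration and never sent to the browser.
# This value is a constructed placeholder for the example.
SERVER_KEY = b"constructed-demo-key-change-me"


def sign_cookie_value(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag so any change to the value is detectable server-side."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_cookie_value(signed, key=SERVER_KEY):
    """Return the original value, or None if the tag is missing or does not match."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte via timing
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def build_session_cookie(user_id):
    """Set-Cookie header: Secure (HTTPS only), HttpOnly (no script access), SameSite=Lax."""
    cookie = SimpleCookie()
    cookie["session"] = sign_cookie_value(str(user_id))
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def user_from_cookie_header(header):
    """Parse an incoming Cookie header; return the user id only if the tag verifies."""
    cookie = SimpleCookie()
    cookie.load(header)
    if "session" not in cookie:
        return None
    return verify_cookie_value(cookie["session"].value)
```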
However, in the context of an internet that is ever more dangerous and complex, you need to be organised and informed, and to build a clear strategy that ensures effective and sustainable protection of your website. If you want to know what a cybersecurity strategy means, you can find out here.
Therefore, the practices above should be basic steps within a strategy that involves:
- performing a vulnerability assessment – MANDATORY! We cannot stress enough the importance of a vulnerability assessment for a coherent strategy. At this stage you identify all the sensitive data you manage and the factors that may affect your website's security;
- ranking the identified risks. The vulnerability assessment assigns a risk ranking to each vulnerability, so you can make a plan and start by fixing the most severe ones. That way your energy and budget are not spread across vulnerabilities that are neither urgent nor severe (vulnerabilities will always exist, but that does not mean they are all of the utmost importance);
- performing penetration tests from time to time, which give you an overview of the current state of your website's security and of how the threats evolve (e.g. whether their severity has increased). For a proper result, choose a combination of automated and manual detection, the most comprehensive way to gain visibility over your vulnerabilities.
Besides the above, do not forget some simple and effective measures such as updating your software regularly (updates usually include security improvements), changing your passwords and choosing strong, unique ones, always keeping backups (of files, plugins, themes, databases) and using firewalls.
Have a look at our first article in the series, about coding flaws.