Archive for June, 2009

Steps to develop secure and trustworthy websites and web applications

submitted by Betha Aris CEH/CISA/CISSP, System Specialist

What role should the System Administrator and Developer play in the creation of more secure websites and web applications? Here is a step-by-step guide:

Securing the Web Server
The web server is one of the many public faces of an organization. Let’s take a look at some of the threats and the steps to secure the server:

  • Operating System Hardening
    OS hardening is a method of safeguarding the operating system from intrusions. It was developed in response to the rise in computer hacking incidents. Before putting a server into service, remove all non-essential tools and utilities, and check that the system's security features are activated and configured correctly.
  • Protecting from Denial of Service Attack
    A Denial of Service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. The main types of DoS attack are Buffer Overflow, SYN Flood, Smurf Attack and Zombie attack. One way to prevent these attacks is to install a good firewall that filters out potentially dangerous packets. Again, out-of-the-box System Administrator will likely be set up for ease of access to proactively search for damaging programs.
  • Protecting the Server from Remote and Local Exploitation
    There are a bunch of gangsters: they want to control your network, they want to deliver your emails, they want to know who does what and they try to shut down everything. Open your eyes and keep up to date with vulnerability development news; also apply patches to the system regularly.

Securing the Database
The database server is the foundation of virtually every electronic business; it holds sensitive financial data and must be guarded from competitors and unauthorized internal access. These are the actions you should take to configure and operate a secure database environment:

  • Securing default user accounts
  • Securing database access
  • Audit data access
  • Patch the database server against known and unknown vulnerabilities


Securing the Code

There are several ways hackers can manipulate the URL of a website to perform remote exploitation (SQL injection, XSS attack, RFI attack, remote buffer overflow attack, etc.). These are just some general tips for keeping your web applications protected:

  • Have your web code reviewed by a person to identify and correct vulnerabilities.
  • Do not instantly trust open-source code. If you find a nice open-source CMS on the internet that you would like to integrate into your site, use common sense and audit the original code. You can search for various web exploits and then read through the code yourself.
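
A first-pass triage for the audit advice above, as an added example that is not part of the original post: a Python script that flags PHP lines where request input reaches an SQL call, an echo or an include without an obvious sanitizer. The rule patterns, the sanitizer list and the sample PHP are constructed for illustration; hits are leads for manual review, not proof of a vulnerability.

```python
import re

# Request-controlled PHP superglobals (the "URL manipulation" entry points).
TAINT = r"\$_(GET|POST|REQUEST|COOKIE)\b"

# Heuristic rules for three bug classes named in the text (assumed, not exhaustive).
RULES = {
    "sql-injection": re.compile(r"(mysqli?_query|->query)\s*\(.*" + TAINT, re.I),
    "xss": re.compile(r"\b(echo|print)\b.*" + TAINT, re.I),
    "remote-file-include": re.compile(r"\b(include|require)(_once)?\b.*" + TAINT, re.I),
}
# Calls that suggest the input was neutralised on the same line (assumed list).
SANITIZERS = re.compile(
    r"htmlspecialchars|htmlentities|intval|basename|real_escape_string", re.I)


def audit(source, filename):
    """Return (filename, line number, rule) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        if SANITIZERS.search(line):
            continue  # not a first-pass hit; the reviewer still checks context
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((filename, lineno, rule))
    return findings


# Constructed sample: a fragment of a hypothetical CMS page.
SAMPLE = '''<?php
include($_GET['page'] . ".php");
echo "Hello " . $_GET['name'];
echo "Hello " . htmlspecialchars($_GET['name']);
$r = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
$r = mysql_query("SELECT * FROM users WHERE id=" . intval($_GET['id']));
// echo $_GET['debug'];
'''

if __name__ == "__main__":
    for name, lineno, rule in audit(SAMPLE, "sample.php"):
        print(f"{name}:{lineno}: possible {rule}")
```

The per-line sanitizer check is deliberately coarse: a sanitizer that does not fit the sink (for example `htmlspecialchars` on a value that goes into SQL) will suppress a hit, so sanitized lines still belong in the manual review.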


Monitoring the System

To protect the network from intrusions, deploy a host-based intrusion detection system or a network intrusion detection system. These systems are highly configurable and feature detailed logging, analysis of attacks and security alerts. The two systems complement other forms of security systems and add another defense against the growing security threat faced by all organizations.


Vulnerability Assessment

A large number of new vulnerabilities are discovered every day, so it is important to run regular network vulnerability scans of all your systems to ensure that your configurations are correctly set and that the proper security patches are applied.

  • Regular Audit
    It is recommended to perform an IT audit procedure on a daily, weekly or monthly basis (depending on the organization's IT policy) so that your computers are scanned for the latest threats and you are alerted immediately if they are at risk.
  • Keep the System Up to date
    Install the latest security updates, obtaining patches from trustworthy sources wherever possible.
  • Vulnerability Scanning
    Vulnerability scanning can be used to conduct network reconnaissance, which is typically carried out by a remote attacker attempting to gain information from a network. You can use a standard vulnerability scanner such as Nessus Vulnerability Scanner, which provides a view of your networks as seen by outsiders. It uses Nmap to scan for open ports and then attempts to determine what vulnerabilities may exist for the services it finds. It can then provide a detailed report that identifies the vulnerabilities and the critical issues that need to be corrected.

The Precision Group is a global business process outsourcing company with offices in Hong Kong, Isle of Man, Jakarta, London and Manila. It provides integrated middle and back-office support solutions, as well as creative and web services for the financial and professional services sector.
For more information, please visit our website at www.precision-group.biz

June 29, 2009

Outsourcing opportunities during recession

As written by Matthew Deayton, General Manager, Business Development

Outsourcing has become a key business tool for small and large companies across market sectors. But with the current economic downturn, have companies put a stop to outsourcing?
Based on our experience, the answer is a definite no. We are still grabbing business opportunities from the financial and professional services sector.

I recently attended a KPMG conference on outsourcing trends, and the advisory firm confirmed that the recession is opening new opportunities and focus on outsourcing, with companies seeking newer destinations to lower costs and get added benefits.

According to KPMG, the economic downturn’s impact on outsourcing varies by market. But it has emerged that demand for outsourcing from Asia Pacific is on the rise, creating a large opportunity for local suppliers to develop their capabilities.

The focus of companies looking to outsource has also changed as the economic outlook still looks gloomy. The World Bank expects the world economy to contract by 1.7% and global trade by 6.1% in 2009. While companies previously were willing to invest in outsourcing relationship more than longer term benefits, the recession has put the priorities on cost optimisation and sustainable innovation. In short, outsourcing has risen above being a mere cost-cutting tool to become more strategic to the overall business strategy.

In terms of outsourcing destinations, India is still popular but China is aggressively catching up, and other markets like the Philippines may get a second look.

The KPMG report said in aggregate, the majority of companies in Asia outsource to India at 55%, with China as the second most popular destination at 36%, Singapore at 20%, Hong Kong 16%, and the Philippines 7%.
KPMG said English is the main outsourcing language in India, but with its rapidly rising labour costs, English-speaking companies might give the Philippines, another English-speaking outsourcing destination, a second look.

The conference highlighted some of the key factors that make a location attractive to outsourcing, which included:

  • Demographics – a large pool of well educated people available at a highly competitive cost
  • Infrastructure – stable environment in which to operate, power, internet connectivity, access to the work place.
  • Political Stability – giving confidence to potential clients that the operation is not going to be shut down due to political unrest.

There are other factors like rule of law, protection of intellectual property rights, and track record. But the three factors stated above in bullet points were significant barriers for us to attract clients in Indonesia or the Philippines had we entered these markets several years back. Things have changed. Fewer of the well-educated population are attracted to go overseas as more opportunities open locally, the infrastructure has improved significantly, and the political stability is much more evident.

We are in a perfect position to be a key outsourcer of business processing, and we already have a core, well-experienced team in our specialised field of financial services. As China attracts more outsourcing to this side of Asia, all the region’s countries will benefit. In addition, having representative offices in Hong Kong and Manila positions us well to capture part of the market migrating south.

June 9, 2009

