Steps to develop secure and trustworthy websites and web applications
June 29, 2009
submitted by Betha Aris CEH/CISA/CISSP, System Specialist
What role should the System Administrator and Developer play in the creation of more secure websites and web applications? Here is a step-by-step guide:
Securing the Web Server
The web server is one of the many public faces of an organization. Let's take a look at some of the threats and at the solutions for securing the server:
- Operating System Hardening
OS Hardening is a method of safeguarding the Operating System from intrusions. It was developed in response to the rise in computer hacking incidents. Before putting the system into use, remove all non-essential tools and utilities so that the security features of the system are activated and configured correctly.
- Protecting from Denial of Service Attack
A Denial of Service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. The main types of DoS attack are Buffer Overflow, SYN Flood, Smurf Attack and Zombie attack. This attack can be prevented by installing a good firewall to filter out potentially dangerous packets. Again, an out-of-the-box system will likely be set up for ease of access, so the System Administrator should proactively search for damaging programs.
- Protecting the Server from Remote and Local Exploitation
There are a bunch of gangsters out there: they want to control your network, they want to deliver your emails, they want to know who does what and they try to shut down everything. Keep your eyes open and stay up to date with vulnerability development news; also apply patches to the system regularly.
Securing the Database
The database server is the foundation of virtually every electronic business; the database holds sensitive financial data and must be guarded from competitors and from unauthorized internal access. These are the actions you should also be taking to configure and operate a secure database environment:
- Securing default user accounts
- Securing database access
- Audit data access
- Patch the database server against known and unknown vulnerabilities
Securing the Code
There are several ways hackers can manipulate the URL of a website to perform remote exploitation (SQL injection, XSS attacks, RFI attacks, remote buffer overflow attacks, etc.). These are just some general tips for keeping your web applications protected:
- Have your web code reviewed by a person to identify and correct vulnerabilities.
- Do not instantly trust open-source code. If you find a nice open-source CMS on the internet that you would like to integrate into your site, use common sense and audit the original code. You can search for various web exploits and then read through the code yourself.
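To make the SQL injection and XSS points above concrete, here is an added example (not code from the original post) showing the same user lookup written first with the URL parameter pasted into the SQL text, then with a parameterized query, plus HTML escaping of anything echoed back to the browser. It uses an in-memory SQLite database with constructed sample rows; the table and column names are assumed for illustration.

```python
"""Vulnerable vs. hardened user lookup for a web page that takes a
?name= parameter. Sample data is constructed; 'users' is an assumed table."""
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_vulnerable(con, name):
    """Interpolates the URL parameter straight into the SQL string:
    the classic injection flaw the post warns about."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, name):
    """Parameterized query: the driver keeps data separate from SQL text,
    so a crafted parameter can only ever match a literal name."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def render_result(rows, name):
    """Escapes user-controlled text before it reaches the HTML page;
    this is the matching defense against reflected XSS."""
    safe_name = html.escape(name, quote=True)
    items = "".join(
        f"<li>{html.escape(r[0])} &lt;{html.escape(r[1])}&gt;</li>" for r in rows
    )
    return f"<p>Results for {safe_name}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # a parameter value a URL-manipulating user might send
    print(lookup_vulnerable(db, tampered))  # every row leaks
    print(lookup_hardened(db, tampered))    # []: no user is literally named that
    print(render_result(lookup_hardened(db, "<script>"), "<script>"))
```

The vulnerable function returns the whole table for the tampered parameter, while the parameterized version returns nothing, and the renderer neutralizes markup in the echoed parameter.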
Monitoring the System
In order to protect the network from intrusions, apply a host-based intrusion detection system or a network intrusion detection system. These systems are highly configurable and feature detailed logging, analysis of attacks and security alerts. They complement other forms of security systems and add another layer of defense against the growing security threats faced by all organizations.
Vulnerability Assessment
A large number of new vulnerabilities are discovered on a daily basis, so it is important to do regular network vulnerability scanning of all your systems to ensure that your configurations are correctly set and that the proper security patches have been applied.
- Regular Audit
It is recommended to perform an IT audit procedure on a daily, weekly or monthly basis (depending on IT organizational policy) to ensure your computer is scanned for the latest threats and that, if it is at risk, you are immediately alerted.
- Keep the System Up to Date
Install and patch the system with the latest security updates, from trustworthy web sources wherever possible.
- Vulnerability Scanning
Vulnerability scanning can be used to conduct network reconnaissance, which is typically carried out by a remote attacker attempting to gain information from a network. You can use standard vulnerability scanners such as the Nessus Vulnerability Scanner, which provides a view of your networks as seen by outsiders. It uses Nmap to scan for open ports and then attempts to determine what vulnerabilities may exist for the services it finds. It can then provide a detailed report that identifies the vulnerabilities and the critical issues that need to be corrected.
The Precision Group is a global business process outsourcing company with offices in Hong Kong, Isle of Man, Jakarta, London and Manila. It provides integrated middle and back-office support solutions, as well as creative and web services for the financial and professional services sector.
For more information, please visit our website at www.precision-group.biz