How To Build Secure Websites

Cyber crime rates have doubled in the past 12 months and cyber criminals are attacking websites left and right. Network administrators, IT managers, software architects and web developers are responsible for building and maintaining secure websites.

In this article, I will cover some basic tips that will help you build secure websites.

We can divide website security into two categories – developing and maintaining. Developing secure websites falls in the lap of developers and architects and maintaining secure websites is a responsibility of server administrators.

Developing secure websites

Building a secure web application is the first step towards building a secure website. If a web application has security holes, it is more open to attack by hackers. As a matter of fact, SQL Injection is responsible for 62% of cyber attacks and hacking. You can read a full report in my article, Top 10 Web Application Security Risks.

Before a web application can be deployed to a Web server and exposed to the outside world, it must be developed securely. The group of people who are responsible for building secure web applications are architects, database administrators, and developers. Testers are also involved in the process.

Here is a list of some simple tips for Web architects and developers to build secure web applications.

Encrypt Data

Data security is the most important aspect of Web security. Most of the data stored in databases is plain and open. While most of the data can be stored plain, sensitive data must be encrypted in the database. The cost of storing encrypted data isn’t much. As a matter of fact, these days, most of the new versions of database systems come with built-in encryption options. For example, SQL Server 2017 lets you encrypt the entire database using simple SQL commands. Check out Always Encrypt In SQL Server 2016.

Some of the common data that must be encrypted include user ids, emails, passwords, social security numbers, date of birth records, credit card details, password hint answers, personal health records, private chats and messages, financial records, and banking information.

On top of this, you could apply double encryption (in code) to the most sensitive data such as passwords, credit card information, social security numbers, and anything else you think is valuable.

This one simple step is a part of application architecture and database design that does not require a ton of overhead.

Stop SQL Injection

SQL Injection is responsible for 62% of cyber-attacks and hacking. SQL Injection is a technique hackers use to exploit SQL queries and URLs used in web applications. Here are two good articles: Protect Your Data – Prevent SQL Injection and Best Practices to Prevent SQL Injection. To learn more, including how to write code that avoids SQL Injection, see the list of more Articles on SQL Injection.

Remove Embedded SQL

Using embedded SQL queries in your code may give hackers an easier path. If possible, use stored procedures or encrypted queries to make it difficult for hackers. If you must use SQL queries, under no circumstances should they be a part of your presentation layer code (HTML, ASP.NET, JavaScript etc.). They must be moved to your server-side code. If you’re just building a UI layer, the data transfer should be performed via secure APIs.

Secure Credentials

Developers often store database server credentials in configuration files. No matter what, all database servers and other server connections and settings must be encrypted. Try to avoid hardcoding server credentials. If you must hardcode credentials in your code, make sure they are encrypted and the private/public key is stored securely somewhere.

Database systems may also have a mechanism to secure database connections. For example, SQL Server and Azure SQL allow secure database connections. See Enable Encrypted Connections To Database Engine.

Enforce Complex Passwords

Simple passwords are one of the reasons most hackers get into a system. According to the Verizon Data Breach Investigations Report (DBIR), 63% of confirmed data breaches are due to weak or stolen passwords.

The complexity of passwords, also known as password strength, is a measure of a password's effectiveness against attackers. Here are some of the key points developers can enforce to create complex passwords.

  • Require a minimum password length of at least 8 characters
  • At least one upper case, one lower case, one number, and one special character
  • Don’t allow names and user ids as a part of a password
  • Don’t allow old passwords to be repeated
  • Enforce frequent password changes (for some systems), for example every 60 days
  • Password reset should have security questions and/or email and phone number pin verifications
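A validator for the length, character-class, name/user-id and reuse rules in the list above, as an added example that is not code from the original article. The function names, the three-character minimum for name matching, and the use of salted PBKDF2 digests to remember old passwords are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8  # minimum length from the list above

def hash_password(password, salt=None):
    """Return (salt, digest); PBKDF2-HMAC-SHA256 is an assumption of this example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def was_used_before(password, history):
    """history holds (salt, digest) pairs for old passwords, never the plain text."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )

def check_password(password, user_id, full_name, history):
    """Return the list of rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Reject the user id or any part of the name, ignoring case.
    lowered = password.lower()
    tokens = [user_id] + full_name.split()
    if any(len(t) >= 3 and t.lower() in lowered for t in tokens):
        problems.append("contains name or user id")
    if was_used_before(password, history):
        problems.append("reuses an old password")
    return problems

if __name__ == "__main__":
    old = [hash_password("Autumn#2023x")]  # constructed password history
    print(check_password("smith1", "jsmith", "Jane Smith", old))
    print(check_password("Winter!Coat77", "jsmith", "Jane Smith", old))
```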

Implement Proper Authentication and Authorization

Broken Authentication is the number-two cause of Web application security risks according to OWASP Web Application Top 10 Security Risks. By implementing recommended best practices, developers can avoid major security risks in their applications. Applications that implement authentication and session variables incorrectly allow hackers to hijack passwords, keys, session tokens, and other credentials stored in sessions. Cookies are another method that can be used to exploit application security. Here is a good article: OWASP Authentication Cheat Sheet.

Secure APIs

APIs are a common data exchange mechanism between applications. Developers must ensure that all APIs are secure and use SSL and other best practices. The connection credentials and other sensitive data must be properly encrypted.

Implement Exceptions and Error Handling

Proper exception and error handling may not fix application security, but it can help troubleshoot a problem so that it can be patched. Developers must make exception and error handling a habit and a part of their coding practices.

Implement Logs and Analytics

Logs and analytics do not fall in the security bucket but can lead to finding and fixing a hole. Tracking and logging activities such as user login, location, browser and so on can help track suspected users of a website. Developers should make a habit of implementing analytics such as Google Analytics for public websites that keep track of almost every activity of the website's visitors.

Keep websites secure and out of reach of hackers

Once a website is developed and deployed, it is up to network administrators and IT managers to secure the website and keep it secure from the attackers. Here are some of the key items to consider.

Keep Web Server Secure

The Web server is one of the most important and critical components of a web infrastructure. It is responsible for hosting a Web site and its related code, services, and all required files.

Here is a list of tasks Web server administrators should perform to keep Web and Database servers secure.

  • Separate development, staging, and production environments
  • Keep Operating System on its own hard drive partition
  • Enable tight security on Web Server including permissions and access
  • Keep separate user logins and their permissions based on their roles
  • Remove unnecessary services and don’t install them during installations
  • Disable remote access. If you must provide remote access, it should be on a secure network
  • Keep web application, scripts, and all code on a separate partition of the hard drive
  • Install Firewall and necessary products
  • Websites should be secure using the latest version of SSL and other protocols
  • Close all default open ports
  • Make sure to change and separate Admin logins and passwords from Web application administrators
  • Configure and enable Web server and other logs
  • Provision web server for latest technologies such as containers
  • Make sure to allocate and separate proper resources for web applications and services
  • Avoid using shared servers among multiple clients
  • Do not enable write permissions on server’s file system

Secure Database Server

Here is a list of tasks database administrators must do to secure database servers.

  • Make sure database server is separate from a Web server
  • Secure and encrypt login credentials
  • Implement separate user logins for separate web applications
  • Don’t give database users write and delete permissions unless necessary
  • Use object permissions on database tables and objects
  • Use secure mechanism to provide data access
  • Store and monitor database logs

Security Patches and Updates

Keep your servers up to date with the current patches including OS patches, database upgrades, and other software upgrades.

Monitor Traffic

Implement a proper mechanism to monitor server traffic and a fraud protection mechanism for suspected traffic.

Monitor Application Logs and Exceptions

Web applications must implement recording of recommended logs and exceptions. Server administrators should work with application managers to monitor application logs and exceptions frequently.
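One way to review the login activity that the application records (see Implement Logs and Analytics above), as an added example that is not code from the original article: it flags source addresses with a burst of failed logins. The log format, the sample lines, the function names and the threshold of 4 failures in 5 minutes are all constructed for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, user, source IP, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 login user=alice ip=203.0.113.7 result=fail
2024-05-01T10:00:03 login user=bob ip=203.0.113.7 result=fail
2024-05-01T10:00:05 login user=carol ip=203.0.113.7 result=fail
2024-05-01T10:00:09 login user=dave ip=203.0.113.7 result=fail
2024-05-01T10:01:30 login user=alice ip=198.51.100.20 result=fail
2024-05-01T10:01:45 login user=alice ip=198.51.100.20 result=ok
2024-05-01T10:20:00 login user=erin ip=203.0.113.7 result=fail
"""

def parse_line(line):
    """Turn one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"user", "ip", "result"} <= fields.keys():
        return None
    try:
        fields["time"] = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return fields

def suspicious_sources(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: users} for IPs with at least `threshold` failures inside `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["result"] == "fail":
            failures[event["ip"]].append((event["time"], event["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        # Slide over each run of `threshold` consecutive failures.
        for i in range(len(events) - threshold + 1):
            burst = events[i:i + threshold]
            if burst[-1][0] - burst[0][0] <= window:
                flagged[ip] = sorted({user for _, user in burst})
                break
    return flagged

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```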

Audit Server Logs

Monitor server logs frequently.

Educate Users

Server administrators must educate Web administrators, developers, and even management about the importance of security and discourage them from downloading and making frequent changes. All changes on the servers must be logged, reviewed, and approved.
