
Web Site Security. Is your Online Business Safe?

by Lee LeClair
As seen in Inside Tucson Business

A common question asked by business owners who rely on “working” web sites (that is, web sites with applications and databases behind them that interact with people) is whether their systems are secure enough. Today, it’s fairly common practice to have a firewall and a digital certificate to support encryption (SSL) of sensitive data like credit card numbers, but is that enough? Unfortunately, it is not. Computer security is an ongoing struggle that requires care and vigilance whether you are running servers or PCs.

As a business with a working web site, you probably have a web server and database operating your site. You’ve duly set up your firewall and only allow access to HTTP and HTTPS. Maybe you’ve got an antivirus program running on your server. If you’re exceptional, you even find and quickly apply security patches that come out for your server operating system. Isn’t that enough? It is pretty good and you need to do all of those things, but you need to do yet more. Having a firewall often provides a false sense of security whether it’s for your servers or your home PC.

What a firewall does is block forms of network traffic that you do not want to reach your servers. But you still have to communicate with your customers so you allow only web traffic (i.e., HTTP and HTTPS protocols). Your working web site uses these protocols to allow customers to view your web pages and interact with programs you have working on your website. Your web programs may provide a shopping cart, discussion forums, or any number of functions for your customers. What you need to be careful of now is how your web programs work as they communicate with your customers.

Unfortunately, mixed in among your customers are the bad guys, probing your web site applications for weaknesses. You can’t keep them out with a firewall because they are using the web protocols you allow (HTTP and HTTPS). What are they looking for? They are looking for ways to exploit your web programs to get more information than you want to give them, take control of your servers, steal something from you, or steal something from your legitimate customers. How can they do that?

They can do it in several different ways. They will look at how your web programs work, what technologies you use, whether your programs expose any information, how they accept information from customers, how they interact with databases, and how they interact with users’ web browsers. The technical names for what they try to do include buffer overflows, SQL injection, cross-site scripting, and so on. Essentially, users interact with web servers through a process of filling out forms and submitting them to the servers. If you think about the process for ordering something from Amazon or any online store, you select what you want, fill in information about your address, how you want it shipped, and your payment information, and then you place your order by clicking the submit button. Even if the connection is encrypted, the backend server programs could still be vulnerable to a buffer overflow, SQL injection, or cross-site scripting attack.

What should you do to protect your business web site? Make sure that your programmers understand what these attacks are and that the best way to fight them is to trust no data that users submit. Every data field submitted by a user should be limited in size and checked for allowable types of data. Anything else should be filtered out. Your programmers should ensure that your web programs reveal nothing (or the least possible) about backend actions happening on your servers. Then, have your site tested by a technically knowledgeable team for how well it works and to see if it can be broken. Finally, check your logs and web site statistics for any strange activity. And do keep that firewall out front and the patches up to date!
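As an added example (not code from the column or from Ephibian), here is how the “trust no data” rules above look for a hypothetical three-field order form: every field gets a size limit and an allowed pattern, rejected input produces generic messages that reveal nothing about the backend, stored values go through a parameterized query (the SQL injection defense), and anything echoed back to the browser is HTML-escaped (the cross-site scripting defense). The field names, limits and in-memory table are assumptions made up for the example.

```python
import html
import re
import sqlite3

# Per-field limits: maximum length and the pattern a value must match.
# Anything that fails either check is rejected outright (hypothetical rules
# for a small order form; adjust them to your own fields).
FIELD_RULES = {
    "name": (64, re.compile(r"^[A-Za-z][A-Za-z .'-]*$")),
    "zip": (10, re.compile(r"^\d{5}(-\d{4})?$")),
    "quantity": (3, re.compile(r"^[1-9]\d{0,2}$")),
}

def validate_order_form(form):
    """Return (cleaned, errors). Only known fields survive; unknown ones are dropped.
    Error text is generic on purpose: it never echoes the value or names backend parts."""
    cleaned, errors = {}, []
    for field, (max_len, pattern) in FIELD_RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not value or len(value) > max_len:
            errors.append(f"{field}: missing or too long")
        elif not pattern.match(value):
            errors.append(f"{field}: contains characters that are not allowed")
        else:
            cleaned[field] = value
    return cleaned, errors

def new_order_db():
    """Constructed in-memory table standing in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (name TEXT, zip TEXT, quantity INTEGER)")
    return conn

def save_order(conn, fields):
    """Store the order with a parameterized query: the driver binds the values,
    so submitted data never becomes part of the SQL text. Returns the row count."""
    conn.execute(
        "INSERT INTO orders (name, zip, quantity) VALUES (?, ?, ?)",
        (fields["name"], fields["zip"], int(fields["quantity"])),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def render_confirmation(fields):
    """Escape every value before it goes back into HTML sent to the customer."""
    return (f"<p>Thanks, {html.escape(fields['name'])}. "
            f"{html.escape(fields['quantity'])} item(s) ship to {html.escape(fields['zip'])}.</p>")
```

Validation happens before the data reaches the database or the page, so a value like `<b>Ann</b>` is refused with a message that does not repeat it; `render_confirmation` escapes as a second layer in case a value reaches it by another path.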

Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.