Expert Advice for Securing Your Site and Your Reputation
Is your company's Web site hacked?
In fact, according to a Websense Security Labs report (pdf),
To find out how a company can protect its site and its good name from being hijacked, I talked with Jeremiah Grossman of WhiteHat Security at last week's RSA security conference here in San Francisco.
His company helps secure sites by scanning for exploitable holes, but the custom
First, know where to look. Grossman says most exploitable vulnerabilities lie in the Web application layer, where custom code handles the communication between the Web server software and the database back-end. This makes sense, because a piece of Web software written by your own software developers isn't going to undergo the same security testing as say, the Apache Web server or an Oracle database (though said apps are subject to plenty of vulnerabilities themselves).
So Grossman says to make sure your developers are using current development tools, such as Ruby on Rails, and not old, outdated tools such as Classic ASP that can introduce holes.
Next, he suggests that you look into using a hosting provider instead of maintaining your own network and Web servers. Again, such companies don't provide guaranteed security, but they're more likely to keep systems up-to-date with security patches than a single, often-overworked systems administrator at a small company. I've worked as a sysadmin, and I know first hand how applying patches can often fall to the bottom of the to-do list when there are fires to fight.
If you only have a simple site with information on your company or your own professional services, you can find a number of free or inexpensive options for building and hosting your Web site, including a new beta offering from Grossman and cohorts at Roxer.com.
Finally, if you do host your own site (or want to double-check the security at your hosting provider), you should at a minimum use free tools or inexpensive services to check for known and commonly targeted holes in your network and servers. Grossman says the free Nessus security scanner I used to use years ago is still a good downloadable tool, and that Qualys (at qualys.com) offers an inexpensive vulnerability scanning service as well. Neither will find flaws in your own custom Web apps, but will help identify red flags like unpatched Web servers.