Understanding Web Application Security
If the Pentagon and the White House can both be hacked, then so can you. Now, please don’t think for a second that I think the members of the Pentagon and White House are in any way more intelligent or better than you (I’m convinced of quite the opposite, without even meeting you), but I am assuming they have pretty good cyber security.
The long and short of it is that all web applications, especially those accessible via the internet, are vulnerable to attack. The objective of an attack can range from an inquisitive teenager filling a lonely night, to criminal activity such as using your server for their own purposes, to stealing your data.
Despite media coverage, and recognition of the issue by most people, I still get the sense that many assume they are at low risk compared to everyone else. This is as true of big corporates as it is of small businesses and one-man-band websites.
Three misguided things I often hear are:
1. I don’t need to pen test as my hosting provider has a good firewall.
There is quite a common assumption that a good firewall is enough to keep a web app secure (particularly with hosted systems, PaaS or customised SaaS solutions). From that, people conclude, incorrectly, that making sure the site and its code cannot be hacked is unnecessary. This is flawed. And reckless. And stupid.
A firewall is simply the first line of defence. A network firewall has to let HTTP and HTTPS traffic through to the web application, so an attack carried inside an ordinary web request (SQL injection, cross-site scripting, a guessed admin password) goes straight past it. If the firewall is breached, or sidestepped completely as is often the case, the website itself should be able to withstand an attack.
2. If a hacker really wants to get in, then they will do so regardless of what I do.
Well, yes, maybe. However, don’t assume that every attacker has the skill, time or tenacity required to get in. If you make it hard enough, the vast majority of attacks will fail. By minimising your vulnerabilities and creating multiple lines of defence you make it more difficult to be hacked.
Attackers look for vulnerabilities to exploit, so you need to minimise them, in the same way you do with your house: as well as locking the door, you still hide the jewellery when you go on holiday.
3. My site doesn’t have any valuable data or anything worth being hacked for
It’s true that the breaches that hit the headlines are usually about data theft. However, many hacks are not after your data at all: they use your server as an email relay for spam, or as a temporary web server, normally to conduct illegal activity. Using your server to mine cryptocurrency is getting more common these days.
If compromised, your website can be used to redirect your visitors to fake or bogus websites, install malware on visitors’ own computers (sometimes to steal their personal data), send emails or attack other websites.
If I had to summarise, there are six things you need to do to keep your site safe:
1. Make sure admin passwords are long, unique and kept somewhere safe. Also change the admin username to something a hacker won’t guess. Never leave it as “admin”.
2. Get a good firewall
3. Get some good anti-virus software
4. Keep your software, including database versions, operating system and WordPress (plus its themes and plugins), up to date with the latest patches and releases.
5. Ensure good coding standards, so that every piece of user input is validated and handled safely (parameterised database queries, output encoding, proper authentication checks).
6. Have your site scanned and penetration tested on a regular basis to identify vulnerabilities so that they can be fixed.
So, assume you have secure passwords, a good firewall and anti-virus. I’m pretty sure that most people have no idea what coding standards their developers might or might not have had, or whether they were adhered to. So what do you do next?
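To make points 1 and 5 concrete, and the earlier point that a firewall does not stop attacks carried inside a normal web request, here is an added example that is not part of the original article. It shows a login check written the vulnerable way, the same check written with a parameterised query, and the form POST the attacker actually sends, which is an ordinary request that a network firewall has to let through to the web server. The database, table, user "alice" and the "placeholder-hash" value are all constructed for the example.

```python
import sqlite3
from urllib.parse import urlencode, parse_qs

# Constructed sample data for the example: one user in an in-memory database.
# A real site stores a slow password hash (bcrypt, argon2), never plaintext;
# the value here is only a placeholder string.
USER = "alice"
STORED_HASH = "placeholder-hash-for-alice"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USER, STORED_HASH))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: the submitted values are spliced into the SQL text,
    so a quote in the username changes the meaning of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password_hash):
    """Hardened: a parameterised query. The driver passes the values separately
    from the SQL, so they are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def as_form_post(fields):
    """Encode the login form the way a browser would. This is everything a
    network firewall can see, and it looks like any other login attempt."""
    body = urlencode(fields)
    return (
        "POST /login HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n" + body
    )


def parse_form_post(raw):
    """What the application receives once the request is past the firewall."""
    body = raw.split("\r\n\r\n", 1)[1]
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# The attacker's input: a quote closes the string, "--" comments out the
# rest of the WHERE clause (including the password check).
ATTACK = {"username": "alice' --", "password_hash": "not-the-real-hash"}


def run_demo():
    conn = make_db()
    raw = as_form_post(ATTACK)
    fields = parse_form_post(raw)
    return {
        "request_is_ordinary_post": raw.startswith("POST /login HTTP/1.1"),
        "vulnerable_lets_attacker_in": login_vulnerable(conn, fields["username"], fields["password_hash"]),
        "fixed_rejects_attacker": not login_fixed(conn, fields["username"], fields["password_hash"]),
        "fixed_accepts_real_user": login_fixed(conn, USER, STORED_HASH),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The vulnerable query ends up as `... WHERE username = 'alice' --' AND password_hash = '...'`, so the password comparison is never evaluated and the attacker is logged in as alice without knowing the password. The parameterised version compares the literal string `alice' --` against the username column, finds nothing, and refuses the login. Nothing in the request itself would look unusual to a port-based firewall, which is the point: the fix has to be in the code.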
The answer is to perform a vulnerability assessment (sometimes called a security scan) and a penetration test (sometimes called a security test). A security scan and security test will let you know how secure your web app is, allowing you to make any necessary changes. If a tester can compromise your site, server or network, then a hacker can too.
Is a security test the same thing as a security scan?
I know that some may argue with me, but I’m pretty comfortable stating that a security test and a penetration test are the same thing and the terms can be used interchangeably. However, sometimes the phrase security test and security scan are wrongly used interchangeably.
A security scan (or vulnerability assessment) uses a set of automated tools to scan your server, infrastructure and web application for known vulnerabilities, such as missing patches or old versions of software, operating systems or database systems. In general, these vulnerabilities can be removed with an upgrade. Bear in mind that scanners also report things that turn out to be false positives, and they miss flaws that need a human to find, such as authorisation mistakes and business-logic errors.
A penetration test or security test often starts with a vulnerability scan, to see whether there are any flaws that can be exploited to give the security tester (who is simulating a hacker) an entry point into your system. A penetration tester (a real person) then tries many different ways to hack into your system.
The objective of the penetration test is to identify the various ways a system can be hacked so that those vulnerabilities can be rectified.
Just as a functional test simulates real user behaviour, a good security test simulates real-world attacks by hackers. A penetration tester adopts the role of a hacker and attempts to breach your defences to get access to your web application, and ultimately the data, web pages, server or network. Once inside, what they can get up to and exploit depends on the further defences you may or may not have in place. Segregation of data and application code, different admin usernames and passwords for different components of your technology stack, anti-virus software and encryption will all limit the damage that can be caused once the perimeter is breached.
Typically, a security test will identify many vulnerabilities (we are talking tens or hundreds). These will be prioritised as high, medium and low risk so that the development and infrastructure teams can fix them. As with functional testing, the fixing should be followed by a second round of testing to make sure the vulnerabilities are no longer present.
How often should I security test?
It's recommended that you run a security test with every release, and at least once a year regardless, as cyber-attacks are constantly evolving. It’s also really easy to introduce a new vulnerability into your code with an ordinary change. Good penetration testers keep up with newly discovered vulnerabilities and the techniques hackers are using to exploit them.