A solid level of security can be achieved with a fairly simple checklist. While the list is easy to understand, the strategy and time required to implement it for your website will vary.
Your authority on website security should be OWASP, the Open Web Application Security Project. Each year they publish the top 10 web application security risks.
OWASP mostly aims its material at developers, while this article makes the same information accessible to business owners who may be managing a development team.
What is it?: Injection is the single most exploited flaw across websites. It occurs where an attacker tricks a website into executing a malicious set of instructions, usually against the database.
How is it done?: An attacker will often target forms on your website, but instead of typing in genuine expected information like a first name or phone number, they will attempt to enter instructions for your database to perform, such as returning a list of your important data.
What is the impact?: An injection has the potential to cause data loss, corruption of data and unauthorised access to all of your data. Full access to data can also mean gaining full access to your application, which could allow the attacker to discover and move on to other applications that you manage.
What can you do?: The fix is rather simple: your developers must start using prepared statements or stored procedures. Both methods treat all data entry purely as data and never as instructions. The solution is effective as long as your developers don’t later use ‘exec’ functions, which would circumvent the safety of the solution.
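The form-field injection described above, shown as an added example (not code from the original article) using Python's built-in sqlite3 driver: the same lookup written by pasting the field into the SQL text, and rewritten as a prepared statement. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for "your important data".
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)", [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
])
conn.commit()


def lookup_unsafe(name: str):
    """Vulnerable: the form field is pasted straight into the SQL text,
    so the database cannot tell data apart from instructions."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(name: str):
    """Fixed: a prepared (parameterised) statement. The '?' placeholder is
    bound to the value by the driver, so the input is only ever data."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A "name" that closes the quote and appends a condition that is always
# true: the textbook way an injection returns a whole table.
TAMPERED = "x' OR '1'='1"

if __name__ == "__main__":
    print(lookup_unsafe("Alice"))     # one row
    print(lookup_unsafe(TAMPERED))    # every customer leaks
    print(lookup_prepared(TAMPERED))  # no rows: nobody has that name
```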
What is it?: Broken authentication is where authentication systems are put together incorrectly, or to a minimum standard that is not able to resist common attacks.
How is it done?: Hackers will attempt to brute force user account logins using password lists, or stolen credentials from other websites that your users may have registered with using the same password.
What is the impact?: The impact will vary depending on which accounts can be compromised. At minimum this could result in your user details being stolen; at worst, access to an admin account could easily escalate to a whole system takeover.
What can you do?: Implement multi-factor authentication. Using something like a code sent via text to validate the action of logging in, or of performing important actions, will reduce the likelihood of these attacks succeeding, since an attacker would need both stolen credentials and access to a separate asset of the target.
What is it?: Improper protection of sensitive data can leave it vulnerable to attackers who have gained access to the system, or to some part of the system through which the data flows.
How is it done?: Websites using weak or no SSL certificates are susceptible to having their traffic intercepted. Additionally, if this data has not been suitably encrypted, it offers no challenge to attackers.
What is the impact?: Improper protection of sensitive data will put your users at very high risk, with the kind of data you store potentially opening them up to identity theft. Your business will lose significant trust in the market and you may be fined under GDPR or local privacy laws.
What can you do?: Use secure implementations of SSL, encrypt sensitive data such as passwords & credit card information, and immediately discard any information that is no longer needed.
What is it?: Older or inappropriately configured XML processing systems have a weakness where the ability to download external files can be exploited to gain unauthorised access to the server.
How is it done?: Attackers can upload an XML file they have engineered to exploit the vulnerabilities present in these systems.
What is the impact?: These attack files can be used to pull data, scan the network or perform a DoS attack to bring your application down.
What can you do?: Switch to simpler data formats such as JSON where possible, or ensure you have upgraded your XML system to a version that no longer suffers from this issue, or disable the feature for external entity processing.
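Disabling external entity processing in practice, as an added example (not from the original article) using Python's standard-library SAX parser: one function switches the `feature_external_ges` flag off, and a stricter one refuses any document that declares a DTD at all. The hostile document and the file it points at are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers every piece of character data the parser reports."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_without_external_entities(data: bytes) -> str:
    """External general entities are not resolved, so an
    <!ENTITY x SYSTEM "file:///..."> reference expands to nothing instead of
    reading a file off the server. Internal entities still expand; this
    addresses only the 'download external files' weakness."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def parse_rejecting_dtd(data: bytes) -> str:
    """Stricter policy for form and API input: any DTD declaration is refused
    before the document reaches the parser."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD declarations are not accepted from untrusted input")
    return parse_without_external_entities(data)


def build_sample(secret_path: str) -> bytes:
    """Constructed hostile document: an external entity pointing at a file
    on disk, referenced in the body."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE doc [<!ENTITY ext SYSTEM "file://{}">]>\n'
            '<doc>before-&ext;-after</doc>').format(secret_path).encode()


def demo_no_leak() -> str:
    """Write a throwaway file, parse a document that tries to pull it in,
    and return the text the parser actually produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-CONTENTS")
    try:
        return parse_without_external_entities(build_sample(f.name))
    finally:
        os.unlink(f.name)
```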
What is it?: Restrictions that selectively enforce what users can and cannot do on your system are often poorly implemented and may not work in all cases; hackers can use this to perform privileged tasks that they should not be able to achieve.
How is it done?: Hackers will try to perform actions that should not be available to them; they may construct the request in alternate software and test it live on your site to gain access.
What is the impact?: Hackers may be able to view information or access files that should be off limits to them; additionally, they may be able to perform actions that should exist only for admins or for testing.
What can you do?: Ensure that denying access is the default for any action: it should be performed only when explicitly elevated privileges exist for that specific user & action. Abstracting all actions through an internal API provides a layer of protection to your application.
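Deny-by-default plus a single internal API layer, as an added example that is not part of the original article: every business action goes through one `requires` check against an explicit allow table, and record-level ownership is checked on top. The roles, actions and invoices are constructed for the example.

```python
import functools

# Constructed allow table of (role, action). Anything absent is denied;
# there is no "allow" fallback and unknown roles get nothing.
ALLOWED = {
    ("user", "view_own_invoice"),
    ("admin", "view_own_invoice"),
    ("admin", "view_any_invoice"),
    ("admin", "delete_invoice"),
}

INVOICES = {101: {"owner": "alice", "total": 40},
            102: {"owner": "bob", "total": 75}}


class AccessDenied(PermissionError):
    pass


def is_allowed(role: str, action: str) -> bool:
    """Deny-by-default: only an explicit entry grants the action."""
    return (role, action) in ALLOWED


def requires(action: str):
    """Internal-API layer: every action is routed through this one check,
    so a forgotten check in an individual handler cannot silently allow."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user["role"], action):
                raise AccessDenied(f"{user['name']} may not {action}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("view_own_invoice")
def view_own_invoice(user, invoice_id):
    invoice = INVOICES[invoice_id]
    # Object-level check: the role allows the action, but only on own records.
    if invoice["owner"] != user["name"]:
        raise AccessDenied("not your invoice")
    return invoice


@requires("view_any_invoice")
def view_any_invoice(user, invoice_id):
    return INVOICES[invoice_id]


@requires("delete_invoice")
def delete_invoice(user, invoice_id):
    return INVOICES.pop(invoice_id)
```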
What is it?: Security misconfiguration is when the wrong policies are applied to your application as a result of using the default settings. Attackers can use these to discover further vulnerabilities in your system.
How is it done?: Attackers will try to work out which versions of software your application is running, in order to run known exploits against it. Other issues involve using default admin password combinations to gain entry.
What is the impact?: Misconfiguration can leave your application open to being circumvented with very little disruption or notice. This leads to unauthorised access to your data and, depending on which technology you use, could also result in the complete takeover of your system.
What can you do?: Better education in your development team, and the introduction of a quality assurance check that encompasses understanding and implementing software in the secure manner specified by the vendor documentation or by further reading.
What is it?: XSS vulnerabilities happen in websites that naively trust the data they include on a web page. The source of this data may be the URL, a form field or data pulled from 3rd parties, which when included on the website creates some sort of front-end functionality, often malicious in nature.
How is it done?: When an attacker knows there is an XSS flaw they will craft a small web application that they intend to include on your website and run as if it were part of your website.
What is the impact?: XSS can be used for delivering 3rd party ads, creating account phishing scams, or as a method to deliver malware to your users.
What can you do?: XSS can be tackled in a variety of ways, and a combination may be stronger. All data that is going to be displayed on your website should be filtered or escaped to prevent it being rendered as an application and instead. You can also create a Content Security Policy, which provides instructions on which sources of data can and can’t be run on your website.
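The two measures combined, as an added example not taken from the original article: escaping user data for both the element body and an attribute value (the two contexts need the same escaping function but quotes matter in the attribute), plus a per-response Content Security Policy header that only permits scripts carrying a fresh nonce. The comment data is constructed for the example.

```python
import html
import secrets


def render_comment_unsafe(author: str, text: str) -> str:
    """Vulnerable: user data is pasted straight into the page, so any markup
    in it becomes part of the application."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment(author: str, text: str) -> str:
    """Escaped: the same data is rendered as text. quote=True (the default)
    also escapes quotes, which is what keeps the attribute value closed."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(text)}</p></div>')


def new_nonce() -> str:
    """Unpredictable per-response value; a new one for every page served."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value: scripts run only from our own origin or
    when tagged with this response's nonce, so injected inline script is
    refused by the browser even if escaping is missed somewhere."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


# Constructed sample input: markup in the body and a broken-out attribute.
SAMPLE_TEXT = "<script>alert('hi')</script>"
SAMPLE_AUTHOR = 'mallory" onclick="alert(1)'

if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", csp_header(nonce))
    print(render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_TEXT))
    print(render_comment(SAMPLE_AUTHOR, SAMPLE_TEXT))
```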
What is it?: When your application runs it has certain reference data, such as who the logged-in user is. Sometimes this state is saved so it can be reused later; this is called serialization. This also means that somewhere else your application is going to deserialize and re-use this reference. Tampering with the reference data before it is deserialized can allow hackers to maliciously change who they are or what rights they have.
How is it done?: Tampering with serialized data is harder for attackers to do; usually it requires a bad implementation in your application, such as temporarily storing the serialized data on the user’s computer rather than in a database, which puts the reference data in their hands.
What is the impact?: If successfully performed, a deserialization attack can be very dangerous, allowing switching of accounts, escalation of access rights and a potential full system takeover.
What can you do?: Your application should stop accepting serialized reference data from anywhere it cannot trust. There are other, passive methods, such as logging changes to better identify when reference data is tampered with, which may help you identify when it happens.
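When state does have to travel through the user's hands, as an added example (not the original article's code) of making it untrusted-but-checkable: the reference data is serialized as plain JSON (never a format that can run code on loading) and carried with an HMAC signature, so a payload altered on the client is detected and logged before it is used. The key and the state values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import logging

# Server-side secret; constructed placeholder, a real one comes from a
# secret store and never leaves the server.
KEY = b"replace-with-a-random-32-byte-secret"


class TamperedState(ValueError):
    pass


def serialize_state(state: dict) -> str:
    """'payload.signature': the client can hold the state but cannot change
    it without the change being detected on the way back in."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    sig = hmac.new(KEY, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def deserialize_state(token: str) -> dict:
    """Verify before parsing. The data is only ever read as JSON, never
    executed, and a failed check is logged as a tamper indicator."""
    parts = token.split(".")
    if len(parts) != 2:
        raise TamperedState("malformed token")
    payload, sig_b64 = parts[0].encode(), parts[1]
    try:
        given = base64.urlsafe_b64decode(sig_b64)
    except (binascii.Error, ValueError):
        raise TamperedState("malformed signature")
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        logging.warning("state token failed verification: %.12s...", token)
        raise TamperedState("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload))


def replace_payload(token: str, new_state: dict) -> str:
    """Simulates what someone holding the token could try: swap the payload
    for different reference data while keeping the original signature."""
    _, sig_b64 = token.split(".")
    payload = base64.urlsafe_b64encode(json.dumps(new_state, sort_keys=True).encode())
    return payload.decode() + "." + sig_b64
```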
What is it?: Reliance on older 3rd party components such as libraries, frameworks or plugins carries a risk: if a vulnerability is known, a hacker can target your application with a known exploit. Documentation for these sorts of attacks is quite easy to find, meaning almost any attacker can try it.
How is it done?: Most components run with very high access rights, meaning an attacker can engineer an attack against an outdated component and run their exploit with maximum privileges. These are very common attacks.
What is the impact?: The component you're using determines the sort of issues you open yourself up to; these can range from quite minor to extremely serious, especially if the component is a core part of your application.
What can you do?: You should always aim to reduce your 3rd party dependencies, especially when they themselves have large dependency trees that you are now using. Where possible, re-build 3rd party components yourself into independent functionality.
What is it?: Insufficient logging is very passive; it may not be the cause of an attack, but missing out on appropriate logging means that while attacks are happening you have no idea, and after they are done you have no clues.
How is it done?: Attackers will often prefer systems with little to no logging or monitoring, because this allows them to create their attacks, test them and finally carry them out with an almost unlimited amount of time. The chances of an attack landing are much higher in this situation.
What is the impact?: The issue allows attackers to probe your systems quite heavily to perfect an attack. This can amplify any of the other attacks listed.
What can you do?: Make logging part of your system. The specific level of logging will vary by project, but you want to keep track of as many actions on your system as possible, so that you can spot malicious patterns before an attack, or find answers after one and get back on your feet faster.
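What "spotting malicious patterns" looks like once login events are logged, as an added example (not from the original article) that also covers the password-list and stolen-credential attacks described under broken authentication: a small detector that reads authentication log lines and flags an IP that fails against many different accounts in a short window, and any success from that IP straight afterwards. The log format and lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:02Z LOGIN_FAILED user=bob ip=203.0.113.7
2024-03-01T10:00:03Z LOGIN_FAILED user=carol ip=203.0.113.7
2024-03-01T10:00:04Z LOGIN_FAILED user=dave ip=203.0.113.7
2024-03-01T10:00:05Z LOGIN_FAILED user=erin ip=203.0.113.7
2024-03-01T10:00:06Z LOGIN_OK user=frank ip=203.0.113.7
2024-03-01T10:05:00Z LOGIN_FAILED user=alice ip=198.51.100.2
2024-03-01T10:07:00Z LOGIN_OK user=alice ip=198.51.100.2
"""

LINE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) ip=(\S+)$")


def detect_credential_attacks(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return (ip, reason, time) alerts. One password tried against many
    accounts from one address is the credential-list pattern; a success
    from that address while the burst is still within the window is the
    event worth an immediate look."""
    recent = defaultdict(deque)  # ip -> failures as (time, user), oldest first
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        event, user, ip = m.group(2), m.group(3), m.group(4)
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # forget failures outside the window
        if event == "LOGIN_FAILED":
            failures.append((ts, user))
            if len({u for _, u in failures}) >= threshold:
                alerts.append((ip, "failures against many distinct accounts", ts))
        elif len({u for _, u in failures}) >= threshold:
            alerts.append((ip, f"successful login for {user} after failure burst", ts))
    return alerts


if __name__ == "__main__":
    for ip, reason, ts in detect_credential_attacks(SAMPLE_LOG):
        print(ts.isoformat(), ip, reason)
```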
Security moves fast: new vulnerabilities are discovered and new attack vectors are created. Following a top-10 list you find online, like this one, may help you get started, but it is not a strategy for staying on top of security threats.
As a starting point you should ensure that your development team is aware of the OWASP Top 10 and check in on it yearly for new threats and solutions. While OWASP is the authority on web application security today, it may not be in the future, so regardless of what year you find this article, the advice on sticking to best practices offered in this section should be timeless: