Every website and application has vulnerabilities, and each of these vulnerabilities can expose your site or business to harm, whether through the loss of valuable data or through damage to your company's reputation if the exposure becomes public.
Generally speaking, website and hosted application vulnerabilities fit into two categories: security and availability.
Security vulnerabilities introduce the possibility that sensitive data is exposed to people who should not have it, either through a deliberate attack or through accident. Loss of availability can mean either permanent loss of data, or the temporary loss of service, i.e. the website cannot be accessed by its users.
Both kinds of vulnerabilities pose a risk to your business. In particular, a security breach or an extended loss of availability could damage your company's reputation or violate your clients' privacy. The loss of data (either through theft or equipment failure) can also be detrimental and result in loss of business and damage to your company's reputation.
Below we’ll explore the various vulnerabilities and issues your website can be exposed to, and what questions you should be asking your developer to ensure that they are being addressed. It’s not an exhaustive list, but it’s a strong place to start…
Security vulnerabilities can be physical (i.e. physical theft or breach of systems), or can involve the compromise of data or communications.
Physical security relates to protection of the servers and components that host and support your website or application.
Physical security is important to ensure that only authorised personnel can access this equipment for approved purposes.
Data is the client and business data stored in databases and file systems. Data security covers not only access controls (who and what can read or change the data, and how), but also how the data is stored, e.g. whether backups, disks and sensitive fields such as passwords are encrypted or hashed rather than kept in plain text.
When you or your clients access your website they are communicating with the application systems. Each time a user logs in, loads a webpage, fills out a form or clicks a link, information flows between the user and the web server.
Unless these communications are encrypted, they are vulnerable to "eavesdropping", i.e. a third party on the network path (a shared Wi-Fi network, for example) intercepts the traffic in order to discover passwords or other sensitive information. This vulnerability is addressed by serving the whole site over HTTPS (HTTP over TLS), which encrypts the traffic between the user's browser and the web server, rather than over plain HTTP.
Another form of communication is when developers or support staff need to access the systems hosting your application, for example over SSH or a remote desktop connection. This administrative access should also be encrypted and restricted to named, authenticated staff.
Application level security
As well as securing the system infrastructure and communications, security policies can be extended to the application itself. These might include: a password policy (such as requiring users to select "strong" passwords that conform to certain rules); session timeouts that automatically log out inactive users; storing no sensitive information in cookies (the cookie should carry only an opaque session identifier); and a security model with well-defined user roles and access privileges, so that each user can only perform the actions their role permits.
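To make these four policies concrete, here is an added example of how they look in application code. It is illustrative code written for this page, not code from the original article; the minimum password length, the 15-minute idle timeout, the role names, the permitted actions and the function names are all assumptions chosen for illustration.

```python
from __future__ import annotations

import re
import secrets
import time
from dataclasses import dataclass

# Password policy (assumed values): minimum length plus at least one
# lower-case letter, upper-case letter, digit and symbol.
MIN_PASSWORD_LENGTH = 12
_CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the length and character rules."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return all(re.search(pattern, password) for pattern in _CHARACTER_CLASSES)


# Inactive-session timeout (assumed value): a session idle for longer than
# this is discarded and the user has to log in again.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    role: str
    last_seen: float  # Unix timestamp of the last request on this session


class SessionStore:
    """Server-side session table keyed by an opaque, random session id."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, role: str, now: float | None = None) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[session_id] = Session(
            user, role, now if now is not None else time.time()
        )
        return session_id

    def get(self, session_id: str, now: float | None = None) -> Session | None:
        """Look up a session, expiring it if it has been idle for too long."""
        now = now if now is not None else time.time()
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # automatic log-out of an inactive user
            return None
        session.last_seen = now
        return session


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value. The cookie holds only the opaque id, never
    user data, and its flags stop script access (HttpOnly), plaintext
    transmission (Secure) and cross-site sending (SameSite)."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


# Role model (assumed roles and actions): each role maps to an explicit set
# of permitted actions; anything not listed is denied.
PERMISSIONS = {
    "admin": {"view_orders", "edit_orders", "manage_users"},
    "staff": {"view_orders", "edit_orders"},
    "customer": {"view_orders"},
}


def authorised(session: Session | None, action: str) -> bool:
    """Deny by default: no session, an unknown role or an unlisted action all fail."""
    if session is None:
        return False
    return action in PERMISSIONS.get(session.role, set())


if __name__ == "__main__":
    store = SessionStore()
    print(password_meets_policy("Tr0ub4dor&3xample"))  # True
    sid = store.create("alice", "staff", now=1_000.0)
    print(session_cookie_header(sid))
    print(authorised(store.get(sid, now=1_100.0), "manage_users"))  # False
    print(store.get(sid, now=1_100.0 + IDLE_TIMEOUT_SECONDS + 1))  # None
```

The design point worth noticing is that every decision is made on the server: the browser only ever holds a random identifier, the idle timeout is enforced on lookup rather than trusted to the client, and the role check denies anything that is not explicitly permitted.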
Availability and service reliability
A web application is made up of several components: the application source code, the databases that store and retrieve data, the web server software that serves the application over the internet, and the equipment that hosts these programs.
The equipment requires a specialised environment to maximise running efficiency, reduce the risk of breakdown and provide system redundancies so that a continuous high quality service can be maintained.
In the case of hardware failure or permanent loss or corruption of data, backups are required. Backups should be made of both data and source code, kept separately from the live system (so that an incident which destroys the system does not also destroy the backups), and restored from periodically as a test, so that the system can be quickly rebuilt in case of a serious loss or failure.
Another important aspect of service availability is monitoring of the application, so that those supporting it are alerted to problems and can take appropriate action before users notice. Monitoring should cover availability (is the site reachable?), performance (how quickly is it responding?) and errors (is the application logging failures?).