The number of articles published on the importance of web product security, and on how to achieve it, is continually growing.
What organisations often fail to grasp is how to measure the risk associated with their online products, and consequently how to judge the cost effectiveness of the risk mitigation solutions they implement.
It’s easy to assume that online risk is always proportional to the associated product revenue. To a degree this is true; however, there are other factors which must be taken into account. This is particularly important if the web site in question brings in little or no direct revenue, such as an online corporate presence, or if any data sources used by the site store private and confidential data.
The level of risk can be assessed through a combination of four factors.
• Revenue: if we are earning significant revenue from our Internet products then we must consider this portion of income against other off-line revenue streams. What would be the impact of the site being unavailable for up to a week?
• Reputation: a good deal of trade, both online and off, is based on the good name of the business. Consider the reputational impact of the web site being defaced or unavailable.
• Strategic importance: how important is the web site to you? Would there be a significant impact if it were to become unavailable?
• Regulatory compliance: if you are processing or storing data which is subject to legislative control (and keep in mind that this can depend on where in the world you are doing business) then the penalties for not providing adequate safeguards can be high if the data is compromised.
Take for instance recent cases in the USA: online providers have been fined by the regulatory body, the FDA, as a direct result of security flaws within their web sites that compromised client information. Here in the UK, the Data Protection Act states that any personally identifiable information, including email addresses, that is collected and stored must be adequately protected.
Having assessed the risk in all four of these categories, it then becomes easier to determine the cost factors associated with mitigating the risk.
So how do we effectively reduce online risk?
Many solutions, such as application firewalls, which put up an effective barrier against the various kinds of hacker-type attacks that your products will be subjected to, are very much geared towards the large enterprise. They are expensive and not really suited to every company.
The best place to start is by considering the most significant risks. These are likely to be denial of service (DoS), product defacement, or online theft. Intellectual property theft or loss of credit card information may also be important considerations.
Mitigation against denial of service is very much going to be in the hands of the hosting service providers and the infrastructure which they provide. Make sure that you know what facilities they have in place before an attack occurs.
Many of the other security issues are often the result of a poorly developed product. If the application code has not been written with security in mind, it is likely that your product will contain vulnerabilities. This can also be the case when use is made of third-party components, such as shopping carts, which may themselves contain security holes. Always check the associated vendors’ web sites for updates and patches.
In summary, measuring risk is important to ensure that we are best placed to decide how and where to spend funds on mitigation. As shown here, much more may be at stake than just the online revenue.
The following online links provide further information:
Information Commissioner's Office at http://www.informationcommissioner.gov.uk/
USA Food and Drug Administration at http://www.fda.gov
The Open Web Application Security Project (OWASP) at http://www.owasp.org
This was first published in August 2005