
Security Think Tank: Look at full security development lifecycle to reduce web threats

What are the main web security challenges for organisations and how are they best addressed?

Attacks on an organisation’s website can be used to steal information, to attack users of the site or damage the company through defacement, data destruction or denial of service attacks. The top two vulnerabilities used in such attacks are cross-site scripting (XSS) and SQL injection, accounting for over 50% of attacks.

SQL injection was the type of vulnerability exploited by the 2015 TalkTalk attack. Where a website is supported by a database, an attacker will add structured query language (SQL) commands to an entry to modify the database, or download the contents.

XSS allows a legitimate user of, for example, a blogging site to add a script command to the end of a text entry. When clicked on by another user, this runs with the permissions of that user. This can be used to steal that user’s personal information or deliver malware to them. 

These vulnerabilities exist because of poor filtering of script characters or data typing when the web applications are developed. They continue to occur because every website is bespoke and is continuously updated. Therefore configuration and testing may not always be as thorough as for volume commercial applications. The vulnerability may also be manifested in the underlying database application, as was the case for the SQL injection attack on TalkTalk in 2015.
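The two causes named above, poor filtering of script characters and missing data typing, are shown here as an added example that is not part of the original article: each weak form sits beside its hardened form. The `comments` table, the function names and the sample rows are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "First post"), ("bob", "Private note"),
         ("alice", "<script>alert(1)</script>")],
    )
    return db


def comments_unsafe(db, author):
    # Weak: the entry is pasted into the SQL text, so a quote character in it
    # ends the string literal and the rest is read as SQL.
    sql = "SELECT body FROM comments WHERE author = '" + author + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def comments_safe(db, author):
    # Hardened: the entry is bound as a parameter and is only ever data.
    sql = "SELECT body FROM comments WHERE author = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (author,))]


def comment_by_id(db, raw_id):
    # Data typing: int() raises ValueError unless the entry is a whole number.
    comment_id = int(raw_id)
    row = db.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0] if row else None


def render_unsafe(body):
    # Weak: script characters stored in the entry reach the browser as markup.
    return "<p>" + body + "</p>"


def render_safe(body):
    # Hardened: <, >, & and quotes are encoded, so the entry displays as text.
    return "<p>" + html.escape(body) + "</p>"
```

A code review or vulnerability scan of a site is looking for the `_unsafe` patterns: string-built SQL and unencoded output of stored user entries.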

Addressing this, and other security questions around web security, depends on the nature of the site. For a simple site with minimal functionality, it may be possible to rely on a skilled developer who knows how to securely configure the server and can also undertake a rigorous code review, together with an initial penetration test and a patching regime. 

Generally, a web application firewall (WAF) should be used to protect sites that are potentially vulnerable to XSS or SQL injection, but the rules will need to be updated from time to time to match the functionality of the website.

For more complex websites that are continuously evolving, rigorous testing is probably not practical every time an update is made, and ongoing vulnerability scanning should be considered. Vulnerability scanning is offered as a service by several companies and involves regular scans of the site for vulnerabilities, including those that would allow a SQL injection or XSS attack.

In addition to addressing the main SQL injection and XSS issues, there are a number of other considerations to be made in the deployment and maintenance of a site. Most organisations today use a hosting company to implement and manage their website.

For smaller companies without a security team, this can help with patching and general security maintenance. However, it’s important to check the security measures the hosting company offers, especially in terms of security monitoring, distributed denial of service (DDoS) attack mitigation, its responsiveness to security incidents and its processes for dealing with incidents.

If you need to host the website yourself, perhaps because you are delivering a web-based service that requires close coupling to your own systems, then you will need to make sure your own systems are protected and separated from the web server itself, to prevent the web server being used as a Trojan horse to attack your operational systems. 

Whichever approach you take, supply chain security also needs to be considered. There have been instances over the past few years where an attacker has attacked a website tool developer and modified the code of the tools used to build a website so that every site they build includes backdoors open to the attacker, or pre-placed malware. While this is not easy to detect, the security stance of the provider may be relevant and security testing of the site should take this possibility into account.

I have outlined the most common risks associated with web security, but to improve your overall cyber resilience, it is important to consider the full security development lifecycle as much as possible. This includes risk and threat assessment, application of coding rules and automated code analysis.
