We remember when, back in the day, our biggest security concerns were things as trivial as making sure no one could link to our images from their own site, or using a plain session cookie to identify a logged-in user.
Of course, nowadays there is a plethora of security-related issues to deal with. Hackers and people with malicious intent have become commonplace. We now live in an age where there is profit to be made by exploiting vulnerable websites in a variety of ways, not the least of which include hacking creditable accounts or personal information, hijacking mailboxes for spamming, and taking over your website's content to redirect traffic to the attacker's site.
What is probably even more frightening is that, due to the rapid development of the web and of the attack methods used, most websites' security practices are completely out of date and extremely vulnerable.
Even if your website was created recently and with the best security practices at the time, it could already be flawed. Here at Elemental, we strive to stay at the forefront of best security practices and to keep our clients informed about when their sites require security upgrades.
Here are some of the more common security best practices used by Elemental at the time of writing this article:
- Personal documents are not publicly accessible and can only be retrieved through a user identification script.
- Direct script access and directory listings are forbidden.
- Session and login information is stored in a database, not a cookie.
- CSRF attacks are prevented by means of form challenge tokens.
- Session cookies are encrypted and validated against IP address and User Agent, making a stolen cookie unusable.
- Public mail forms use captchas (code to validate the user is a human, not a script/robot) and other human verification tricks.
- All uploads and form data are thoroughly validated.
- Information inserted into a database is properly escaped to prevent SQL injection.
- All public or user input is run through an extensive XSS filter to prevent XSS attacks.
- Passwords are stored in the database as MD5 hashes combined with a 'salt string', making peeking and rainbow-table attacks impossible.
- At login, the password is only ever submitted MD5-hashed and combined with a salt and a challenge string that differs on each attempt and is tied to your encrypted session, making peeking and copying impossible.
- Limits are placed on login attempts to stop 'brute force' attacks.
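The challenge-response login and attempt limiting described in the last two items, as an added Python example that is not Elemental's code: the server stores MD5(salt + password) as stated above, issues a fresh one-time challenge per attempt, and the client submits MD5(stored_digest + challenge); the exact combination order, the lockout threshold and the session and user names are assumptions. MD5 is kept to match the scheme described; for a new system a slow password hash (bcrypt, scrypt or Argon2) is what current practice calls for.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # lockout threshold: a hypothetical value, not the article's

def store_password(password: str, salt: str) -> str:
    """Server-side record, as the article describes: MD5 of salt + password.
    (MD5 is kept for fidelity; use bcrypt/scrypt/Argon2 for new systems.)"""
    return hashlib.md5((salt + password).encode()).hexdigest()

def client_response(password: str, salt: str, challenge: str) -> str:
    """What the browser-side script submits: never the raw password, only
    MD5(stored_digest + challenge), which is useless once the challenge is spent."""
    digest = store_password(password, salt)
    return hashlib.md5((digest + challenge).encode()).hexdigest()

class LoginServer:
    def __init__(self, users):
        self.users = users        # {username: (salt, stored_digest)}, constructed sample
        self.challenges = {}      # session_id -> (username, outstanding challenge)
        self.failures = {}        # username -> consecutive failed attempts

    def issue_challenge(self, session_id: str, username: str):
        """Return (salt, challenge); the challenge is random, per attempt and
        bound to the session. Unknown users get a random salt so the reply
        does not reveal whether the account exists."""
        salt = self.users.get(username, (secrets.token_hex(8), None))[0]
        challenge = secrets.token_hex(16)
        self.challenges[session_id] = (username, challenge)
        return salt, challenge

    def verify(self, session_id: str, username: str, response: str) -> bool:
        issued = self.challenges.pop(session_id, None)   # single use: no replay
        if issued is None or issued[0] != username:
            return False
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:  # brute-force limit
            return False
        record = self.users.get(username)
        if record is not None:
            expected = hashlib.md5((record[1] + issued[1]).encode()).hexdigest()
            if hmac.compare_digest(expected, response):   # constant-time compare
                self.failures.pop(username, None)
                return True
        self.failures[username] = self.failures.get(username, 0) + 1
        return False
```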
To conclude, there are many security measures that should be in place but are often overlooked, ignored or forgotten. If you feel that your website, web application, intranet or Facebook application may be lacking in terms of security, we can perform an audit and report back with feedback on your system's security status as well as a means of improving and rectifying the problem(s).