WDDinc Web Security Blog

Insight from the leader in secure application development

Five Web Application Security Myths (Part 1)


Many Companies Fail to Take the First Step Towards Security Because of Misconceptions and Security Myths

Protecting your website from hackers is tough. The battle between the good guys (you) and the bad guys (the hackers) is an ever-escalating war in which a single misstep on your part may mean a breached site. But many companies fail to take even the first step towards security because of misconceptions and security myths, either believing that simple protections are sufficient or thinking they really do not have to worry about hackers. The following notes cover some of these web security myths.

1. SSL is The Panacea of All Security

2. Security Through Obscurity

3. Not Worth The Trouble – Nothing to Steal

4. The Totally Secure Website

5. Hackers Are Just Geniuses Gone Bad

1. SSL is The Panacea of All Security

Secure Sockets Layer (SSL) is probably the best known and least understood web security measure in our protection arsenal. As you may know, SSL is a means of encrypting data passing between your browser and the web server. When you are conducting private transactions (e.g., financial or medical), your transmitted data does need to be encrypted; otherwise it can be easily read by anyone who ‘sniffs’ your traffic along the way.

While an argument can be made that SSL (encrypted data in transit) was the single most important piece of technology in the growth of the internet into the transactional system it is today, one cannot extend that premise to say it is the only piece of technology required.

The myth behind SSL is the prevalent belief that SSL is all there is to web security: keep the bad guys from looking at my transmitted data and I’m OK. The thinking goes that as long as the bad guys cannot read data being sent between your browser and the web server, all is safe. Unfortunately, this is like saying your home privacy is safe as long as no one can tap your telephone line. What about your door locks, the cleaning people who might spend every Tuesday at your home (perhaps alone), or the credit card information you put out at the curb every month?

So, yes, SSL is essential to web security, but it is only a small part of the total picture. SSL alone will not solve your security concerns.

2. Security through Obscurity

Many people believe their website is such a small fish in the Internet ocean that no respectable hacker would lower himself to even take a look. The problem is that the hackers, usually script kiddies running automated tools, are looking at everyone’s websites, if for no other reason than that it is simply easy to do. Your site, whether it is Bank of America or just a site displaying your collection of Beanie Babies, is constantly being probed by hackers using scripts.

If your site has any vulnerabilities, and it probably does, automated tools will find and flag it, setting you up for a visit from a live person in the near future. Who knows, maybe your website really doesn’t have anything of value, or maybe the underlying SQL database on your server is fertile ground for identity-theft information. Either way it is fair game, and as far as automated scripts are concerned, just as valuable as your online banking site.

But whatever you do, do not believe the size of the ocean makes a difference to the hackers. The sharks have you covered, however small you might be.

More to come – please check back for Part 2
