A few days ago Oliver presented his 10 essential Web site checks. Except for a few very basic things I didn’t see security on his list, so here are a few essential security checks for your Web site. You will have to scale them to your needs; the Web site of your local juggling club won’t need the same level of security as an Internet business built around a Web application.
- Understand your threat profile
Understand who might attack you, what they stand to gain, and what the impact on your Web site and its users would be if an attack succeeded. Don’t be overly paranoid, but be honest with yourself.
- Use SSL
SSL protects data in transit between the browser and your server, and nothing else; it does not fix flaws in the application itself. Even so, it is a standard security mechanism today and there is almost no excuse for not offering it to your users. It won’t solve all your security problems, but it is useful.
- Have a person in charge of security
Security requires continuous attention throughout the life cycle of your site. Somebody should be responsible for security, and this person must have sufficient authority to be more than a fig leaf.
- Baseline protection
Don’t forget the simple things: backups (and tested restores), timely patches, secure configuration of the operating system, Web server and database, etc. Be aware, however, that baseline protection will not make your applications and your own code any more secure.
- Build security in
If your Web site serves more than a set of static pages, you must build secure software. Security is not a box in your architecture diagram, it is a set of rules and best practices for software development.
- Test early and often
Everybody makes mistakes, and so will you. Have somebody point out those mistakes to you before the bad guys find and exploit them. Do not rely on automated scanners too much: they find known classes of bugs but miss logic flaws in your application. They are useful but limited.
- Be hacker-friendly
The best security testers you can get are white-hat hackers who happen to find issues on your site. Make it easy to reach you, properly credit those who helped you, and don’t sue the messenger. Don’t be too proud of never having been hacked, though; it may only mean that nobody has told you.
- Don’t annoy your users
The point of security measures is to make attacks hard, not to make legitimate use of the site hard. Putting unnecessary burdens upon your users will likely reduce both your security and the number of users.
- Plan ahead for failures and disasters
They are out to get you, and eventually they will get you. Know what to do if your security fails despite all your efforts. Have plans for incident handling, business continuity and disaster recovery.
- Compliance is just that
Do not assume that compliance with whichever standard or regulation is a replacement for actual security. An auditor’s checkmark tells you that a control exists on paper, not that your site withstands an attack.
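As an added illustration of two of the items above, “Build security in” and “Test early and often”, here is a single database lookup done the bolted-on way and the built-in way, together with the regression test that should run long before a bad guy tries the same payload. This is example code written for this page, not code from the original post; the in-memory SQLite database, the hypothetical `users` table and the two sample accounts are constructed assumptions.

```python
"""Added example, not from the original post: security built in versus
bolted on, shown on one login lookup, plus the regression test for it.

Assumptions (constructed for illustration): an in-memory SQLite
database, a hypothetical `users` table and two made-up accounts.
"""
import sqlite3

# Constructed sample data: two accounts. A real site would store a
# password hash, never the password itself; kept plain here only so
# the effect of the injection is easy to see.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_insecure(conn, name, password):
    """Security not built in: the query is assembled by string
    concatenation, so whatever the user typed becomes part of the SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn, name, password):
    """Security built in: the SQL text is fixed, the input is passed as
    bound parameters and can only ever be compared as data."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


# Classic injection payload: closes the quoted string, makes the WHERE
# clause always true, and the trailing "--" comments out the password check.
INJECTION = "' OR '1'='1' --"


def run_regression_test(login):
    """The check a test suite should run on every build.

    Returns which inputs opened a session (account name) and which did
    not (None). The insecure version lets the injection payload log in
    as the first account in the table; the secure one rejects it."""
    conn = make_db()
    return {
        "valid": login(conn, "alice", "s3cret"),
        "wrong_password": login(conn, "alice", "wrong"),
        "injection": login(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for fn in (login_insecure, login_secure):
        print(fn.__name__, run_regression_test(fn))
```

Run it and the insecure variant reports `'injection': 'alice'`, i.e. the attacker is logged in without a password, while the secure variant reports `None` for the same input. The point is not the specific bug; it is that the safe version is the ordinary way to write the query once parameterized statements are a team rule, and that the test encoding the attack stays in the suite so the mistake cannot quietly come back.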
Homework assignment: pick one item and expand it into another list of 10.