10 Essential Security Checks

[Get only posts in English]

A few days ago Oliver presented his 10 essential Web site checks. Except for a few very basic things I didn’t see security on his list, so here are a few essential security checks for your Web site. You will have to scale them to your needs; the Web site of your local juggling club won’t need the same level of security as an Internet business built around a Web application.

  1. Understand your threat profile
    Understand who might be your enemy and what would be the impact on your Web site and the users of your Web site if an attack succeeds. Don’t be overly paranoid but be honest to yourself.
  2. Use SSL
    Although it has its limitations, SSL is a standard security mechanism today and there is almost no excuse for not offering it to your users. It won’t solve all your security problems but it is useful.
  3. Have a person in charge of security
    Security requires continuous attention throughout the life cycle of your site. Somebody should be responsible for security, and this person must have sufficient authority to be more than a fig leaf.
  4. Baseline protection
    Don’t forget the simple things: backup, patches, secure configuration, etc. Be aware, however, that baseline protection will not make your applications and your own code any more secure.
  5. Build security in
    If your Web site serves more than a set of static pages, you must build secure software. Security is not a box in your architecture diagram, it is a set of rules and best practices for software development.
  6. Test early and often
    Everybody makes mistakes, and so will you. Have somebody to point out those mistakes to you before the bad guys find and exploit them. Do not rely on automated scanners too much. They are useful but limited.
  7. Be hacker-friendly
    The best security testers you can get are white-hat hackers who happen to find issues on your site. Be accessible, properly credit those who helped you, and don’t sue the messenger. Don’t be too proud of not having been hacked, though.
  8. Don’t annoy your users
    The point of security measures is to make attacks hard. Their point is not to make legitimate use of the site hard. Putting unnecessary burdens upon your users will likely reduce your security—and the number of users.
  9. Plan ahead for failures and disasters
    They are out to get you and eventually they will. Know what to do if your security failed despite all your efforts. Have plans for incident handling, business continuity and disaster recovery.
  10. Compliance is just that
    Do not assume that compliance with whichever standard or regulation would be a replacement for actual security.

Homework assignment: pick one item and expand it into another list of 10.


About Sven Türpe

Sven Türpe is a computer scientist. His current research focus is on security engineering methods, techniques, and tools. All opinions expressed in this blog are his own.

One thought on “10 Essential Security Checks

  1. Your list is definitely more security orientated but less about last minute checks. More important, I am not to sure who needs what. Could you make an example or rather a classification – juggling club vs. small enterprise?

Comments are closed.