• What do you do for Web site security…?

    28 May 2008

    I received an email yesterday from Redmond Magazine (a good trade rag) that caught my attention. The title of the email said “Trust in Web Site Security is Declining. What Should You Do?” I thought: really? Are you serious? Well, I don’t know what to do, so let me see just what the solution is. [tongue in cheek]

    Lo and behold, it was an email sponsored by Verisign about their whitepaper entitled “Maximizing Site Visitor Trust Using Extended Validation SSL”. I thought: Oh yeah! That’s what you do to make your Web site secure, you use SSL. I’ve always been a big advocate of SSL for locking down all things Web-related. Not.

    I actually feel pretty strongly about SSL not being the solution to Web security, as evidenced here and here. Not that I’m biased about things I feel passionate about… Seriously, extended validation certs can be beneficial in the right context, but there’s WAY more to Web security than transport encryption and a validated certificate.

    The point I’m trying to make is that if trust in Web site security is declining and you need to know what to do, then you shouldn’t rely on technical solutions such as SSL and application firewalls for everything. SSL and application firewalls do serve their purpose. SSL is easy and you might as well do it; it’s another layer of security. Application firewalls do block a lot of malicious traffic. BUT they should only serve as a last layer of defense, not the main layer of defense that I’m seeing a lot of people turn to, as in the case of PCI DSS requirement 6.6, which lets an organization satisfy the requirement by installing a web application firewall instead of reviewing and fixing the application code.

    All in all, technical controls at the Web layer mostly serve to cover up underlying security problems that need to be fixed where they started: the source code and/or the server/application configuration. Does that mean you need to do a source code analysis? Not necessarily. HP and Klocwork aside, many of the static analysis tool vendors aren’t really that easy to deal with anyway, based on my experiences with them. I’ve been a big advocate of source code analysis in the past, but not to the extent that you have to deal with inflated egos, inflated prices, and bow at the altar of vendors to get anything done.

    Some basic and periodic Web security scans looking at your site from an untrusted outsider’s perspective AND a “trusted” (authenticated) user’s perspective are what you really need at first. If you’re going to have a secure Web site or application and don’t have the expertise in-house, hire an outsider to perform an independent web security assessment (such as yours truly). Whatever you do, just hire someone. Whoever does your Web application security assessments, make sure good tools like WebInspect (I know the Web site is lame, but the product really is good) and Acunetix Web Vulnerability Scanner are used, and that scans are done on a consistent and periodic basis, not just once.

    Using good tools (to their maximum potential, mind you) is easily 50% of the battle. The rest of the equation involves finding someone (internally or externally) to look at your Web site/application with a malicious mindset: business-logic abuse, authorization gaps between users, and the other weaknesses that no tool, no matter how good, would ever find on its own.

    That’s the real answer to Web site security.