Are you aware of Web Security?

Hi all,
Today I am going to write something about IT security. In the past two weeks I have been focusing on web security more than before; in particular I have been looking at open source CMSs and their potential vulnerabilities.

First of all I would like to mention that most content management systems are by now relatively secure. However, this has not always been the case, and often a vulnerability is not only a matter of the web application that permits the abuse, but also of the configuration of the web server. Basically, the web application is just the key that opens the door to the machine where the actual harm is done.

If you plan to install a content management system, or if you have installed one already, then you should not go blindly by what the developers' websites tell you. Certainly they have done a great job programming everything, but nobody is perfect, and if you spend a lot of time on a certain piece of code you may simply become blind to its risks.

If you were to purchase a new household item, you would not only read what the provider tells you about it, but you would probably read third-party reviews as well before purchasing, just to make sure that what you get is what you need. If one of the reviews told you that the item you were looking at was not the safest, you would certainly think twice.

Could this be done for web-applications as well?
The answer is YES. There are many open source developers, but there are just as many people dedicated to testing web applications for security. The results of such tests are stored in openly available databases; there you can usually enter the name and version of the web application you intend to use and get either no results or a list of vulnerabilities. If you are lucky, there will be hints on how to reproduce the issue on your system, so you can check whether the problem exists in your version.

Databases that you can use are:
The Exploit Database: http://www.exploit-db.com/
The Open Source Vulnerability Database: http://osvdb.org/
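As an added example (not part of the original post), here is a small Python script showing how the lookup described above can be automated once you have the advisory records in hand: it compares your installed version against each advisory's affected range using proper numeric version ordering, since plain string comparison would rank 2.10 below 2.9 and silently miss an affected install. The product name, advisory identifiers and version ranges are constructed placeholders, not real advisories.

```python
# Added example: check an installed CMS version against advisory records.
# Every advisory below is a constructed placeholder for a hypothetical CMS
# "examplecms"; real records come from a vulnerability database lookup.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1) so versions compare numerically, not as strings
    (as strings '2.10' < '2.9'). Trailing zeros are dropped: '2.10' == '2.10.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class Advisory:
    product: str
    ident: str               # placeholder advisory id, not a real one
    affected_through: str    # highest affected version (inclusive)
    fixed_in: Optional[str]  # None when no patched release exists yet


ADVISORIES: List[Advisory] = [
    Advisory("examplecms", "EX-0001", affected_through="2.8", fixed_in="2.9"),
    Advisory("examplecms", "EX-0002", affected_through="2.10.0", fixed_in="2.10.1"),
    Advisory("examplecms", "EX-0003", affected_through="3.0", fixed_in=None),
    Advisory("othercms", "OT-0001", affected_through="1.5", fixed_in="1.6"),
]


def affected_advisories(product: str, installed: str,
                        advisories: List[Advisory] = ADVISORIES) -> List[Advisory]:
    """Advisories whose affected range covers the installed version."""
    v = parse_version(installed)
    return [a for a in advisories
            if a.product == product and v <= parse_version(a.affected_through)]


def upgrade_target(product: str, installed: str,
                   advisories: List[Advisory] = ADVISORIES) -> Optional[str]:
    """Lowest version closing every fixable advisory, or None if none apply.
    Unfixed advisories still show up in affected_advisories(); only a
    mitigation or a later release can close those, not an update."""
    fixes = [parse_version(a.fixed_in)
             for a in affected_advisories(product, installed, advisories) if a.fixed_in]
    return ".".join(map(str, max(fixes))) if fixes else None
```

Running `affected_advisories("examplecms", "2.10")` reports EX-0002 and EX-0003, and `upgrade_target` answers "2.10.1"; the unfixed EX-0003 remains open and is exactly the case where you keep re-running the check rather than doing it once.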

I have found no issues, am I safe?
Personally, I tend to say that something like safety does not exist on the world wide web: it is an emerging technology that changes rapidly, and new issues are found from time to time. Furthermore, several factors play a part in determining security. Even if a web application is secure, some other setting on your server could be the trouble spot, and sometimes even components outside your responsibility can get compromised, which results in a security risk to your data.

Stay up-to-date!
I have often found web applications that were vulnerable to very basic, high-impact attacks; mostly these were a few years old, and when I checked the provider's website I found newer versions that no longer had the security holes. So one thing you should keep in mind is to check for updates: do not run the security check once, run it regularly. If an update is provided, use it; developers do not put effort and time into improving something just for fun.

If the update is a bug fix, I tend not to hesitate with the install. However, if the update is a major new version of the system and you know that your system is not urgently insecure at that moment, you should consider waiting about 10 days before updating. This gives IT security enthusiasts like me a chance to check the new version and publish possible security holes to the corresponding databases.

Awareness
I think the general problem with insecure websites is that both the users and the providers of a website only see the visual front end. Unlike with cars, there is no warning light that comes on when a security system fails, and few of those who know about the security hole on your website will have the ethics to send you an email with a little warning. In many cases the security hole will simply be exploited to get hold of your data, the data of your users and other sensitive items.

Make yourself aware that there is sensitive technology behind the colourful thing you see on your screen. Remember that you are the one who controls the system, and therefore you are responsible for protecting your data and the data of your users. And please, if you get an email telling you that something is insecure, do not wait too long to fix it.
