You are reading The Rietta Blog, a publication about the web since 2005.

Web Application Security & Performance


By Frank S. Rietta, M.S. Information Security

As a business owner or manager, you need to be aware of the main legal liability and technical challenges that face any critical website or application. Your business will be better positioned to succeed if you understand how to answer these five key questions:

  1. Is your business making one or more of the top five web application mistakes that generate business risk?
  2. How can performance and security assessments help increase your ROI?
  3. Are you restricting your collection of personal information to reduce your civil liability risk under strict industry contracts and State data protection law?
  4. Is your web hosting provider providing an environment suitable for your business requirements and risk management profile?
  5. What are some of the effective means to organize your business and information technology processes to better protect your organization and your customers?

Read on to explore some of these topics in more depth.

Avoid Common Web Infrastructure Mistakes

With the current pace of technology, it is likely that your organization relies on web-based applications for critical business functions. Your application does not need to be a Google Mail or Amazon to affect people’s lives. Even small and medium-sized companies depend on their websites and web applications for everyday business operations.

Many web developers will point clients to Jakob Nielsen’s Top Ten Mistakes in Web Design. These concerns are a very important consideration for any business website. However, not all common mistakes are related to the usability and design. As you are working on getting your usability right, you also need to work on your infrastructure. Our development team members have each been working with PHP and MySQL websites and applications for a decade. In their experiences, the top five web application infrastructure problems encountered today are:

Top Five Web Application Mistakes

  1. Private information is collected for which there is insufficient business purpose
  2. SQL databases that are very slow because of inefficient design mistakes
  3. SQL databases that are likely to be compromised by hackers because of insufficient security
  4. PHP code that is vulnerable to SQL injection and cross-site scripting because it fails to treat all user-supplied input as potentially malicious
  5. Hosting arrangements that do not satisfy business needs

Does your critical business application fail at any of the above mistakes? Please keep reading to learn more about these issues so that you can begin your own self-assessment. Our team is also available to help.

Understanding these common areas for mistakes will help your organization make better informed decisions to reduce your business risks.

Assess Your Security & Performance

The best businesses make measured investments in their information technology infrastructure and web presence. The technology is part of the organization’s critical business infrastructure, and the return on that investment is of paramount importance to the bottom line. However, security and performance issues are two big sources of reduced ROI for technology investments.

Security incidents can lead to expensive incident response and remediation, and can bring attorney fees and liability damages into the mix. Performance issues can quickly annoy customers, driving them to your competitors. Therefore, smart business owners and managers continually monitor the status of their core infrastructure and assess its alignment with their business objectives.

Performance Assessments

Is your current PHP and MySQL code optimized such that your web presence can grow with your business? Many people pay good money to have a programmer build an application only to find that it will not scale as their business grows. Inefficient PHP code and SQL can bring even the fastest servers to a crawl once traffic increases beyond a moderate level.

Most inefficiency comes about in large applications through the inefficient use of the database server. A smart business owner or manager will ask his developers if they took care to effectively use the database server by:

  • Normalizing the schema such that data is not excessively duplicated
  • Using the index capabilities of the database server to efficiently reference commonly queried fields
  • Avoiding functions applied to indexed columns in query conditions, because they prevent the server from using the index

Even if you do not understand what these items mean, ask your developers to explain to you how the system works. While you might not be an expert in the technical matters, it is very important to show the people who work with you that these matters are considered important by the business.
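An added illustration of the third checklist item, written for this page rather than taken from the original post: the same query written so that MySQL cannot use an index, and rewritten so that it can, plus an EXPLAIN self-check. The `orders` table, its `idx_created` index, and the connection details are constructed assumptions.

```php
<?php
// Added example, not code from the original post. It illustrates the third
// checklist item above: a function wrapped around an indexed column defeats
// the index. Assumes a constructed MySQL table:
//   CREATE TABLE orders (id INT PRIMARY KEY, customer_id INT,
//                        created_at DATETIME, INDEX idx_created (created_at));

// Slow form: YEAR() must be evaluated on every row, so MySQL cannot use
// idx_created and has to scan the whole table.
const SLOW_SQL = 'SELECT id, customer_id FROM orders WHERE YEAR(created_at) = ?';

// Index-friendly form: the same condition expressed as a range on the bare
// column, which lets MySQL seek directly into idx_created.
const FAST_SQL = 'SELECT id, customer_id FROM orders
                  WHERE created_at >= ? AND created_at < ?';

// Bounds for "all orders placed in $year": [Jan 1 of year, Jan 1 of next year).
function yearBounds(int $year): array
{
    return [
        sprintf('%04d-01-01 00:00:00', $year),
        sprintf('%04d-01-01 00:00:00', $year + 1),
    ];
}

function ordersForYear(PDO $db, int $year): array
{
    $stmt = $db->prepare(FAST_SQL);
    $stmt->execute(yearBounds($year));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check a developer can run: EXPLAIN reports the index chosen in its
// `key` column, or NULL when the optimizer fell back to a full scan. Relies
// on PDO's emulated prepares (the MySQL driver default), which interpolate
// the parameters client-side before the EXPLAIN is sent.
function usesIndex(PDO $db, string $sql, array $params): bool
{
    $stmt = $db->prepare('EXPLAIN ' . $sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['key'] !== null;
}

// Usage (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'password');
// usesIndex($db, SLOW_SQL, [2012]);             // the function-wrapped column
// usesIndex($db, FAST_SQL, yearBounds(2012));   // the range on the bare column
```

Running both checks against a table with realistic row counts shows the difference the checklist item describes: only the range form lets the optimizer pick `idx_created`.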

Security Assessments

Will your website survive its first encounter with an aggressive security vulnerability scanner? Many, many web sites are susceptible to SQL injection and cross-site scripting attacks despite years of academic papers, industry white papers, and general awareness of the core technology problems. Did the developers of your application treat all, that is every single byte, of user-supplied input as potentially hostile? Did they use the tools that came for free with the programming environment to clean the input and mitigate these risks?

Just because your application has these vulnerabilities does not mean that your developers were bad people or generally incompetent. However, it does mean that they failed to take heed of well published practices for building secure software.

A smart business owner or manager will ask if each contractor or developer remembered to A.R.M. himself against SQL injection or cross-site scripting attacks. That is, for every POST or GET input, the developer explicitly coded the application to:

  • Accept it as valid and safe
  • Reject it as non-compliant and not safe
  • Modify it so that it is safe

At no time is it ever acceptable for an application to simply load a user-supplied input into a variable and simply assume that it is okay. Doing so always opens the door to major security vulnerabilities. Just don’t do it!
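The A.R.M. rule applied to three request fields, as an added example written for this page and not code from the original post: `id` is accepted only as a bounded integer, `email` is rejected when malformed, and `comment` is modified by output encoding before it reaches HTML. The field names, the `comments` table, and the PDO handle are constructed assumptions; the SQL side uses bound parameters so no input is ever concatenated into a query.

```php
<?php
// Added example, not code from the original post. Each request field gets an
// explicit Accept, Reject or Modify decision; nothing is copied into a
// variable and assumed safe. Field names and the `comments` table are
// constructed placeholders.

/** Accept: return the int only if it is a well-formed id in range, else null. */
function acceptId(array $input): ?int
{
    // filter_var returns false for missing values, arrays, floats, "1abc", etc.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]]);
    return $id === false ? null : $id;
}

/** Reject: throw on anything that is not a syntactically valid e-mail. */
function requireEmail(array $input): string
{
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Rejected: email is not well-formed');
    }
    return $email;
}

/** Modify: free text is kept, but bounded and encoded so it is inert in HTML. */
function modifyForHtml(string $text): string
{
    $text = mb_substr(trim($text), 0, 1000);            // bound the length
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Store a comment: values reach SQL only through bound parameters. */
function storeComment(PDO $db, array $input): void
{
    $postId = acceptId($input);
    if ($postId === null) {
        throw new InvalidArgumentException('Rejected: id is not a positive integer');
    }
    $email = requireEmail($input);
    $body  = (string) ($input['comment'] ?? '');
    $stmt  = $db->prepare(
        'INSERT INTO comments (post_id, email, body) VALUES (?, ?, ?)');
    $stmt->execute([$postId, $email, $body]);           // never string-concatenated
}

// When rendering, the stored body goes through modifyForHtml() before it is
// echoed into the page; the raw value is never written into HTML directly.
```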

Minimize Personal Information Collection to Reduce Civil Liability

Personal information is now protected by strict State data protection laws and PCI-DSS merchant security standards. The days that an organization could hire the cheapest developer to throw together a webpage and database without facing potentially devastating liability are long gone. If you collect or store any personally identifiable information, then you need to define your business need for the information and the risks associated with maintaining it. A data breach could very easily cost millions of dollars in civil liabilities to individuals and governments, enough to put a small business out of business for good!

There are good technical controls to protect information from a data breach, but managing these controls can become quite costly. Therefore, as a business owner or manager you need to carefully balance the business need for information with the costs of protecting it and the costs of it being leaked. By far the least expensive control is to not collect the personal information in the first place!

However, for those times that you absolutely need to keep the information, keep in mind these controls:

  • Dedicated servers with strong administrative passwords and few users
  • Database access controls with fine-grained permissions (it’s a feature of every DBMS, so use it)
  • Strong cryptographically secure hashing for passwords (SHA1 has been a part of PHP and MySQL for years, use it!)
  • Public key encryption for especially sensitive data

Of these four technical measures, properly managing public key encryption is the most costly. However, if you find yourself with a compelling business need to keep really sensitive personal information, then making sure the information flows are one way, with strong encryption and tight database access controls, is the way to do it.

If you are running an e-commerce operation, then seriously consider outsourcing your credit and debit card processing to PayPal, Google Checkout, or a similar provider. The costs associated with becoming a PCI-DSS compliant merchant far exceed the cost of using these services for most small and medium-sized businesses.

Consider Carefully your Hosting Provider

These are some basic questions that every business owner and manager should ask about his critical website and web application infrastructure.

  • Is your critical business infrastructure hosted on a $5/month shared hosting provider?
  • Does that company’s Service Level Agreements protect you if their network goes down?
  • Are you making independent backups of your database since their contract almost certainly says they are not responsible for data loss?
  • Are you running a web shopping cart on such a network in violation of the security terms of your merchant service agreement?

If you are running an e-commerce shopping site that stores and processes credit cards, then a shared web hosting environment is completely inappropriate and will result in you being liable under PCI-DSS. If you collect and store personal information that is subject to State data breach notification laws, then keeping your database on a shared web host opens the door to theft by other users on that server.

Therefore, as a business owner or manager, carefully count the costs associated with running your business. Paying $60 a year to host a newsletter or static website is one thing, but such an arrangement may not be ideal for supporting more serious business operations.

Review your Business & Information Processes

Do your organization’s management and business processes foster a culture of security?

About Frank Rietta


Frank Rietta specializes in working with startups and new Internet businesses, and in developing on the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.
