SoFunction
Updated on 2025-04-13

Five misunderstandings about the security of web websites

Attacks on web sites have become a serious problem. Many attackers get past SSL encryption and firewalls, break into the web site itself and steal information. Armed with nothing more than a browser and a few tricks, an attacker can obtain customer credit card numbers and other confidential information held by a web site.

Now that firewalls and patch management have become standard practice, the network layer is better protected than it used to be. Unfortunately, as the old saying goes, when virtue grows a foot taller the devil grows ten: attackers have moved on to attacking web sites directly at the application layer. To improve the security of a web site, we first have to clear up five misunderstandings.

1. "Web websites use SSL encryption, so they are very secure."

SSL encryption alone does not make a web site secure. Enabling SSL means that data is encrypted while it travels between the visitor and the site; it says nothing about the safety of the data once it is stored on the site. Plenty of sites using 128-bit SSL have still been broken into. In particular, SSL does not protect visitors' private information: that information sits in the web server and its database, and an attacker who reaches the server through the application gets it regardless of how the transport was encrypted.

2. "Web websites use firewalls, so they are very safe."

A firewall filters access, but it cannot deal with many kinds of malicious behaviour. Many online stores, auction sites and bulletin boards have firewalls in place and remain fragile. A firewall works from an access list: it blocks the addresses and ports it has been told to block and lets the rest through. The trouble is that the firewall has no way to tell a well-intentioned request from a malicious one. A web site has to allow HTTP and HTTPS traffic from the whole world, and once a request has been allowed in, whatever it does to the application is beyond the firewall's reach.

3. "The vulnerability scanning tool did not find any problems, so it is very safe."

Vulnerability scanning tools have been in wide use since the early 1990s to find obvious network security vulnerabilities. But these tools do not understand the web application itself and cannot find flaws in its program logic.

A vulnerability scanner generates specially crafted requests, sends them to the web site, and analyses the responses it gets back. It compares each response against a list of known vulnerability signatures, and when something matches it reports a security vulnerability. Current versions of these tools can generally find more than 90% of the common security problems on a web site, but there is a great deal in a web application they are powerless against: a flaw in the application's own logic produces a perfectly normal-looking response, so there is no signature to match.
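The following is an added example, not code from the original article, illustrating the point made here and in misunderstanding 2. It simulates a tiny web application in memory (no network, no firewall to pass; the endpoints, users and signatures are all constructed) and a scanner that works the way the article describes: send crafted requests, compare the responses against known signatures. The signature scanner finds nothing, because the application's flaw is a missing authorization check that returns an ordinary 200 response; only a test that knows what the application is supposed to do can see it.

```python
"""Signature-based scanning versus an application-logic flaw.

Added example; the application, its data and the scanner signatures are
constructed for illustration and do not come from the article.
"""
import re

# --- a toy web application (constructed; everything is in memory) -------
ORDERS = {                      # order id -> (owner, card last four)
    1: ("alice", "4242"),
    2: ("bob", "1881"),
}

def app(method, path, session_user):
    """Return (status, body). Logic flaw: /orders/<id> never checks that
    the order belongs to session_user, so any logged-in user can read
    anyone's order by changing the number in the URL."""
    m = re.fullmatch(r"/orders/(\d+)", path)
    if m and method == "GET":
        order = ORDERS.get(int(m.group(1)))
        if order is None:
            return 404, "not found"
        owner, last4 = order
        return 200, f"order for {owner}, card ending {last4}"
    if path == "/":
        return 200, "<html>Welcome</html>"
    return 404, "not found"

def app_fixed(method, path, session_user):
    """Same application with the authorization check in place."""
    m = re.fullmatch(r"/orders/(\d+)", path)
    if m and method == "GET":
        order = ORDERS.get(int(m.group(1)))
        if order is None:
            return 404, "not found"
        owner, last4 = order
        if owner != session_user:
            return 403, "forbidden"
        return 200, f"order for {owner}, card ending {last4}"
    return app(method, path, session_user)

# --- a signature-based scanner, as the article describes it -------------
SIGNATURES = [
    # (probe path, regex expected in a vulnerable response, finding name)
    ("/phpinfo.php", r"PHP Version", "phpinfo exposed"),
    ("/.git/HEAD", r"^ref: refs/", "git metadata exposed"),
    ("/orders/1'", r"(SQL syntax|ODBC|ORA-\d+)", "SQL error disclosure"),
]

def scan(target):
    """Send each probe as an anonymous client and report signature hits."""
    findings = []
    for path, pattern, name in SIGNATURES:
        status, body = target("GET", path, session_user=None)
        if re.search(pattern, body):
            findings.append(name)
    return findings

# --- an authorization test the scanner has no signature for -------------
def authz_test(target):
    """Act as alice and request bob's order; a 200 with bob's data is
    the flaw. Returns True when the flaw is present."""
    status, body = target("GET", "/orders/2", session_user="alice")
    return status == 200 and "bob" in body

if __name__ == "__main__":
    print("scanner findings:", scan(app))        # []
    print("IDOR in app:", authz_test(app))         # True
    print("IDOR in app_fixed:", authz_test(app_fixed))  # False
```

The scanner reports a clean bill of health for both versions of the application; only the authorization test, written against what the application is meant to do, separates the vulnerable version from the fixed one.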

4. "The security problems of website applications are caused by programmers"

Programmers do cause some of the problems, but some problems are beyond any programmer's control.

For example, the application's source code may originally have been obtained from somewhere else, outside the control of the company's own developers. Or the company may have commissioned custom development from offshore developers and integrated it with the original program, which can introduce problems of its own. Or a programmer may take some freely available code and modify it, and the code brings hidden security issues with it. For an extreme example, consider two programmers working together on one project: each one's code is sound and secure on its own, yet when the two parts are integrated a security vulnerability can appear.
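The last case above is easier to believe with a concrete instance. The following added example (not code from the article; the function names, the root directory and the file table are all constructed) shows two components that are each correct on their own terms and a composition of them that is not. One developer validates the request path at the edge, decoding it once and rejecting traversal. Another writes a file server that, to be tolerant of its callers, decodes the path it receives. Integrated, the request is decoded twice, and a doubly encoded ".." passes the validator and reaches the file server.

```python
"""Two individually correct components, one vulnerable composition.

Added example; validate_path, serve_file, ROOT and FILES are hypothetical
names and data constructed for illustration. The file tree is a dict, so
nothing touches the real filesystem.
"""
import posixpath
from urllib.parse import unquote

ROOT = "/var/www/public"

# Constructed stand-in for a file system: absolute path -> contents.
FILES = {
    "/var/www/public/index.html": "<h1>hello</h1>",
    "/var/www/secret.key": "-----BEGIN PRIVATE KEY-----",
}

# Component A (developer one): input validation at the edge.
# Decodes the request path once and rejects traversal and absolute
# paths. Correct as far as it goes.
def validate_path(raw):
    decoded = unquote(raw)          # single-pass decode: %25 -> %
    if ".." in decoded or decoded.startswith("/"):
        return None
    return decoded

# Component B (developer two): a file server that decodes the path it is
# given before using it. Also fine on its own, provided callers pass it a
# path that has not already been decoded.
def serve_file(path):
    path = unquote(path)
    full = posixpath.normpath(posixpath.join(ROOT, path))
    return FILES.get(full, "404")

# The integration: A then B. Each step decodes once, so the request is
# decoded twice; "%252e%252e" becomes "%2e%2e" in A (no "..", accepted)
# and ".." in B.
def handle_request(raw):
    path = validate_path(raw)
    if path is None:
        return "400"
    return serve_file(path)

# Hardened integration: decode exactly once, canonicalize, and enforce the
# root boundary on the resolved path rather than by string matching.
def handle_request_fixed(raw):
    decoded = unquote(raw)
    full = posixpath.normpath(posixpath.join(ROOT, decoded))
    if full != ROOT and not full.startswith(ROOT + "/"):
        return "403"
    return FILES.get(full, "404")

if __name__ == "__main__":
    print(handle_request("index.html"))                 # <h1>hello</h1>
    print(handle_request("%2e%2e/secret.key"))          # 400, caught by A
    print(handle_request("%252e%252e/secret.key"))      # leaks the key
    print(handle_request_fixed("%252e%252e/secret.key"))  # 404
```

The fix is not a third validator but a single point of decoding, followed by a check on the canonical path that the file server will actually open. The fixed handler also catches an absolute path such as "/etc/passwd", which posixpath.join would otherwise let replace the root.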

Realistically, software always has bugs, and new ones are found every day; security vulnerabilities are simply one kind of bug. Training developers does raise code quality to a degree. But everyone makes mistakes, vulnerabilities are inevitable, and some of them take years to be discovered.

5. "We conduct security assessments on web sites every year, so it's very safe."

The code of a web application generally changes very quickly. An annual security assessment is necessary, but the site that was assessed may be very different from the site running today. Every change to the application can introduce a new security problem.

Web sites like to roll out new versions of their applications ahead of holidays, with Christmas the typical peak. They tend to add many new features while ignoring security. Since a site that stops adding features suffers commercially, the features will keep coming; the answer is to have professional security staff involved at every stage of development, not only at the annual review.