Website Security – Part 3 – Securing Applications

Many websites make use of one or more applications. Any code written to provide some particular set of functions can be considered an application. Some applications are custom designed, some are open source (free to the public) and some are commercial (cost money). We will discuss some of the security implications associated with each.

Custom Applications
Many websites use custom designed applications to provide some function that is unique to that site. Even the simplest application presents an opportunity for attackers if proper security measures aren’t taken. Database access and login functions are particularly exposed. Attackers have automated tools that try many username and password combinations looking for “weak” credentials. A good login system insists on a minimum password length, rejects passwords that appear in published breach lists, and limits how many failed attempts a single account or source address can make before it slows down or locks the account. Requiring a mix of letters, numbers and symbols helps less than it seems: a password such as “Password1!” satisfies that rule and is still among the first guesses an attacker’s tool will try.
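The following is an added example, not code from the original article, showing what the login rules above look like in practice: a password policy based on length and a breach list rather than a symbol mix, salted slow hashing of the stored password, and a per-account lockout after repeated failures. The thresholds (MIN_LENGTH, MAX_ATTEMPTS, LOCKOUT_SECONDS) and the small BREACHED list are assumptions chosen for illustration.

```python
"""Login hardening: a password policy check and per-account attempt throttling.
Added example, not code from the original article. All names and thresholds
here (MIN_LENGTH, MAX_ATTEMPTS, LOCKOUT_SECONDS, the BREACHED sample list) are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12            # assumed policy: length matters more than symbol mix
MAX_ATTEMPTS = 5           # assumed: failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window
PBKDF2_ROUNDS = 100_000

# Constructed sample of passwords found in public breach dumps. A real deployment
# would check against a full list (or a k-anonymity API) rather than this handful.
BREACHED = {"password", "123456", "qwerty", "letmein", "Password1!", "welcome1"}


def password_policy_problems(pw: str) -> list:
    """Return the reasons a candidate password is unacceptable (empty list = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in {b.lower() for b in BREACHED}:
        problems.append("appears in a breached-password list")
    if len(set(pw)) < 4:
        problems.append("too repetitive")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Minimal in-memory user store with brute-force throttling."""

    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, hash)
        self._failures = {}  # username -> (failed_count, locked_until)
        self._clock = clock  # injectable so the lockout can be tested without sleeping
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        problems = password_policy_problems(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # do not even check the password while locked
        # Always compute a hash, even for unknown users, so response time does
        # not reveal which usernames exist.
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        candidate = _hash(password, salt)
        ok = username in self._users and hmac.compare_digest(candidate, stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_ATTEMPTS:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"
```

The lockout here is keyed on the username; production systems usually also throttle by source address and add a delay that grows with each failure, so that an attacker spreading guesses across many accounts is slowed down as well.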

Databases are vulnerable to several kinds of attack, including “SQL Injection”. When an attacker can reach a legitimate HTML form whose input ends up in a database query (a login or contact form, for example), they can enter text that, if the application does not handle it properly, is interpreted as part of the query itself. That can let the attacker bypass a login, read other users’ data, or gain full read and write access to the database.

This is straightforward to guard against if your developer knows the risk: the query is sent to the database with placeholders (parameterized queries or prepared statements) and the form values are supplied separately, so user input is never treated as SQL. Simply banning or stripping certain characters is not a reliable defense; it breaks legitimate input such as names containing apostrophes, and it is routinely bypassed. Generally speaking, the security of a custom application is only as good as the developer’s knowledge of security issues. If you have security concerns about your site, hire an experienced developer for your application development.

Open Source Applications & Commercial Applications
One of the great things about the internet is open source applications. “Open Source” means that anyone can obtain the code for an application and customize it however they see fit, for free. Open Source software is usually developed by a community of authors and comes with varying levels of help and support.

These applications can be huge time savers, and what is better than free? Open Source applications include Drupal (CMS), WordPress (blogging application), Zen Cart (shopping cart) and more. The downside is that attackers know these applications run on a great many websites. If they find a vulnerability in one of them, they can use it against every site running the affected version. With automated scanners (bots that crawl the web and identify which application and version each site runs), they can locate installations of the app and exploit the flaw soon after it becomes known.

Most Open Source applications are reasonably secure, but there are no guarantees. The defense is to follow the recommended installation procedures and to keep up with application updates. Most applications are updated regularly, often for security reasons, so subscribe to the project’s security announcements to hear about updates promptly. Also, if your developer modifies the app, the same concerns apply as for Custom Applications, and edited core files make every later update harder to apply; prefer the application’s plugin or theme mechanism over editing its code directly.

Commercial Applications share the same concerns as Open Source, except that your developer typically can’t modify the application. Again, stay up to date with your application versions; more often than not, an update contains a security patch.

Website applications are what bring the web to life and are used on most sites. As a website owner, it is important to understand that every application carries security issues, to discuss them with your developer, and to keep an inventory of which applications and versions your site runs so you know what needs updating when a patch is released.