AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Tuesday, June 02, 2009
Lax Web Site Security: The Site Owner’s Responsibility
SQL Injection vulnerabilities have been around for a long time, and web site managers are, or should be, very familiar with them. A SQL Injection is the insertion of malicious code that exploits a vulnerability in the database layer of a web application. A thorough explanation of SQL Injections can be found on Wikipedia.
This morning, PC World reported that thousands of websites have been attacked in what appears to be an automated fashion. Sites are being tested for specific vulnerabilities, and where the vulnerabilities are present, they are exploited. Malicious code is inserted into the site, which then infects the PCs of end users who are exposed via IE and Firefox vulnerabilities. The article states that it is as yet unclear what the hackers will do with these compromised sites, but that the attack is very widespread.
Just as offline customers have to take some responsibility, for example not leaving their purse unattended in a shopping cart, online users should take reasonable responsibility for their systems. For example, they should ensure they are up to date on patches and running A/V software that is current. Still, the prime responsibility for blocking attacks that occur on the site resides with the corporations that run the websites.
The developers need to be careful and responsible in how they prepare their code and how the site will be designed and structured so as not to expose the users. Some things IT can do to prevent attacks:
- Scan for vulnerabilities on a regular basis to make sure that the site is up to date and that new exploits do not expose consumers and users to these types of vulnerabilities.
- Deploy application firewalls or Intrusion Prevention Systems configured to filter malicious input. Some organizations are required to have an application firewall, but it is also just good practice.
- Leverage third-party sources to obtain an outside and independent review of the website's security on a regular basis. At the very least, organizations should have a separate reporting structure for Audit and Risk from their operational IT organization.
Could we use more end user education on browsing the Internet safely? Of course. But just as a brick-and-mortar business has the responsibility to provide a safe environment for its customers, so too does the online web presence. Ultimately the site owner must take these basic and inexpensive steps to protect the Internet public that we try so hard to drive to our sites in the first place.
What do you think, site owners: is it your responsibility to provide a safe environment for customers on the Web, or does the visitor surf at his or her own peril?
