Running a Web site can lead to an enormous amount of worry. This is particularly true for security matters, which become your Web hosting company's problem, unless you're hosting your own site. Chances are you're not. And that doesn't mean you shouldn't be concerned about security, or that you can ignore security issues because somebody else is responsible.
Anyone who's familiar with Internet security in general, and Web server security in particular, knows that security is no "set it and forget it" job, but rather, a call for constant vigilance and attention.
In plain English this means that somebody has to be watching out for intrusions, exploits, break-ins, fraudulent transactions and all kinds of other things on an everyday basis.
What should you do about Web security, as an informed Web hosting consumer or as a Web site administrator? Here are some answers to that question:
1. Ask your Web hosting provider about their security measures. If they can't make you comfortable with their answers, you might want to start looking for another home for your Web site. If the company can't give you a reasonable outline for a strong security routine and active security consciousness, the same thing applies.
2. What about the security policy? A security policy is a statement of what gets secured, how, and what kinds of steps and actions the provider takes to deal with security problems. "Huh?" is not a good answer to this all-important question,
3. Get educated about security issues and answers. You can take a class or read a book for very little expense. Right now, I think Hacking Exposed by Stuart McClure, Joel Scambray and George Kurtz, is the best general book on network and computer security available in print. It takes a hands-on, no-nonsense approach to airing the issues and explaining the remedies they require and does a good job of covering these topics from the Windows NT and Linux fronts.
4. Stay in touch with security issues and answers. These tend to focus around specific operating systems (Windows NT or Linux), around specific Web servers (Apache, IIS, WebSite Professional and so forth), and around specific application-programming interfaces, or APIs (CGI, ActiveX, ISAPI, NSAPI and so forth). Make sure you know what your Web site uses, and keep up with the issues. Visit my security resources Web page at http://www.lanw.com/training/interop/securityurls.htm for some great sources of information on this topic. WARNING: This means reading mailing lists and keeping up with key Web sites that follow security matters. Regular effort will be required!
5. Whenever you solicit input from your users -- be it to fill out a survey, complete a transaction, sign up for a mailing list, or whatever, remember that user input provides a way for strangers to interact with your Web site and its precious data. Make sure you consider all the possible security angles involved, and avoid loose or insecure coding practices that can open up back doors for the knowledgeable and unscrupulous. If you read Hacking Exposed, or check out the various Bug Tracks or security mailing lists, you'll know exactly what I mean here. When you open the door for user input, you have to be ready for anything -- and I mean ANYTHING -- to come through that door. Although I don't want to belittle the impact that weak security can have on an online business, I also want to stress that most Web hosting providers understand this as well as I do, and take reasonable precautions to avoid potential sources of trouble and strife. But if you don't keep an eye on this ball, it may come out of nowhere and bite you somewhere unpleasant. You've been warned!
Be careful out there.About the author
Ed Tittel is a principal author at LANWrights, Inc, a wholly-owned subsidiary of LeapIt.com. LANwrights is a training and consulting company that covers the Internet, networking and Web topics, and various IT certifications (Microsoft, Novell, Sun/Java, Prosoft/CIW).
Related book Hacking Exposed, Third Edition
Authors: Joel Scambray, Stuart McClure and George Kurtz
In today's round-the-clock, hyper-connected, all-digital economy, computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions, Third Edition brings even more in-depth insight into how hackers infiltrate e-business and how they can be stopped. Security insiders Stuart McClure, Joel Scambray and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy, and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network today -- before they end up in the headlines tomorrow.
This was first published in August 2000