What is the most significant security risk?
SQL (Structured Query Language) Injection is one of the biggest security issues: it is both extremely dangerous and fairly widespread. In our web security workshop we show how a single SQL Injection flaw can be used to retrieve admin passwords, log into the admin area without needing a password at all, and update every news item on the web site in a single hit.
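The three attacks described above, as an added example that is not code from the original page or from the workshop. It uses Python's built-in sqlite3 module; the schema, the sample rows and the plaintext admin password are constructed here so the script runs offline (a real system would store a password hash, but the page's scenario is retrieving the admin password, so a plaintext column mirrors it). Each vulnerable function splices user input into the SQL text; the hardened version beside it runs the same query with bound parameters, so the same payloads are treated as plain values.

```python
import sqlite3

# Constructed sample database: not the page's schema or data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret-admin-pw');
        INSERT INTO users VALUES (2, 'alice', 'alice-pw');
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'First story');
        INSERT INTO news VALUES (2, 'Second story');
        INSERT INTO news VALUES (3, 'Third story');
    """)
    return db

# --- Vulnerable versions: user input becomes part of the SQL text ----------

def login_vulnerable(db, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def search_news_vulnerable(db, term):
    sql = "SELECT title FROM news WHERE title LIKE '%" + term + "%'"
    return [r[0] for r in db.execute(sql)]

def retitle_news_vulnerable(db, news_id, title):
    # news_id comes straight from the URL and lands in the WHERE clause.
    cur = db.execute("UPDATE news SET title = '" + title + "' WHERE id = " + news_id)
    db.commit()
    return cur.rowcount  # number of rows actually changed

# --- Hardened versions: the same queries with bound parameters -------------

def login_safe(db, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def search_news_safe(db, term):
    sql = "SELECT title FROM news WHERE title LIKE ?"
    return [r[0] for r in db.execute(sql, ("%" + term + "%",))]

def retitle_news_safe(db, news_id, title):
    # The id is bound as a value: "1 OR 1=1" is compared as a string, not executed.
    cur = db.execute("UPDATE news SET title = ? WHERE id = ?", (title, news_id))
    db.commit()
    return cur.rowcount

# The three payloads, one per attack the page describes (constructed here).
BYPASS_USER = "admin' --"      # the -- comments out the password check
DUMP_TERM = "' UNION SELECT password FROM users WHERE username = 'admin' --"
ALL_ROWS_ID = "1 OR 1=1"       # makes the UPDATE's WHERE clause always true

def demo():
    """Run each payload against the vulnerable and the hardened function."""
    db = make_db()
    return {
        "bypass_vuln": login_vulnerable(db, BYPASS_USER, "anything"),   # 'admin'
        "bypass_safe": login_safe(db, BYPASS_USER, "anything"),         # None
        "dump_vuln": search_news_vulnerable(db, DUMP_TERM),             # includes the admin password
        "dump_safe": search_news_safe(db, DUMP_TERM),                   # []
        "retitle_vuln": retitle_news_vulnerable(make_db(), ALL_ROWS_ID, "Defaced"),  # 3 rows
        "retitle_safe": retitle_news_safe(make_db(), ALL_ROWS_ID, "Defaced"),        # 0 rows
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The fix is not escaping quotes by hand but keeping data out of the query text altogether: with placeholders the database driver never parses the payload as SQL, so `admin' --`, the `UNION` and `1 OR 1=1` all fail harmlessly while ordinary logins and searches keep working.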
After SQL Injection, probably the highest risk is weak passwords. Amazingly, many live systems still have a test user in the database with both username and password set to “test”. The passwords “password” and “password1” are also extremely common. In 2008 a post appeared on MP Harriet Harman's blog announcing that she was defecting to the Conservative Party. Whoever wrote it had little difficulty getting into the account: the username was “harriet” and the password was “harman”.
The other risk that is both common and very serious is XSS (Cross-Site Scripting).
How can I check my web site is secure?
Checking everything that needs checking usually takes years of experience. We do show some useful tricks and tools in our web security workshop, where you can learn to test for common problems such as XSS and SQL Injection, but you are much better off having the system checked by a professional.
How widespread are serious web security problems?
If we were the bad guys, we could track down a vulnerable site, break in and retrieve credit card numbers within 20 minutes.
We often get asked to take over maintenance of sites that have been built by third parties. Although we don't keep statistics, we find serious security problems in roughly half of them.
This sounds unbelievable. Why is the state of the industry so poor?
In fairness, the sites we see are not a representative sample. Many of the systems we've taken over were built before security was such a priority, and people often change suppliers precisely because of poor-quality development by their existing one. Even so, we'd be surprised if fewer than 25% of live systems had at least one serious problem.
What should I do if I find a serious security problem in my web system?
If you've got a SQL Injection problem on a site that holds customer data or credit card information, take the site down immediately while it is fixed, assume the data may already have been taken and check the server and database logs for signs the hole was used, make sure the site is fully security tested, and only then bring it back online.
If the consequences of a breach aren't as serious or the vulnerability is fairly low risk, taking the site offline might not be necessary.
One common mistake is to go back to the original developers of the site. If a development team has left a serious security hole in a web application, they are not the best people to tell you whether the system is now secure. Even with our own exacting security processes, we recommend that our clients with mission-critical applications also have their systems independently security assessed.
Please get in touch to find out more