Website security checklist will be a priority in 2018. According to the State of Cybercrime 2017 report, cyber crimes will cost companies $6 trillion annually by 2021 with more than 3.5 million unfulfilled cyber security positions.  The average cost of a data breach is already over $7 million in the US alone making business owners anxious.

data breach cost

While cloud adoption has solved scaling, customizing, and infrastructure maintenance and delivery problems, securing web assets is a major concern for online businesses. Here is your guide to keeping your business, customers, and transactions secure from hacking attempts.

Scan website for weaknesses

Gartner Group estimated that more than 70% of breaches happen at the application layer. Web applications serve numerous clientele and customers. Clearly, hackers have higher motivation in targeting apps to bring down critical business processes. Automated website/application scanning is the most effective way of finding security loopholes that hackers might target. This is the first step towards securing business websites.

AppTrana Basic Scanning (Free Forever): provides biweekly security scans that look for OWASP Top 10 and SANS Top 25 vulnerabilities. You can scan up to 250 pages of a website and receive a detailed report on security issues like XSS, SQL Injection and more.

owasp website securityKeep software updated

It is obvious yet overlooked. Software patches play a crucial role in keeping your site secure from hackers. This applies to everything in your bucket including server operating systems, CMS, and other software used in the company. When security holes are found in a third-party application, hackers target all the websites using that susceptible version of the software.

Many developers defer updates citing delivery deadlines. The massive “WannaCrypt” ransomware attack is one recent example of an attack that crippled computers in at least 150 countries and caused damages worth $4 billion.

Validate user data

Allowing users to send or upload anything to your server is a huge security loophole. From a business point of view, interactive interfaces are efficient, but the risks are high. Even a simple non-sanitized string in the username field or file upload in the image section can bring the servers down.

sqli secure website

You need to treat all user inputs with great suspicion and ensure that only predetermined input formats are accepted. Ensure that your firewall is blocking all kinds of executable files and other user inputs. Also, prohibit physical access to the server completely.

Get periodic penetration testing

Business applications are complex. There are several variable settings across backend/frontend servers and APIs that are exclusive to your business. Automated scanning tools have their limitations, especially if your application is built on varying logic.

- An e-commerce site allows users to add items to their cart, view a summary page, and then pay. What if they could go back to the summary page, maintaining their same valid session and inject a lower cost for an item and complete the payment transaction?
- Can a user hold an item infinitely in their shopping cart and keep others from purchasing it?
- Can a user lock an item in a shopping cart at a discounted price and purchase it several months later?
- What if a user books an item through a loyalty account and gets loyalty points but cancels before the transaction is completed?
Pentest Process
Manual penetration testing or ethical hacking replicates all the attempts that a hacker would. They spend hours looking for weaknesses that would compromise the application’s function and suggest fixes to the developers.

Use HTTPS

Secured HTTP connections prevent hackers from intruding the communication between your website and users. Using Non-HTTPS communications, an attacker can trick the user into giving sensitive information or sending malware/executable code to the server.

ssl for website security

If your business applications handle sensitive data such as payment information, you will have to invest in quality SSL certificates to force cryptographic protocols across all website to browser communications.

Deploy a Web Application Firewall (WAF)

According to the Web Application Security Statistics Report, critical vulnerabilities are fixed in 146 days on average. That’s five months for hackers to try different attack methods. Change that to secure your website.

Fix Critical Vulnerabilities

A Web Application Firewall (WAF) is designed to patch application weaknesses (OWASP Top 10 and SANS 25) virtually while monitoring and filtering traffic. Also known as Layer 7 firewall, it stops attacks exploiting cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection without development/code changes in the application.

DDoS WAF

AppTrana WAF (14-Day Trial): Modern web application firewalls provide managed security in sync with scanning. AppTrana patches vulnerabilities to stop and monitor attacks. It’s an intelligent firewall that learns from frequent attack patterns and accepts custom blocking or logging rules instantly.

Monitor traffic surges

distributed denial-of-service (DDoS) attack uses multiple compromised systems or other network resources to overwhelm an online service, making it unavailable.

Any website can be compromised with a DDoS attack.

Monitoring fake traffic surges and stopping bots before damage is the only way to manage DDoS attacks. Periodic validation of your network and application’s security performance is advisable.

Keeping Site Secure Checklist

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.