Understanding risk will help us manage it

how to secure your web site

1. “Get Real” about security
If every single computer company in the world including the likes of Microsoft, Cisco, Check Point, Oracle, SCO and SAP can’t produce 100% secure software, then the chances of your website being (and remaining for all time) completely impenetrable are precisely zero.

Both software vendors and customers must get real about the nature of computer software, and the risks of publishing their wares on the internet. Systems can be made secure and kept that way only by investing time, effort and money. There are no quick-fixes, nor magic pieces of technology that will keep a naively built website from spewing out customers’ identities, credit card numbers, or your client database in front of your biggest competitor.

2. Start with a risk assessment
Information Security is about risk management, and risk management starts with a risk assessment. You should be asking questions like:

What is the nature of the information the website is handling, processing or storing?

Where and how is information held, and how long is it held for?

How many users will interact with the site?

Are the users all IT experts, who may be tempted to “explore”, or are they IT novices who might fall for phishing or spoofing attacks?

How do you authenticate the users (e.g. username, password, specific digits from a memorable date, etc.)?

Are there any special controls in place to prevent disclosure?

What third party testing has been carried out?

What guarantees, insurances and contracts are in place to back up the promises of your suppliers?

What would happen if your information fell into the wrong hands?

How are your customers / bankers / suppliers likely to react?

3. Get things down on paper
Before you commence any development project with a supplier, you should endeavour to write into the contract as much detail as possible relating to the expected security outcomes. Specifics are crucial, because where contracts are “silent”, it remains up to a court of law to interpret what was meant by meaningless phrases such as “the system must be secure”.
Things that you should consider might include:

The types of incidents that would be considered serious (e.g. disclosure of clients’ personal details, corruption of orders, denial of service, etc.).

Any specific vulnerabilities that the system should guard against - for example those identified in the OWASP top ten (see point 4).

Who will actually be writing the software (i.e. that it’s not being outsourced to subcontractors working for 3p an hour in the Far East), and the minimum levels of skills, knowledge, experience and training you expect those working on / running your project to possess.

Whether you expect the code under development to be made available for peer review or an independent code review.

Whether penetration testing is to be carried out, and if so, who is liable for failures and flaws discovered during penetration testing, and who pays for the testing and any re-test(s).

Who is liable for failures and flaws discovered in the future.

Any limitations in the liability of the vendor.

Specific requirements for insurances, professional indemnities, etc., and whether they cover the activities in which your suppliers are to be engaged.

4. Build a secure application
What is clearly common sense is rarely common practice. The art of building a secure application starts before the first line of code is ever written. As many companies have discovered to their cost, security cannot simply be bolted on; it must be designed in from day one.