Almost every company has some type of Web presence – ranging from simple brochure sites to sophisticated transaction-oriented applications – and therefore has some type of conduit from the general Internet to company resources and or company data.
The fact is that identity theft and access to confidential or private information through Web applications is one of the fastest-growing exploits on the Internet. The reason is that most Web applications have not been developed with a keen eye toward the hostile Internet environment and are not using appropriately secure methods of authentication and authorization.
Everybody allows a variety of Web protocols and programs directly through their firewalls and routers. Because you cannot stop this traffic from coming through your barrier systems, you have to do an outstanding job of creating an environment that detects malicious attempts that you cannot prevent and prevents as many different types of exploits as possible.
To do this, several areas need to be addressed, each in its own way!
- The host that the Web services run on.
- The supporting Web server infrastructure.
- The Web application itself.
It is important to understand that these components are independent of each other and that effective Web security depends on getting each of them right. Failure of one part could may mean failure of the system as a whole.
For example, a company may have done a good job deploying a minimally configured and well-hardened host and have a well-configured Web server, but if it has a Web application designed using poor assumptions about authentication, authorization or session management, the system as a whole is vulnerable.
To achieve a robust Web presence, you need to look at each of these three areas and perform the testing and remediation measures each requires. Either that, or let some determined intruder or hacker do it for you!