Another website attack vector is the local and remote file inclusions. "A website's code can call files either on a local server or on a remote public server. Using injection techniques, attackers can cause the site to display information from a password file or a list of usernames on the web server or to execute code that they want to run," says Sremack. So the code calls that reach out from the website are also a way in for the attacker.
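The inclusion pattern described above, as an added example that is not from the article: a handler that builds a file path straight from a request parameter, beside a hardened version that maps the parameter through an allowlist and confirms the resolved path is still inside the template directory. The demo site, its page names and the "secret" file are all constructed for this example.

```python
"""Vulnerable file inclusion beside its hardened form (added example)."""
import os
import tempfile

# Constructed demo layout: a templates directory holding two legitimate pages,
# plus a sensitive file one level up that must never be served.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
TEMPLATES = os.path.realpath(os.path.join(ROOT, "templates"))
os.makedirs(TEMPLATES)
for name, body in (("home.html", "<h1>Home</h1>"), ("about.html", "<h1>About</h1>")):
    with open(os.path.join(TEMPLATES, name), "w") as fh:
        fh.write(body)
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("db_password=constructed-example")  # constructed sensitive content


def include_vulnerable(page: str) -> str:
    """The pattern the article warns about: the request parameter is joined
    onto the path with no validation, so a value such as '../secret.txt'
    reads a file outside the template directory."""
    with open(os.path.join(TEMPLATES, page)) as fh:
        return fh.read()


# Allowlist: the only values the 'page' parameter may take, and the file each maps to.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def serve(page: str) -> tuple:
    """Hardened handler. Returns an (HTTP status, body) pair.

    Two independent checks: the parameter must be an allowlisted key, and the
    resolved path must still lie under TEMPLATES after symlinks and '..' are
    collapsed. The second check is defence in depth should the allowlist ever
    be populated from a less trusted source."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return (404, "not found")
    full = os.path.realpath(os.path.join(TEMPLATES, filename))
    if os.path.commonpath([full, TEMPLATES]) != TEMPLATES:
        return (404, "not found")
    with open(full) as fh:
        return (200, fh.read())


if __name__ == "__main__":
    print(serve("home"))
    print(serve("../secret.txt"))
```

The allowlist is the real control; the `commonpath` check only guards against mistakes in how the allowlist is built. Logging the rejected `page` value at the 404 branch gives the monitoring team the signal the article asks them to watch for.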
Fixing website security holes
"Enterprises must adhere to security best practices such as those from the Open Web Application Security Project (OWASP) from the very start of the development process," says Venable. All testing including web application assessments, pen tests, and static analysis should occur pre-production, after any code changes, and on at least an annual basis, according to Venable. Surround websites and web applications with WAFs and IDS and install a 24/7 monitoring team to identify and remediate attacks in real-time.
"During development, engage with the security team to perform regular tests of affected code and functionality," says Sremack. If the enterprise is updating a current website, use the security team to test and ensure added capabilities have not added vulnerabilities. Teams inside development should also run scans and tests to isolate vulnerabilities and fix them.
"Rather than design around security, test using the same tools such as Grabber, W3AF, and Zed Attack Proxy that attackers use to break into your website," says Sremack. Anyone, even with little knowledge of security or security tools, can use these applications and gain insights into website vulnerabilities from the outcomes of the tests, though the enterprise will need to dedicate staff to this over time.
"Developers should specifically look at how they create and maintain web sessions, specifically checking any inputs that the sessions pass through the website, whether through URLs or input fields," says Sremack, "then monitor any third-party code for vulnerabilities and watch for exploit announcements from the vendor."
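Sremack's point about checking the inputs a session passes through the site, as an added example that is not the article's own: a small server-side session store that treats the identifier it receives from a cookie or URL as untrusted until it matches the exact format the server issues, expires idle sessions, and rotates the identifier when the user logs in. The class and constant names are this example's own.

```python
"""Session identifier validation and rotation (added example)."""
import re
import secrets
import time

# secrets.token_urlsafe(32) yields 43 URL-safe base64 characters; anything
# else arriving in the session cookie or URL is rejected before lookup.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
TTL_SECONDS = 15 * 60  # assumed idle timeout for the demo


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # sid -> {"user": str | None, "expires": float}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Issue an anonymous session and return its identifier."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self._now() + TTL_SECONDS}
        return sid

    def lookup(self, raw_sid):
        """Resolve an identifier taken from a request. Returns the session
        record, or None if the value is malformed, unknown or expired."""
        if not isinstance(raw_sid, str) or not SESSION_ID_RE.match(raw_sid):
            return None
        sess = self._sessions.get(raw_sid)
        if sess is None:
            return None
        if sess["expires"] <= self._now():
            del self._sessions[raw_sid]   # drop stale entries on contact
            return None
        return sess

    def login(self, raw_sid: str, user: str):
        """Bind a user to the session and rotate its identifier, so an id
        chosen or observed before authentication is never valid afterwards.
        Returns the new identifier, or None if the old one was not valid."""
        if self.lookup(raw_sid) is None:
            return None
        del self._sessions[raw_sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "expires": self._now() + TTL_SECONDS}
        return new_sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print("anonymous:", store.lookup(sid))
    print("malformed rejected:", store.lookup("not-a-valid-id") is None)
    new_sid = store.login(sid, "alice")
    print("old id dead after login:", store.lookup(sid) is None)
    print("new session:", store.lookup(new_sid))
```

Rejecting on format before the store lookup keeps arbitrary strings from the URL or a form field away from the backing store entirely, which matters more once the store is a database or cache rather than a dictionary.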
The larger the site, the greater its functionality and visibility, and the more it relies on third-party software, the costlier the process of reducing its inherent vulnerabilities becomes.
The enterprise must monitor and update the site several times a day to keep up with every new attack that cyber mercenaries will level against them using every new vulnerability they find, says Sremack. This process has to include change management, testing, and proper implementation as well as a new specialized security team and a designated testing site.
The more feature-rich the site, the more it must be worth to the company to justify the cost of securing it. "But there are a lot of open source freeware tools that any programmer can run that will help the developers to stay on top of new vulnerabilities and threats, even for homegrown code," says Sremack. So all is not lost.