Currently, hacker attacks have become a serious network problem. Many hackers can even break through SSL encryption and various firewalls to attack websites and steal information. Hackers can use their browsers and several techniques to obtain customers' credit card information and other confidential information from websites.
As firewall and Patch Management has gradually become more standardized, various network facilities should be more complete than ever before. Unfortunately, hackers have begun to face Web websites at the application layer. Market research firm Gartner analysts pointed out that currently 70% of hackers' attacks occur in applications. To enhance the security of Web websites, we must first clarify five misunderstandings.
1. "The Web site uses SSL encryption, so it is safe"
SSL encryption alone cannot guarantee website security. When SSL encryption is enabled for a website, it indicates that the information sent and received by the website is encrypted, but SSL cannot guarantee the security of the information stored on the website. Many websites use 128-bit SSL encryption, but they are still cracked by hackers. In addition, SSL cannot protect the privacy of website visitors. These private information is directly stored on the website server, which is not protected by SSL.
2. "websites use firewalls, so they are safe"
The firewall has an access filtering mechanism, but it still cannot cope with many malicious behaviors. Many online stores, auction websites, and BBS have installed firewalls, but they are still weak. By setting a "visitor list", the firewall can exclude malicious access and only allow malicious visitors. However, how to identify malicious access and malicious access is a problem. Once access is permitted, subsequent security issues will not be met by the firewall.
Iii. "The vulnerability scan tool has not found any problems, so it is safe"
Since the beginning of the 1990 s, vulnerability scanning tools have been widely used to find some obvious network security vulnerabilities. However, this tool cannot detect website applications and cannot find vulnerabilities in programs.
The vulnerability scan tool generates some special access requests and sends them to the Web site for analysis after obtaining the website response information. The tool compares the response information with some vulnerabilities and reports a security vulnerability once any suspicious vulnerability is found. Currently, new versions of vulnerability scanning tools generally detect more than 90% of common security problems on websites, but such tools also have a lot to do with website applications.
4. "the security problem of website applications is caused by programmers"
Programmers do cause some problems, but some problems are beyond the control of programmers.
For example, the source code of an application may be initially obtained from other places, which is beyond the control of internal program developers. Alternatively, the company may ask some offshore developers for customized development and integration with the original program, which may also cause problems. Alternatively, some programmers may use some free code for modification, which also hides security issues. For another extreme example, two programmers may develop a program project together. The code they develop is normal and secure, but the security vulnerabilities may occur when they are integrated.
In reality, software always has vulnerabilities, which happen every day. Security Vulnerabilities are only one of the many vulnerabilities. Enhancing employee training can indeed improve the code quality to a certain extent. However, it should be noted that anyone will make mistakes and the vulnerability is inevitable. Some vulnerabilities may be discovered after many years.
5. "We conduct annual security assessment on Web websites, so they are safe"
Generally, the code of website applications changes rapidly. It is necessary to perform an annual security evaluation on the Web site, but the evaluation may be very different from the current situation. Any changes to the website application may cause security problems.
Websites like to upgrade their applications on holidays. Christmas is a typical peak season. Websites often add many new features, but ignore security considerations. If the website does not add new features, this will have an impact on business performance. Professional security personnel should be assigned to the website at all stages of program development.