Five Misconceptions About Web Site Security

Source: Internet
Author: User
Hacker attacks have become a very serious network problem. Many hackers can even break through SSL encryption and various firewalls, get into the interior of a Web site, and steal information. With nothing more than a browser and a few tricks, a hacker can obtain customer credit card information and other confidential data from a Web site.

As firewalls and patch management have gradually become standardized, network infrastructure of all kinds should be more secure than ever before. Unfortunately, hackers have adapted and started to hit Web sites directly at the application level. To improve the security of your Web site, you first need to clear up five misconceptions.

  First, "The Web site uses SSL encryption, so it is safe"

SSL encryption alone does not secure the site. When SSL is enabled on a Web site, the information the site sends and receives is encrypted, but SSL does not guarantee the security of the information stored on the site. Many sites use 128-bit SSL encryption and are still hacked. In addition, SSL does not protect the privacy of site visitors: their private information sits directly on the Web server, which SSL does not protect.

  Second, "The Web site uses a firewall, so it is safe"

Firewalls have access filtering mechanisms, but there are still many malicious acts they cannot handle. Many online stores, auction sites and BBS sites have firewalls installed and are still vulnerable. A firewall can exclude malicious access by setting up a "guest list" that lets only well-meaning visitors in. The problem is how to tell good access from malicious access. Once access has been allowed, the security issues that follow are not something a firewall can handle.

  Third, "The vulnerability scanning tool did not find any problems, so it is safe"

Since the beginning of the 1990s, vulnerability scanning tools have been widely used to look for obvious network security vulnerabilities. However, such a tool does not examine the Web site's application and cannot find vulnerabilities in the program.

A vulnerability scanning tool generates special requests, sends them to the Web site, and analyzes the responses it gets back. It compares each response against a set of known vulnerabilities and reports a security problem whenever it finds a suspicious match. Current versions of these tools can generally find more than 90% of a site's common security problems, but there is still a great deal they cannot do when it comes to the Web site's application.
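The matching step described above, as an added sketch that is not part of the original article: constructed signatures are compared against constructed responses, and the response that hands one customer another customer's order comes back clean because no generic signature describes that application-specific flaw. All signature names, paths and response contents here are made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed signature set: each pattern describes a generic symptom
# that looks the same on any site, whatever application it runs.
SIGNATURES = {
    "directory-listing": re.compile(r"<title>Index of /", re.I),
    "verbose-sql-error": re.compile(r"SQL syntax.*near", re.I | re.S),
    "server-version-banner": re.compile(r"^server:\s*\S+/\d", re.I | re.M),
}

@dataclass
class Response:
    probe: str    # the request the scanner sent
    headers: str  # response headers as text
    body: str     # response body as text

def match_signatures(resp: Response) -> list[str]:
    """Return the names of all signatures found in one response."""
    text = resp.headers + "\n\n" + resp.body
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(responses: list[Response]) -> dict[str, list[str]]:
    """Map each probe to the findings reported for its response."""
    return {r.probe: match_signatures(r) for r in responses}

# Constructed responses (no network traffic is involved).
SAMPLE_RESPONSES = [
    Response("GET /backup/",
             "Server: ExampleHTTPd/2.1",
             "<html><title>Index of /backup</title></html>"),
    Response("GET /item?id=abc",
             "Server: front",
             "You have an error in your SQL syntax near 'abc' at line 1"),
    # Application flaw: the session belongs to customer 1001, yet the
    # site returns customer 1002's order. Nothing in the text looks odd.
    Response("GET /orders/1002 (session of customer 1001)",
             "Server: front",
             '{"order": 1002, "customer": 1002, "status": "shipped"}'),
]

if __name__ == "__main__":
    for probe, findings in scan(SAMPLE_RESPONSES).items():
        print(f"{probe}: {findings or 'no findings'}")
```
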

  Fourth, "Web application security problems are caused by the programmers"

Programmers do cause problems, but some problems are beyond the control of programmers.

For example, the source code for an application may originally have been obtained elsewhere, which puts it beyond the control of the company's in-house developers. Alternatively, the company may ask offshore developers to do some custom development and integrate it with the original program, which may also cause problems. Or some programmers will take free code and modify it, which also hides security issues. To give an extreme example, two programmers may work together on a project: the code each of them develops separately is fine and secure, but integrating it can open a security hole.

Realistically, software always has flaws, and new ones turn up every day. Security vulnerabilities are just one kind of flaw among many. Strengthening employee training can indeed improve the quality of the code to some extent. But be aware that anyone can make a mistake and that vulnerabilities are unavoidable. Some vulnerabilities may go undiscovered for many years.

  Fifth, "We have a security assessment of the Web site every year, so it is safe"

Generally speaking, the code of a Web site's application changes very quickly. An annual security assessment of a Web site is necessary, but what was assessed may differ significantly from the site as it currently stands. Any change to the Web application presents a security risk.

Web sites like to upgrade their applications for the holidays; Christmas is a typical peak season. They tend to add a lot of new functionality but ignore security considerations. If the site does not add new features, business performance will suffer. The Web site should therefore involve professional security personnel at every stage of program development.
