
Best Practices for Website Vulnerability Management


Organizations are encouraged to do the following:

1. Find and prioritize all website properties by designating their importance to the business and the party responsible for their security. You can’t secure what you don’t know you own.

Many organizations with more than a handful of websites tend not to know precisely what or where they are, what they do, or who’s responsible for them. The next step is asset valuation, because not all websites are created equal. Some websites host highly sensitive information; others only contain marketing “brochure-ware”. Some websites transact millions of dollars each day; others make no money, or maybe a little with Google AdSense. The point is that security resources (time, money, people) are limited, so it’s essential to prioritize and focus on the areas that offer the best risk-reducing ROI.

2. Find and fix website vulnerabilities before the bad guys exploit them by assessing them for weaknesses with each code change.

Custom Web application code changes, and changes often. Each new line of code has the potential of introducing new vulnerabilities into a website. And, even if a website doesn’t change, that doesn’t mean the Web application security industry hasn’t. That’s why we believe it’s best to assess websites on a weekly basis to have a continuous level of protection from hackers.

3. Remediate vulnerabilities in a timely manner based on severity, threat and score.

Just like websites, not all vulnerabilities are created equal either. For example, it might be better to first resolve a medium severity vulnerability on a mission critical website rather than a high severity vulnerability on a website of marginal value to the business. But without knowledge of business risk, website valuation and vulnerability severity, effective decision-making is impaired. At WhiteHat, we provide our customers with customizable metrics to rate the business criticality of their web assets.
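The prioritization argument above, worked through as an added example (not WhiteHat’s own metric or code): each finding is scored by combining an assumed severity weight with an assumed 1–5 asset criticality rating, and a known-exploited flag doubles the score, so a medium on a mission-critical site can outrank a high on a marginal one.

```python
from dataclasses import dataclass

# Assumed severity weights; real programs tune these to their own scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    site: str
    vuln_class: str
    severity: str
    asset_criticality: int       # assumed scale: 1 (marginal) .. 5 (mission critical)
    exploited_in_wild: bool = False  # the "threat" factor in the page's severity/threat/score triple


def risk_score(f: Finding) -> int:
    """Severity x asset criticality, doubled when the class is being actively exploited."""
    sev = f.severity.lower()
    if sev not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity {f.severity!r}")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"asset_criticality must be 1..5, got {f.asset_criticality}")
    base = SEVERITY_WEIGHT[sev] * f.asset_criticality
    return base * 2 if f.exploited_in_wild else base


def prioritize(findings):
    """Return findings ordered by descending risk score; ties sort by site and vuln class."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.site, f.vuln_class))


# Constructed sample queue: a medium on the payments site versus a high on a brochure site.
SAMPLE_QUEUE = [
    Finding("brochure.example", "Reflected XSS", "high", asset_criticality=1),
    Finding("payments.example", "Session fixation", "medium", asset_criticality=5),
    Finding("blog.example", "Information leakage", "low", asset_criticality=2, exploited_in_wild=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_QUEUE):
        print(f"{risk_score(f):>3}  {f.site:<20} {f.severity:<8} {f.vuln_class}")
```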

4. Implement a secure software development process utilizing an organizational standard development framework.

No amount of “bolt-on” security can compensate for severely flawed code. Organizations should be integrating security components through each stage of the software development life-cycle. Those who do and utilize enforced coding standards throughout the enterprise see a significant improvement over time when it comes to the security of their website(s).

5. Utilize a defense-in-depth website vulnerability management strategy.

Defense-in-depth means multiple layers of security protecting the crown jewels. The idea is that should any layer fail, which inevitably happens, you’re still protected. In network security there are firewalls, vulnerability assessment, IDS/IPS, patch and configuration management, training, encryption, anti-virus, etc., each mitigating some risk. As good as they are, we know these traditional solutions are not perfect and don’t help much in website security.

Security inside the SDLC does eliminate flawed code, but not all of it. Vulnerability assessments identify vulnerabilities, and miss some. WAFs and IDSs spot and block attacks; some will pass through. We can train ourselves to be experts in some things, but not everything. Patching and configuration protect from the known, not the unknown. Encryption protects data from prying eyes, but not all the time. Maximize the strength of the available solutions and mitigate their weaknesses to protect the organizational assets.


No company can be expected to write flawless code, or have staff available around-the-clock to address all its Web application vulnerability issues. Following these best practices enables organizations to conduct online business with confidence.

With 9 out of 10 websites vulnerable to attack, the first step toward stemming the onslaught of attacks is with a thorough understanding of the nature of the problem. To make informed security decisions, enterprises require information about the vulnerabilities that exist, their impact, and how to prevent them from occurring.
