Secure website development – How secure is my website?

5th August 2011

Internet security and secure website development may not be the best dinner party conversation starter. But a hacked or broken website resulting in compromised user experience or corrupt data is just not good news. Ever.

We’ve all seen the headlines and the apparent ease with which even UK-based hackers and teenagers have been able to access well-known websites that you’d have considered to be constructed and hosted beyond harm.

Secure website development is key to our ongoing service provision as no client wants to have to deal with unscheduled malicious damage, intrusion, breakdowns or unscheduled maintenance. As a result Design Inc are pleased to announce the achievement of 100% uptime over the last year for all our clients’ websites featuring great design and secure code which are hosted on our own secure servers.

As further testament to the robust build of our secure website development programming, Design Inc were selected by UK-based MWR Info Security (internet data security specialists) to create and build their 2nd generation website, including marketing and information interfaces with secure remote client log-ins and ‘Labs’ areas. This project required an ‘ahead of current best practice’ approach and implementation.

Our servers are regularly backed up – and in the unlikely situation of disaster recovery being required your digital asset would be restored quickly.

The following security features are some of the key areas addressed by our programming team as standard within our secure website development software:

 

SQL injection protection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (for example, in queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is thereby unexpectedly executed. It arises from the use of poorly designed query language interpreters.
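The two failure modes described above (unfiltered string literal characters and input that is not strongly typed), shown next to their fixes. This is an added example, not Design Inc's code; the table, column and function names are assumptions and the rows are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db

def find_user_unsafe(db, name):
    # Vulnerable 'before' form: the input is pasted into the statement, so a
    # quote character in `name` ends the string literal and the remainder is
    # parsed as SQL by the database.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_safe(db, name):
    # Bound parameter: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def get_user_by_id(db, raw_id):
    # Strong typing: accept only a short run of ASCII digits, convert it to an
    # int, then still bind it as a parameter.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a decimal integer")
    return db.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"            # constructed hostile input
    print(find_user_unsafe(db, hostile))  # every row comes back
    print(find_user_safe(db, hostile))    # no row matches the literal string
```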

 

Session / Cookie hijacking protection

Session hijacking is the exploitation of a valid computer session – sometimes also called a session key – to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer.

 

File upload abuse protection

Uploaded files are checked for names that could be used in an attack. Some hackers will attempt to inject pathnames into file names to overwrite or inject their files into the server.
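One way to implement the file name check described above, as an added example rather than Design Inc's code. The upload directory, the allowed extensions and the function name are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

ALLOWED_EXT = {".png", ".jpg", ".pdf"}   # assumed policy, not from the page
# One path component only: must start with a letter or digit, so there are no
# separators, no "..", no leading dot and no control characters.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

def safe_upload_path(client_name, upload_dir):
    """Return the path to store an upload at, or raise ValueError."""
    if not NAME_RE.fullmatch(client_name):
        raise ValueError("file name contains characters that are not allowed")
    if os.path.splitext(client_name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type is not allowed")
    root = Path(upload_dir).resolve()
    target = (root / client_name).resolve()
    # Defence in depth: if the name is an existing symlink pointing elsewhere,
    # resolve() follows it and this containment check rejects the upload.
    if root not in target.parents:
        raise ValueError("resolved path leaves the upload directory")
    return target

if __name__ == "__main__":
    demo_dir = tempfile.mkdtemp()        # stands in for the real upload directory
    # Constructed sample names: one ordinary, the rest carrying path parts.
    for name in ["report.pdf", "../../index.png", "..\\..\\logo.jpg", ".htaccess"]:
        try:
            print(name, "->", safe_upload_path(name, demo_dir))
        except ValueError as err:
            print(name, "-> rejected:", err)
```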

 

URL Encoding abuse protection

URLs are protected against UTF-8 encoding attacks.

E-mail injection protection

E-mail injection is a security vulnerability that can occur in Internet applications that are used to send e-mail messages. It is the e-mail equivalent of HTTP Header Injection. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another.

When a form is added to a web page that submits data to a web application, a malicious user may exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body. Because the MIME format uses a carriage return to delimit the information in a message, and only the raw message determines its eventual destination, adding carriage returns to submitted form data could allow a simple guestbook to be used to send thousands of messages at once. A malicious spammer could use this tactic to send large numbers of messages anonymously.
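A contact form handler that refuses carriage returns and line feeds in any value destined for a message header, as an added example rather than Design Inc's code. The addresses, field names and function name are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

SITE_FROM = "Website form <forms@example.test>"   # assumed fixed sender
SITE_TO = "enquiries@example.test"                # assumed fixed recipient
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}")

def _header_safe(label, value, limit):
    # CR and LF delimit headers, so neither (nor any other control character)
    # may appear in a value that ends up in one.
    if len(value) > limit or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError(f"{label}: control characters or oversized value")
    return value

def build_contact_email(name, email, subject, body):
    name = _header_safe("name", name, 100)
    subject = _header_safe("subject", subject, 200)
    email = _header_safe("email", email, 320)
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email: not a plausible address")
    msg = EmailMessage()
    # Recipients are fixed by the server; the visitor only supplies Reply-To,
    # the subject and the body.
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Reply-To"] = formataddr((name, email))
    msg["Subject"] = subject
    # The body may contain newlines: it is placed after the header block.
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    print(build_contact_email("Ann", "ann@example.test", "Hello", "Line 1\nLine 2"))
    try:
        # Constructed hostile subject carrying an extra header line.
        build_contact_email("Ann", "ann@example.test",
                            "Hello\r\nBcc: list@example.test", "hi")
    except ValueError as err:
        print("rejected:", err)
```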

User input validation

Never trust the input given to you by a user. All user inputs are run through a myriad of checks to ensure they are not attempting to abuse our software. This includes, but is not limited to:

Checking for out of bounds or oversized inputs. Ensuring each input has the maximum size we expect for it; for example, a telephone number will never be longer than 25 characters.

Stripping out non-ASCII binary characters and ensuring SQL sensitive characters (e.g. ‘) are properly escaped.

Form Keys. Adding a random key to a form will ensure it is harder for an attacker to brute force or automate the attacking of a form.

Type validation. Make sure that the input type is what you expect. For example if you only expect integers, but get a string, something is wrong.
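The four checks listed above combined in one form handler, as an added example rather than Design Inc's code. The form key here is an HMAC-signed random value bound to the session, which is one possible construction; the field names, the secret, the 15-minute lifetime and every size limit except the 25-character telephone limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret
MAX_LEN = {"name": 100, "telephone": 25, "quantity": 4}  # 25 is the page's figure

def _mac(session_id, ts, nonce):
    msg = f"{session_id}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_form_key(session_id, now=None):
    """Random, session-bound key to embed in the form as a hidden field."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    return f"{ts}.{nonce}.{_mac(session_id, ts, nonce)}"

def check_form_key(session_id, key, max_age=900, now=None):
    parts = key.split(".")
    if len(parts) != 3:
        return False
    ts, nonce, mac = parts
    # Constant-time comparison; ts is only parsed once the MAC has verified.
    if not hmac.compare_digest(mac.encode(), _mac(session_id, ts, nonce).encode()):
        return False
    age = int(time.time() if now is None else now) - int(ts)
    return 0 <= age <= max_age

def validate_form(session_id, form, now=None):
    """Return cleaned values or raise ValueError naming the failed check."""
    if not check_form_key(session_id, form.get("form_key", ""), now=now):
        raise ValueError("bad or expired form key")
    clean = {}
    for field, limit in MAX_LEN.items():
        value = form.get(field, "")
        if not isinstance(value, str) or len(value) > limit:
            raise ValueError(f"{field}: wrong type or oversized")
        # Strip non-ASCII and control (binary) characters.
        clean[field] = "".join(c for c in value if 32 <= ord(c) < 127).strip()
    # Type validation: quantity must be an integer, not just any string.
    if not clean["quantity"].isdigit():
        raise ValueError("quantity: expected an integer")
    clean["quantity"] = int(clean["quantity"])
    return clean
```

SQL-sensitive characters are deliberately not escaped here; that is handled at the database layer with bound parameters.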

Keeping your server up to date

You can write the most secure website code, but if you don’t keep your underlying systems fully updated and security patched, people can bypass all the effort you put into securing your software and hack the machine running your website.

Limit access to your server

Present a small footprint to any would-be attacker. This means limiting the services your server runs to just the ones that are required. Also, if some services are required by administrators but not by general users, lock them down with a firewall (e.g. if you require SSH on your server, limit it to your IP addresses in your firewall).

Hide Passwords

Website development software will require a password to access its database. This is normally stored in plain text in your scripts. We store this password in Apache’s vhost configuration. The result is that if a website gets hacked, only its own database password is compromised, not the passwords of the other websites on your server.

CMS Publishing

It is possible to run your CMS in-house, away from the internet, and have the CMS publish any changes to your website as flat or semi-flat (db-less) files. This greatly reduces the surface area for an attacker.

For further information about secure website development please contact Frank Norman on 01784 410380

Design Inc UK is a West London-based agency with a lot of experience in secure website development.
