
Whether you have your own personal web site or you're a developer guru, web security is an important issue that can't be overlooked.
Issues about security and availability range from those that are out of your control to simple precautionary measures that can be designed into your site.
According to the annual X-Force report published by ISS, critical security holes jumped 28 per cent in 2007, and network security analysts forecast that the web and other Internet services are increasingly the target of hackers, spammers, scammers and criminals.
In this article I'll delve into some of the issues concerning web security, including hosting, DoS attacks, webjacking, forum abuse, database security and online transactions.
Some of the primary security issues concern the actual hosting of your site. Assuming you don't work for a large organisation with its own cluster of web servers, responsibility for physical security and systems configuration lies with your hosting company. This means that servers, firewalls, operating systems, backup facilities and software updates will be out of your control.
As vulnerabilities are discovered you'll want the servers to be updated with the required fixes. Most hackers are opportunists and will exploit the more insecure systems unless they are after a specific target. Your choice of hosting company is therefore very important. I'm always asking people about the hosting companies they use and I rarely find anyone who would wholeheartedly recommend any in particular.
What you should be looking for in a host is an interesting topic for another day; however, some important questions you need to ask are: What servers do they have, and how many of each type? How many web sites do they put on each server? How much traffic can each server handle? How often do they perform back-ups? Do you get your own IP address?
In general no two sites are the same, but unless you have a very popular site, shared hosting is common practice, with multiple customer sites hosted on one machine. This can raise security issues. What other sites are on "your" server? Are they from a bad neighbourhood? Will they attract unwanted attention to your hosting company? Are they secure?
Let's look at the issue of attracting attention. The DoS (denial of service) attack has traditionally been one of the simplest forms of disruption to a web site, because it doesn't require administrative access to the web server yet produces the same result as shutting the server down. Basically, DoS attacks flood the web server with requests so that legitimate traffic can't get through.
Statistically speaking, the more web sites that are hosted on one server, the higher the chance that a DoS attack aimed at one of them will affect your site too. Usually DoS attacks are targeted at high-profile organisations, banks, political groups etc., but because it's so easy to launch such an attack they have become very common on the Internet.
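Flooding shows up in the web server's access log long before anyone phones the hosting company, so a simple per-client request counter is a practical first check. The script below is an added example (not part of the original article) that parses Apache/nginx combined-format log lines and reports any client address whose request count inside a sliding window exceeds a threshold; the log lines, addresses and thresholds are constructed for the demonstration and are not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the start of an Apache/nginx "combined" access-log line; only the
# client address and the timestamp are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooders(lines, window_seconds=10, threshold=20):
    """Sliding-window request counter per client address.

    Returns {ip: peak_requests_in_window} for every address whose request
    count within any window_seconds interval exceeded threshold.
    Assumes the lines arrive in chronological order, as a live log does.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen so far
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip unparseable lines rather than crashing
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


# Constructed sample log (not real traffic): 203.0.113.9 sends 30 requests in
# five seconds, while 192.0.2.10 browses normally with one request every 5 s.
def _log_line(ip, second, path):
    return f'{ip} - - [10/Mar/2008:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_log_line("203.0.113.9", s // 6, "/index.html") for s in range(30)]
    + [_log_line("192.0.2.10", 5 * s, "/forum/") for s in range(4)]
)

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests inside a 10 s window")
```

The thresholds are deliberately low so the constructed sample trips them; on a real site they would be tuned against normal peak traffic, and a distributed attack spread across many addresses would need the count taken per URL or per server rather than per client.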
The location of your hosting company is another consideration. Countries have different privacy laws and definitions of what they consider to be illegal content. Remember, your hosting company has access to all your data. Are they collecting information from your database to re-sell to marketing firms? Have you inadvertently picked a cheap overseas host that is also the home to an illegal download site or a porn industry for those with foreign tastes?
Webjacking is another security concern, and one that doesn't just happen to the big players. James Hein, a popular IT journalist, recently had his web site hijacked and redirected to a competitor's site. Read about his experience here.
There are a number of ways this can happen, from fraudulently changing domain name registration details to web server hacks that redirect or completely change your data. For those of us who don't have our own servers, we have to rely on the hosting service to secure their systems. As James Hein reports, "you should check your web site frequently to make sure it's still yours".
So far I've just looked at issues that affect your hosting company, but what about security that you do have some control over? Something that happened to me recently on a site I look after was forum abuse. I'm not talking about bad language and name calling - in this incident someone had decided that they would post unrelated spam with links to their sites. Not just once, mind, but 297 posts with four or five links in each. They had built a link farm out of my site! Obviously this was a cheap SEO trick to get Google page rank, but it also obliterated any meaningful posts on the forum with spam. I had to tighten up the forum controls, remove the ability to put links into posts and monitor the sign-up activity for a few days. The lesson here is, if you're going to have a forum you need to monitor it. Just like Mr Hein said, check your web site frequently and make sure it's still yours.
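The two controls described above, limiting links in posts and switching links off entirely, can be enforced before a post is stored. The following is an added example, not code from the original article or from any forum package: it counts the links a forum engine would render (bare URLs and BBCode `[url]` tags), holds posts that exceed a per-post limit for review, rejects any link when links are disabled, and can strip links from existing posts. The sample posts and the `example` domains are constructed for the demonstration.

```python
import re

# Bare URLs (http://, https:// or www.) in post text; square brackets are
# excluded so a BBCode tag wrapped around a URL is not swallowed into it.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\'\[\]]+', re.IGNORECASE)
# Opening [url] or [url=...] BBCode tags, which most forum engines turn into links.
BBCODE_OPEN_RE = re.compile(r'\[url(?:=[^\]]*)?\]', re.IGNORECASE)
# Any [url...] or [/url] tag, for stripping.
BBCODE_ANY_RE = re.compile(r'\[/?url[^\]]*\]', re.IGNORECASE)


def count_links(text):
    """Number of outbound links a forum engine would render for this post."""
    urls = URL_RE.findall(text)
    # A [url]example.com[/url] tag with no scheme escapes URL_RE, so count such tags too.
    tags = BBCODE_OPEN_RE.findall(text)
    return len(urls) + sum(1 for t in tags if not URL_RE.search(t))


def moderate_post(text, max_links=2, allow_links=True):
    """Return (decision, reason): 'accept', 'hold' for manual review, or 'reject'."""
    n = count_links(text)
    if not allow_links and n:
        return "reject", "links are disabled on this forum"
    if n > max_links:
        return "hold", f"{n} links exceeds the limit of {max_links}"
    return "accept", "ok"


def strip_links(text):
    """Neutralise a post: drop BBCode url tags and replace bare URLs with a marker."""
    text = BBCODE_ANY_RE.sub("", text)
    return URL_RE.sub("[link removed]", text)


# Constructed sample posts (not taken from any real forum).
SPAM_POST = ("Great prices here http://spam.example/a http://spam.example/b "
             "www.spam.example/c http://spam.example/d http://spam.example/e")
LEGIT_POST = "Does anyone know how to restrict the forum to registered users only?"

if __name__ == "__main__":
    for post in (SPAM_POST, LEGIT_POST):
        print(moderate_post(post), "->", strip_links(post))
```

Holding rather than silently rejecting over-limit posts keeps a record of the accounts doing it, which is exactly the sign-up activity worth watching for a few days after an incident like the one above.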
As soon as you give users interactivity you are opening up a potential weak spot. Does your fancy code uncover the secrets of your database? Are there usernames and passwords hidden in plain sight in your JavaScript? How does your web site interact with the stored data?
SQL injection is a technique that exploits web applications which build SQL queries from client-supplied data: harmful characters sent from the client computer become part of the query text and modify the statement the database actually runs. This can be prevented by good design. Here is a link to a step by step guide to securing MySQL.
The main idea (once the server and installation are secure) is to let PHP scripts use only database accounts whose access is limited to the tables they need, rather than a MySQL account with full privileges.
A recent report showed that there are still an astonishing number of production systems connected to the Internet that are vulnerable to these types of SQL injection attack.
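The "good design" that prevents the problem is to never paste client data into the SQL text at all. The following is an added example, not from the original article: Python with an in-memory sqlite database stands in for the PHP-and-MySQL setup the article has in mind, and the same fix applies there through prepared statements (mysqli or PDO). The user table and its contents are constructed for the demonstration. The unsafe lookup shows two failures of the same root cause: an ordinary name containing a quote breaks the query, and a crafted value changes what the query matches; the parameterised lookup treats both as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's user table (sqlite here, MySQL on a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<hash-a>"), ("bob", "<hash-b>")])
    return conn


def lookup_unsafe(conn, username):
    """VULNERABLE: the client-supplied value is pasted into the SQL text.

    Returns the matching usernames, or None when the input broke the query.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None   # a quote in the input turned the statement into a syntax error


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text,
    so whatever characters it contains, it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, ordinary input:   ", lookup_unsafe(db, "alice"))
    print("unsafe, name with a quote:", lookup_unsafe(db, "O'Brien"))
    print("unsafe, crafted input:    ", lookup_unsafe(db, "x' OR '1'='1"))
    print("safe, crafted input:      ", lookup_safe(db, "x' OR '1'='1"))
```

Parameterised queries fix the application side; the limited-privilege database account described above is the second layer, so that a query which does slip through can only touch the tables that script was ever meant to read.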
The last topic I'm going to touch on is online transactions. Whether you are using out-of-the-box stores such as osCommerce or you are creating your own web applications, the same principles apply. There are two basic types of security: the first is the security of data sent over the Internet, and the second is the security of the information stored on the servers.
SSL (Secure Sockets Layer) encryption is the standard for protecting transaction details as they pass between the customer's web browser and your server. You will need to buy an SSL certificate from a registered certificate issuer so that you can include SSL as part of your site. But remember, SSL does not protect your server from attacks. For that you will need to deploy your web application in the most secure way possible. You will find that most good applications contain a security checklist, or if you are creating your own applications you should follow standard security practices. After you have configured your server applications, it's back to your hosting company; the ball is in their court. Anti-virus, firewall, email scanning, intrusion detection systems, automated software updates, RAID backups - let's hope they have them all!
Web Security by tobyonline