Is Your Site Being Hacked Without Your Knowledge?
by Yuval Ben-Itzhak - Friday, 10 October 2003.
When Web sites comprised nothing more than a collection of HTML pages and fancy clipart, a Web server on the receiving end of a hacker's attention merely deprived customers from looking at your electronic glossy brochures for a couple of hours. But as sites have become online versions of the traditional call centre, taking enquiries and processing orders and delivering quotes, a crash or hack which puts the site out of business for just a few minutes will cost you real money and impact your revenue. And lots of it. The hardest part is knowing that you've been attacked, and thus realising that you need to take action. Checking your Web pages, transaction database and security logs regularly, can not even ensure your continuing immunity.

Consider the current darling of the Web development scene, namely Content Management Systems. A CMS product allows anyone in your organisation to update your Web site using some simple HTML forms and a password, and they can do it from anywhere via the Web. No need to have access to FTP as there are no files to upload. Need to add a story to the front of your site? Just enter a password and type away. But what if a hacker were to do this? A malicious, untrue news release posted on your site for just an hour, and which found its way onto the internet rumour mill, could halve a company's share price. And the harder you work to publicise your denial of the story, the more people get alerted to the fact that you've been hacked. So the hacker wins twice.

As a Web developer, keeping on top of hacker techniques is critical. And as you might expect, the Web itself is the key to doing so. One excellent site is, home of the Open Web Application Security Project. This freely accessible site contains a wealth of information to help developers stay on top of the most important techniques for ensuring hacker-proof e-commerce sites. OWASP is a community project, staffed by developers from across the world who have agreed to share their experience and expertise in order to identify common threats and advise on how to prevent them. There are separate areas dealing with Javascript, PHP, SQL, ASP, and all the common development languages.

Although the OWASP lists are comprehensive, ensuring that your code never falls foul of any weakness on the lists is a difficult and time-consuming task. One option is to use automated tools such as Web application scanners to assist the process. Web application scanners can be use during development, QA or even in production. This saves time and money, and allows you to scan continually rather than just every day or once a week.

It's also essential to revise your security policy according to what the scan discovers. Exchanging vulnerabilities and positive attributes between the scanner and an application firewall can make sure that your Web application is secure.

However you manage your security, there's a handful of key points that you can employ to ensure that your Web application isn't leaking money:

1. Use a Web application scanner to discover vulnerabilities and develop a security policy for each application based on its unique positive attributes.

2. When planning the security of a server, use a positive security model rather than a negative one. By default, turn off all access and then enable facilities on an as-needed basis. Although starting with everything turned on, and then looking for paths that can be closed off, is always more convenient, it's also a huge security risk.

3. Install a Web application firewall to ensure that all the security policies are enforced, just like you use a Network firewall to secure your network.

4. Be prepared to act on what you discover during your scans, by revising your business methods or your security policy.

5. Consider using an automated tool to check your server code against the OWASP Top Ten Web Application Vulnerabilities list.

6. Install all server OS security patches.

Yuval Ben-Itzhak is Co-Founder & CTO of KaVaDo Inc. -


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th