Channel: Cisco Networking, VPN Security, Routing, Catalyst-Nexus Switching, Virtualization Hyper-V, Network Monitoring, Windows Server, CallManager, Free Cisco Lab, Linux Tutorials, Protocol Analysis, CCNA, CCNP, CCIE.

7 Security Tips to Protect Your Websites & Web Server From Hackers


Recent and continuous website security breaches at large organizations, federal government agencies, banks and thousands of companies worldwide have once again confirmed the importance of website and web application security in preventing hackers from gaining access to sensitive data and in keeping corporate websites as safe as possible. Many encounter a lot of problems when it comes to web application security; it is a pretty heavy field to dig into.

There are so many facets that it is difficult to know from where to begin. Below, we have assembled a brief 7-point list that should give you a good place to begin.

1. Avoid Shared Hosting

Shared hosting and web application security are opposites. Shared hosting solutions are incredibly cheap, if not free, so they are quite common among small businesses that do not know the potential dangers of using shared hosting. For example, a new start-up company builds a website to advertise its innovative software, but a limited budget forces it to use shared hosting. The company is not aware that its website is being hosted, quite possibly insecurely, alongside dozens, if not hundreds or thousands, of other websites.

If the shared hosting provider allows dynamic content via any form of scripting, and any single one of those websites hosted on the shared provider is insecure, it is possible that the entire web server and all websites on it could be compromised. It does not matter if the dynamic content is as simple as server-side includes or as complex as a PHP website with a MySQL database backend. If it allows an attacker to gain unauthorized access, especially to the file system, defacing the website and obtaining access to sensitive data is only a matter of time.

If your website is anything more than simple static pages, you may want to look into options such as VPS hosting, or even a dedicated server if your website has a considerably large amount of traffic. This may sound like a huge leap, but these options are very inexpensive these days, and they let you tailor everything to your needs. Many even come with management systems, such as cPanel.

2. Inspect Your Code

Speaking of dynamic content, almost every website these days utilizes some form of Content Management System (CMS), be it WordPress with a specialized theme, a Joomla! or Drupal implementation with customizations, a specific downloadable and installable application such as the web forum software phpBB or vBulletin, or even a custom-coded application using a modern and pluggable Model View Controller (MVC) type framework like Ruby on Rails or Django. This is almost the exclusive failing point for nearly all web-based hacks. Less than 5% of successful web attacks are against the actual services behind the web application (such as Apache or MySQL).

Almost every time a website is compromised, it is due to insecurities in the code running the web application itself. SQL injection vulnerabilities are the most common kind of attack deployed against a website, and even though they have been around for over 14 years, things don't seem to be getting any better. This is not a fault of MySQL, PostgreSQL or any other database engine, but a failure to sanitize user input before it makes its way into a SQL query, as explained in this short history lesson of SQL Injection.

Unfortunately, there is not always an easy way to secure the code. Depending on what your web application is, there are various ways to secure it. Pre-built applications such as WordPress or vBulletin can be updated simply within their administration panels, but custom-built apps in things like Ruby on Rails will require in-depth code auditing by developers. Regardless, this is the most critical component, because if the web application itself is not secure, it presents a wide open door for intrusion that no amount of additional security can truly make up for.

3. Always Update Your Software

