When building up a Web site you should consider all layers for security.
When building a commercial Web site, security is one of the most important issues to consider. A good understanding of the layers used in the delivery of a solution, as well as knowledge of the types of threats will always help. When you look at any web development, these layers are: the foundation, the physical computers, the network, operating systems, applications, the development and underlying code.
Understanding where the weakest link is in these layers will help the business address those weaknesses. The hardware and operating systems are found at the base of these layers. The security around these are managed with patches for both firmware and software updates.
The next layer of threat is how and where you store your data. This will involves both the software and the hardware arrangements. Looking at how the data can be accessed and who or what accesses it can be important. A good practice is to ensure that your data is not accessible by the web. Make sure that it can only be accessed by a call from you application layer with a trusted internal link. These applications need to be maintained with their respective updates, fixes and patch releases. With patches and updates, implementation should always be after extensive testing and understanding of the benefits.
Another layer contains the web servers and application frameworks. Many of the modern development languages now have well-defined frameworks that provide some of the tools to building better solutions.
The final and weakest layer is the flaws that arise from badly developed business logic and known vulnerabilities. There are many sites on the web warning and advising developers of these vulnerabilities and their proposed fixes and solutions.
When engaging this area of development, you often need someone with experience in this field to help. The web provides many examples of people, consultants, companies, products and services to aid in this field. The more astute the average hacker becomes, the more we need to be mindful of this issue and seek the relevant security expert.
In a previous development project undertaken by my company, one member of the staff did not agree with my choice of development environments. They hacked a commercial web site which was using a similar environment. By doing so, they illustrated that it was their knowledge of the vulnerabilities of the underlying web services and not my choice of development environments.
This example highlights the need for securing all layers and not just the development layer of the project. Security failures happen for many reasons. They could be caused by hackers, disgruntled employees or a lack of knowledge of the environment.
There are no totally secure systems. The only way to guarantee total security is to unplug from the net. Of course, that is not practical. You simply have to be cognizant of the layers of dependencies and manage the risk.
This article has been published on to sites around the world.
