Friday, June 8, 2012

Keeping Your Customers Safe on Your Site

Is your web environment secure? All of it?
By David Maman, CTO of GreenSQL

Many people believe that if they’ve installed a network firewall, they’ve done their duty. They think that a firewall is like a strong barrier or moat protecting their information assets and that no more is needed.Wrong!

Just as in times of old, tunnels can be dug under the moat, ladders can be used to scale the wall, and secret passageways can be found into the castle.

Here are a few facts for you to consider:
1. Identity theft affects more than 11.4 million Americans annually, according to a report from Javelin Strategy & Research.
2. Many of the largest companies worldwide have been exposed to SQL injection attacks, such as Sony, Citibank, and Amazon.
3. Internet commerce is more secure than the average mall store.
4. Chances are that your home computers have already been compromised by some sort of malware, says Dasient.

The Web Environment
A web environment has four layers that need protection: The network level, the application level, the operating system level and the database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.

However, hackers can attack a Web environment at each level independently, and security issues at each level need to be addressed.At the network level, a simple network level firewall does protect the infrastructure (access to which IP addresses, using which ports, and sometime using which protocols) but provides very limited protection, if any, to stop attacks at the application and database level.

You may have heard of bank websites having their links or text or pictures changed. Website defacement and other application level attacks take place because someone, at some point in time, wrote sloppy software with security holes. Hackers specialize in using exploits, XSS attacks, SQL injection, and other techniques to attack these vulnerabilities at the code level.

One approach to prevent vulnerabilities is to have a professional code review of the software in use in the Web environment to identify and address coding security issues. Many times, legacy applications are being used, so it’s almost impossible to change anything. Of course, reviews are only as good as the reviewers, and no one should ever review their own code. It’s much too easy to overlook one’s own mistakes.An additional and important approach is to update all the applications in use and to harden your web and database servers. For example, one Oracle update release included 78(!!) security updates.Another option is to use a signature-based approach to spot and then quarantine this kind of attacks. Each application level attack has a “signature” or typical way of operating that identifies it. A comparison of web application firewalls (WAF) shows that some are more effective than others, but none is perfect.

The database level, the fourth essential layer in a web environment, needs protection from attacks directed at the database. In the end, most of today’s common attacks are aimed at retrieving sensitive information from the database via website attacks exploiting database vulnerabilities. This makes the fourth layer the most crucial one.

So, for security, check all four: Network, application, operating system and database. To make sure your information assets are protected, your best bet is to use an integrated database security solution that is non-disruptive to existing software and databases, is easy to install and use, and provides extensive management reporting and audit trails, all without degrading responsiveness to users.

You can find effective security protection at a reasonable price. Just make sure you do your homework. You need network, application, operating system and database security.

David Maman is CTO & Founder of GreenSQL, which offers a unified database security solution (

No comments:

Post a Comment