Source: High-Tech Bridge
We live in an uncertain age: trust is all important, yet online it is in short supply. According to figures from Sophos, some 30,000 websites are hacked every day to distribute malware to unsuspecting visitors. This vast figure can be attributed to the ease with which attackers can find and exploit vulnerable websites; both the Panama Papers leak and the Ashley Madison breach were attributed to insecure websites, and show that size is no defence. Gartner completes the concerning picture by pointing out that the vast majority (70%) of vulnerabilities exist at the application layer, not the network.
For companies attempting to mitigate web security threats, the choice has until now been between expensive manual penetration testing and automated software riddled with false positives: according to recent NCC research, even the best-rated vulnerability scanners return at least 50% false positives (vulnerabilities that do not exist but are erroneously reported by the scanner). The bigger risk with vulnerability scanners, however, is false negatives: real vulnerabilities that the software cannot detect because of their complexity, and which therefore never appear in any report at all. Reliable, tailor-made penetration testing is simply not practical for small and medium companies, so what can web agencies and webmasters do to keep their websites secure? We have picked three simple areas to focus on to improve security:
- Check web server security
Before looking at your web application, make sure that your web server is securely configured. A properly set up web server cannot fix an XSS bug in the application itself, but response headers such as Content-Security-Policy and X-Content-Type-Options limit what an injected script can do, and the Secure and HttpOnly cookie flags protect your visitors' sessions and privacy even when the application has a flaw. High-Tech Bridge, an experienced web security company and Red Herring Europe 2016 winner, provides a free online web server security test for this purpose. The service examines your web server configuration and its HTTP headers, and runs additional security and privacy tests such as probing your cookies.
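The checks such a test performs on headers and cookies can be reproduced offline against a captured response. The following script is an added example written for this article; it is not code from High-Tech Bridge's service, and the two HTTP responses, the list of headers it expects and the 180-day HSTS threshold are the editor's own choices, not anything the article specifies.

```python
"""Offline audit of HTTP response headers and Set-Cookie attributes.

Added example (not High-Tech Bridge's code). The responses below are
constructed for illustration; the checks mirror the usual baseline
(HSTS, CSP, nosniff, clickjacking protection, Referrer-Policy, no
version disclosure, cookie flags). Thresholds are the editor's choice.
"""
from __future__ import annotations

import io
import re
from http.client import parse_headers

# Constructed sample: response from a weakly configured server (hypothetical).
WEAK_RESPONSE = b"""HTTP/1.1 200 OK\r
Server: Apache/2.4.29 (Ubuntu)\r
X-Powered-By: PHP/7.2.24\r
Content-Type: text/html\r
Set-Cookie: PHPSESSID=abc123; Path=/\r
Set-Cookie: theme=dark; Path=/; Secure\r
\r
"""

# Constructed sample: the same server after hardening (hypothetical).
HARDENED_RESPONSE = b"""HTTP/1.1 200 OK\r
Server: Apache\r
Content-Type: text/html; charset=utf-8\r
Strict-Transport-Security: max-age=31536000; includeSubDomains\r
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r
X-Content-Type-Options: nosniff\r
Referrer-Policy: strict-origin-when-cross-origin\r
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r
Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r
\r
"""

MIN_HSTS_AGE = 15552000  # 180 days; assumed baseline, not from the article


def looks_like_session(cookie_name: str) -> bool:
    """Heuristic: cookies that carry a session or auth token need HttpOnly."""
    return re.search(r"sess|sid|token|auth", cookie_name, re.I) is not None


def audit_cookie(set_cookie: str) -> list:
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure")
    if "httponly" not in attrs and looks_like_session(name):
        findings.append(f"cookie {name} lacks HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings


def audit_response(raw: bytes) -> list:
    """Return a list of findings for a raw HTTP response (headers only)."""
    _status_line, _, rest = raw.partition(b"\r\n")
    headers = parse_headers(io.BytesIO(rest))  # case-insensitive HTTPMessage
    findings = []

    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below 180 days")

    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if (headers.get("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if headers.get("X-Frame-Options") is None and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if headers.get("Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")

    server = headers.get("Server") or ""
    if re.search(r"\d+\.\d+", server):  # a version number invites targeted exploits
        findings.append(f"Server header discloses version: {server}")
    if headers.get("X-Powered-By"):
        findings.append("X-Powered-By discloses backend technology")

    for cookie in headers.get_all("Set-Cookie") or []:
        findings.extend(audit_cookie(cookie))
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(resp) or ['no findings']}")
```

Run against a live site by replacing the constructed responses with the raw output of `curl -si https://example.test/`; the cookie heuristic deliberately only demands HttpOnly for cookies that look like session or auth tokens, since a preference cookie that JavaScript must read cannot carry that flag.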
- Configure SSL/TLS encryption
How many of your users access your website over public or otherwise insecure wireless networks? Probably at least half, according to High-Tech Bridge's figures, which is why it is essential to test how good your SSL/TLS configuration is: an obsolete protocol version or a weak cipher suite lets an attacker on the same network read or tamper with traffic that the padlock icon promises is protected. High-Tech Bridge also provides a free SSL security test that tells you whether your HTTPS configuration complies with PCI DSS requirements, NIST guidelines and various industry best practices. Once you are happy with your web traffic encryption, you can also check the TLS configuration of your email server, as the free service supports other TLS-enabled protocols, not only HTTPS.
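Before putting a server online you can catch the most common TLS misconfigurations in the configuration file itself. The script below is an added example for this article, not High-Tech Bridge's test: it reads nginx-style `ssl_protocols` and `ssl_ciphers` directives from two constructed configuration snippets and flags protocol versions that PCI DSS (SSL and TLS 1.0, disallowed since 30 June 2018) and NIST SP 800-52 Rev. 2 (anything below TLS 1.2) reject, along with cipher suites that are broken or offer no forward secrecy. The baseline it applies is the editor's reading of those documents, and the cipher-name heuristics only understand explicit OpenSSL suite names, not keyword groups such as `HIGH`.

```python
"""Offline audit of an nginx TLS configuration.

Added example (not High-Tech Bridge's code). Both configuration snippets
are constructed for illustration. The protocol baseline follows PCI DSS
(no SSL/early TLS) and NIST SP 800-52r2 (TLS 1.2 minimum); the cipher
heuristics are the editor's and cover explicit suite names only.
"""
from __future__ import annotations

import re

# Constructed sample: a server block that still accepts legacy clients.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: the corrected block.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# (pattern matched against the suite name, reason) in priority order
WEAK_CIPHER_PATTERNS = [
    (r"NULL", "no encryption or no authentication"),
    (r"EXP", "export-grade key size"),
    (r"RC4", "RC4 stream cipher (broken)"),
    (r"DES", "DES/3DES 64-bit block cipher (SWEET32)"),
    (r"MD5", "MD5 MAC"),
]

# OpenSSL cipher-string keywords that this example does not expand.
CIPHER_KEYWORDS = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def weak_cipher_reason(suite: str) -> str | None:
    """Return why a cipher suite is weak, or None if it passes the baseline."""
    for pattern, reason in WEAK_CIPHER_PATTERNS:
        if re.search(pattern, suite):
            return reason
    # TLS 1.2 suites without an ephemeral key exchange (ECDHE/DHE) use static
    # RSA: one leaked private key decrypts every recorded session. TLS 1.3
    # suites (TLS_...) always have forward secrecy.
    if not re.match(r"(ECDHE|DHE|TLS_)", suite):
        return "no forward secrecy (static RSA key exchange)"
    return None


def audit_tls_config(conf: str) -> list:
    """Return a list of findings for an nginx server configuration."""
    findings = []

    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M)
    if m is None:
        findings.append("ssl_protocols not set explicitly; set it to TLSv1.2 TLSv1.3")
    else:
        for proto in m.group(1).split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"deprecated protocol enabled: {proto}")

    m = re.search(r"^\s*ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;", conf, re.M)
    if m is not None:
        for suite in m.group(1).split(":"):
            # skip OpenSSL modifiers (!RC4, -LOW, +HIGH, @SECLEVEL=2) and keywords
            if suite[:1] in "!-+@" or suite in CIPHER_KEYWORDS:
                continue
            reason = weak_cipher_reason(suite)
            if reason:
                findings.append(f"weak cipher suite {suite}: {reason}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_tls_config(conf) or ['no findings']}")
```

This only inspects what the configuration asks for; the OpenSSL build behind nginx decides what is actually negotiable, so a passing configuration file should still be confirmed with a live scan such as the one the article describes.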
- Don’t be caught out by phishing and cybersquatting
High-Tech Bridge completes its portfolio of free web security services with domain security radar. The new service reveals unethical, malicious or illegal activity involving domain names, such as identity theft, brand and trademark forgery, domain squatting, typosquatting and phishing.
Test the known unknowns
Now we come to the most interesting and the most complex part: the security of your website or web application itself. SQL injection and XSS are behind a large share of today's data breaches. However, detecting vulnerabilities in the complex systems we have today requires both vast manpower and large computing resources, and neither on its own is very effective.
A recent study from MIT found that neither humans nor machines alone were overwhelmingly successful at maintaining cybersecurity, but that they became effective when combined. This hybrid thinking has guided the development of High-Tech Bridge's web security platform ImmuniWeb® for years. ImmuniWeb's web security assessment is based on the award-winning hybrid technology that combines managed web vulnerability scanning with manual penetration testing in real time, bringing together the strengths of the human brain and machine-learning algorithms.
ImmuniWeb's web security assessment detects complex web application vulnerabilities that other solutions miss, provides a tailored fix for each security flaw, and guarantees zero false positives. If you run a website on WordPress, Joomla, Drupal or another popular CMS, the ImmuniWeb Express package performs a holistic and comprehensive security audit for as little as $299: less than an EV SSL certificate costs, and much less than many automated scanners, while finding more vulnerabilities.
About High-Tech Bridge
High-Tech Bridge is a strategic partner of PricewaterhouseCoopers (PwC) for web application security testing, and a globally recognized leader in the web security auditing market. Its customer base includes some of the largest financial institutions, insurance companies and banks, as well as small and medium companies and NGOs. High-Tech Bridge has won numerous awards for technological innovation and excellence. More information: https://www.htbridge.com/