Clarifying five misunderstandings about website security
At present, hacker attacks have become a very serious network problem. Many hackers can even break through SSL encryption and various firewalls, break into the interior of a website and steal information. A hacker needs only a browser and a few tricks to obtain customers' credit card numbers and other confidential information from a website.
With the gradual standardisation of firewalls and patch management, network facilities of all kinds should be more secure than before. Unfortunately, hackers have begun to attack websites directly at the application level. Analysts at Gartner, a market research company, point out that 70% of hacker attacks currently occur at the application layer. To improve the security of a website, we must first clear up five misunderstandings.
I. "The website uses SSL encryption, so it is very secure"
SSL encryption alone cannot guarantee the security of a site. When a site enables SSL, it means that the information the site sends and receives is encrypted in transit, but SSL cannot guarantee the security of the information stored on the site. Many sites use 128-bit SSL encryption and are still broken into by hackers. In addition, SSL cannot protect the private information of site visitors: that information is stored directly on the site's server, where SSL offers it no protection.
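To make the distinction concrete, here is an added example (not code from the original article) of a server deciding what to write to disk once a checkout form has arrived over TLS. The form fields, the salt and key values, and every helper name are constructed for the illustration; the point is that the transport layer has no say in what the persisted record contains.

```python
# Added example, not from the original article: what a server persists is
# unaffected by whether the connection that delivered it used TLS. The field
# names, the sample form and the helper functions below are all constructed.
import hashlib
import hmac
import json

# Constructed sample: the fields a checkout form submits over the TLS connection.
SUBMITTED_FORM = {
    "email": "visitor@example.com",
    "password": "correct horse battery",
    "card_number": "4111111111111111",   # well-known test PAN, not a real card
}


def store_naively(form):
    """What a site does when it assumes TLS alone is enough: the record written
    to disk is exactly what arrived, so anyone who can read the server's storage
    (backup, misconfigured share, SQL injection, insider) reads the secrets."""
    return json.dumps(form)


def hash_password(password, salt, iterations=600_000):
    """Slow salted hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def tokenize_card(card_number, hmac_key):
    """Keep only a keyed token (to recognise repeat customers) and the last four
    digits (for display). The full PAN stays with the payment processor."""
    token = hmac.new(hmac_key, card_number.encode(), "sha256").hexdigest()
    return {"token": token, "last4": card_number[-4:]}


def store_minimised(form, salt, hmac_key):
    """Record persisted by a site that treats storage as its own responsibility."""
    record = {
        "email": form["email"],
        "salt": salt.hex(),
        "password_hash": hash_password(form["password"], salt),
        "card": tokenize_card(form["card_number"], hmac_key),
    }
    return json.dumps(record)


def secrets_recoverable(stored_record, form):
    """Simulates someone reading the server's disk: which raw secrets appear verbatim?"""
    return [name for name in ("password", "card_number") if form[name] in stored_record]


def persisted_fields(stored_record):
    """Names of the top-level fields that ended up on disk."""
    return sorted(json.loads(stored_record))


if __name__ == "__main__":
    salt, key = b"\x01" * 16, b"\x02" * 32   # constructed; use random values in practice
    print(secrets_recoverable(store_naively(SUBMITTED_FORM), SUBMITTED_FORM))
    print(secrets_recoverable(store_minimised(SUBMITTED_FORM, salt, key), SUBMITTED_FORM))
```

Both records travelled over the same encrypted connection; only the second one survives a read of the server's storage without giving up the visitor's password or card number, which is exactly the gap the paragraph describes.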
II. "The website uses a firewall, so it is very safe"
A firewall has an access-filtering mechanism, but it still cannot deal with many malicious behaviours. Many online stores, auction sites and BBSs have installed firewalls and remain fragile. By setting up a "guest list", the firewall can exclude malicious access and admit only friendly visitors. However, how to distinguish benign access from malicious access is a problem. Once access has been allowed, the security problems that follow are beyond the firewall's reach.
III. "The vulnerability scanning tool found no problems, so the site is very safe"
Since the early 1990s, vulnerability scanning tools have been widely used to find obvious network security vulnerabilities. However, such tools cannot examine the site's application and find the vulnerabilities in its program.
A vulnerability scanning tool generates special access requests, sends them to the website, and analyses the responses the site returns. The tool compares the responses against its catalogue of known vulnerabilities and reports a security vulnerability as soon as something suspicious is found. At present, the newer versions of such tools can generally find more than 90% of the common security problems of a site, but against the site's own application they remain largely powerless.
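The following added example (not the article's code, and not any real scanner's) shows the mechanism just described and its limit in one place: a toy signature-based scanner is run against a constructed mock application. The mock site, its order store, the signature catalogue and all function names (`mock_app`, `scan`, `review_order_access`) are invented for the illustration. The scanner's probes find two generic misconfigurations because a pattern exists for each; the missing authorization check in the orders handler is found only by a check written by someone who knows this site's business rule.

```python
# Added example, not from the original article: a toy signature-based scanner
# run against a constructed mock application, to show what such a tool can and
# cannot see. Every name here (mock_app, ORDERS, SIGNATURES, ...) is invented.
import json
import re

# Constructed order store. In a real site this would be a database table.
ORDERS = {
    1001: {"order": 1001, "owner": "alice", "total": "42.00"},
    1002: {"order": 1002, "owner": "bob", "total": "99.00"},
}


def mock_app(method, path, session_user=None):
    """Constructed mock web application. Returns (status, headers, body).

    The /orders/<id> handler looks the order up but never checks that it
    belongs to session_user: an application-logic flaw (missing
    authorization) that no generic signature describes.
    """
    banner = {"Server": "ExampleHTTPd/1.0 (demo build)"}
    if method != "GET":
        return 405, banner, "method not allowed"
    if path == "/":
        return 200, banner, "<html><body>welcome</body></html>"
    if path == "/backup/":
        return 200, banner, '<html><title>Index of /backup/</title><a href="db.sql">db.sql</a></html>'
    m = re.fullmatch(r"/orders/(\d+)", path)
    if m:
        order = ORDERS.get(int(m.group(1)))
        if order is None:
            return 404, banner, "no such order"
        return 200, {**banner, "Content-Type": "application/json"}, json.dumps(order)
    return 404, banner, "not found"


def mock_app_fixed(method, path, session_user=None):
    """The same application with the ownership check added to the orders handler."""
    status, headers, body = mock_app(method, path, session_user)
    if status == 200 and path.startswith("/orders/"):
        if json.loads(body)["owner"] != session_user:
            return 403, headers, "forbidden"
    return status, headers, body


# Constructed signature catalogue: each entry is a probe request plus the
# response pattern that indicates a known, generic misconfiguration.
SIGNATURES = [
    {"name": "directory listing enabled", "path": "/backup/",
     "where": "body", "pattern": r"<title>Index of /"},
    {"name": "server version disclosed in banner", "path": "/",
     "where": "header:Server", "pattern": r"/\d+\.\d+"},
]


def scan(app):
    """Signature-based scan: send each probe, match the response, report hits."""
    findings = []
    for sig in SIGNATURES:
        status, headers, body = app("GET", sig["path"])
        if sig["where"] == "body":
            haystack = body if status == 200 else ""
        else:
            haystack = headers.get(sig["where"].split(":", 1)[1], "")
        if re.search(sig["pattern"], haystack):
            findings.append(sig["name"])
    return findings


def review_order_access(app, session_user):
    """Application-level check that only someone who knows the business rule
    ("a user may read only their own orders") can write: request every order
    as session_user and flag any that is served although owned by someone else."""
    exposed = []
    for order_id in ORDERS:
        status, _headers, body = app("GET", f"/orders/{order_id}", session_user)
        if status == 200 and json.loads(body)["owner"] != session_user:
            exposed.append(f"/orders/{order_id}")
    return exposed


if __name__ == "__main__":
    print("scanner findings:", scan(mock_app))
    print("orders exposed to alice (original):", review_order_access(mock_app, "alice"))
    print("orders exposed to alice (fixed):", review_order_access(mock_app_fixed, "alice"))
```

Note that fixing the authorization flaw changes nothing in the scanner's report, and adding more signatures would not help either: the scanner has no way to know who is supposed to own order 1002. That is the sense in which the paragraph calls such tools powerless against the application itself, and why the later sections argue for security review of the program at every stage.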
IV. "The security problems in the program were caused by the programmers"
Programmers do cause some problems, but there are problems that programmers cannot control.
For example, the application's source code may originally have been obtained from elsewhere, beyond the control of the company's in-house developers. Or the company may bring in offshore developers to do some customised development and integrate it with the original program, which may also cause problems. Or some programmers take free code and modify it, which also hides security problems. To take a more extreme example, two programmers may jointly develop a project: the code each writes separately is safe, but when the two parts are combined, security vulnerabilities may appear.
Realistically speaking, software always has defects, and new ones appear every day. A security vulnerability is just one kind of defect among many. Strengthening staff training can indeed improve code quality to a certain extent, but it should be noted that anyone makes mistakes and flaws are inevitable. Some vulnerabilities may take many years to be discovered.
V. "We conduct a security assessment of the website every year, so it is very safe"
Generally speaking, the code of a site's application changes quickly. An annual security assessment of the website is necessary, but the situation at the time of the assessment may be very different from the current situation. Any change to the site's application carries the hidden danger of a security problem.
Sites like to upgrade their applications for the holidays, and Christmas is a typical peak season. Sites often add many new functions at such times but neglect security considerations; if a site does not add new functions, its business performance suffers. A site should therefore involve professional security personnel at every stage of program development.