
What are the threats and can you prevent unauthorized access? It does not require brain surgery to understand.

Website Security

This is an overview; I am not going to talk about specific website security threats and vulnerabilities because there are thousands. Why can I say this? Because there are thousands of programs that run on web servers, and each has its own security issues. Some of these programs are scripting language interpreters, so any script written to run under them also has its own security issues. No company producing a product intended for use on the web can claim it is secure, because users can always find ways to misuse it to make it insecure, or to make the layers on which it depends insecure.

Your PC is under constant threat of being hacked into by someone on the internet. Low-lifes are scanning machines for open ports and other weaknesses they can exploit. Microsoft, Apple and the Linux community are constantly releasing updates to their operating systems to deal with these threats and vulnerabilities. Your website is right out there on the internet; it needs the internet to run, so it is likely more vulnerable than your PC.

The biggest reason for PC and website vulnerabilities is simple: complexity. Thus:

Rule 1: Complexity is the enemy of security.

Adding features to an operating system also adds vulnerabilities. Installing a new program that uses the web adds new vulnerabilities. Installing a window or door in a home introduces additional security risks, does it not? A new phone line brings a host of added vulnerabilities. Inviting old Aunt Mable (who is getting Alzheimer's) to come and stay could also be a big security risk. There are so many things to think about.

The doorways into computers are called ports. Programs talk through these virtual doorways. The messages flying around the internet carry the port number in their header; that is how a computer knows which program to deliver an incoming message to. The foundation of most security systems is to minimize the number of open ports (the ones being listened on by the operating system). There are thousands of ports. There are likely dozens of programs on your computer that use ports, and many of these want to use a specific port number that the computer world has agreed on.
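As an added example (not code from the Digitalfire page), here is a small Python check for the "minimize open ports" principle above: it parses a constructed listing in the shape of `ss -ltn` output and reports every network-reachable listening port that is not on an allowlist of services the site actually needs. The sample listing and the allowlist (SSH, HTTP, HTTPS) are assumptions for illustration.

```python
import re

# Constructed sample in the shape of `ss -ltn` output; not captured from a real host.
SAMPLE_LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""

# Assumed allowlist: the only doorways this web server is meant to expose.
EXPECTED_PUBLIC = {22, 80, 443}

# Matches a LISTEN row and captures the local address and port.
LINE_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(listing):
    """Return (address, port) pairs for every LISTEN row in the listing."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group("addr"), int(m.group("port"))))
    return found


def unexpected_listeners(listing, expected=EXPECTED_PUBLIC):
    """Listeners reachable from the network that are not on the allowlist.

    Sockets bound only to loopback (127.0.0.1 / ::1) are not doorways from
    the internet, so they are ignored; anything bound to a wildcard or public
    address whose port is not expected is reported.
    """
    loopback = {"127.0.0.1", "::1"}
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(listing)
        if addr not in loopback and port not in expected
    )


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_LISTING):
        print(f"unexpected open port {port} on {addr}")
```

Run against the sample, the loopback-only database port is accepted while the database and port 8080 bound to all interfaces are flagged as doors that should be closed or firewalled.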

While web servers also talk on ports, this aspect of security is not as important, since the server has only a limited number of programs that use them, and the manner in which they communicate is focused and has been closely scrutinized by thousands of people to make them secure. Of course, website designers can still figure out ways to make them insecure!

However, security on a website is much more abstract. It is much like neighborhood security. Houses have many weaknesses that can be exploited by would-be criminals. Often things about houses actually invite invaders (e.g. an open gate, a window obscured from street view by a bush, an unlocked car, etc.). Most of the recommendations of a security consultant are going to be simple common-sense things. It is the same with a website. Would you say it would be smart to install a very complex electronic security system on the site if you had not taken care of the simple things? Would it be smart to have a system that you do not even understand? Such a thing may actually be an impediment and a weakness. A website is the same: you need to understand it before you can protect it. Thus:

Rule 2: If you do not understand how your website works, then it is not secure!

There is no question about it: people who know the least about computers get the most viruses by far, and they get hacked the most. Think about this again. If you hired a security consultant, would you not have to explain to him/her how the site works? Can someone sell you a house and tell you that it is secure? No. You are the website security; what you do or do not do is what makes it secure. But you do need to study general residential security and be alert to new techniques being used by criminals.

Thus, the philosophy promoted for other aspects of a dreamsite holds true again. It is better to have something simple on a website that you control and understand than something complicated that you do not. By starting simple you can think about the threats and vulnerabilities and shape the site development accordingly. If you always go down roads that you understand, then you will also understand, or be able to reason out, the associated threats and how they relate to existing threats. So let your knowledge of the way a web site works grow in parallel with the site itself. You might think that knowledge needs to be ahead of web site development, but this is not really the case. They grow together; development of a new feature on a site is actually part of the education. If you create something specifically adapted to yourbusiness.com on the web, then there is no security expert trained in what you have made; you are the expert. You are the dreamer. So you need to dream about security also.


Only custom-written web components can go down any road you choose!





Suite 407, 1595 Southview Drive SE, Medicine Hat, AB T1B 0A1
Answering Machine: (406) 662-0136, FAX: (866) 223-7132
