by: Brad Dixon
Security and Privacy for Web Sites, Online Applications and Online Shops - Part 1.
Online applications, whether they are stores or portals into other business information, are very much on the increase. It would be fair to say that most businesses today either have some form of portal or are losing business to a competitor who has one.
I have been writing code for these portals since the mid 1990s. At first the code was written primarily for a kiosk, located either at the business's premises or in a shopping centre, that provided unassisted information or pricing on that business's products or services. We would only adapt them for the Internet because we could. How times have changed.
These portals are excellent for presenting company data to customers, prospective customers, employees or contractors.
The problem is that by presenting this data on the Internet you also give billions, that's right, billions, of others the opportunity to access it. How long would you stay in business if the competition got hold of your client list? What would happen if your clients' credit card details were stolen and used online to buy all sorts of wares? Not nice thoughts.
Some attacks are not even this blatant. Sometimes an attacker will steal all of your company's data and blackmail you for its return, dressing the payment up as a "security audit".
Over the next few weeks I will be writing several articles on security and how best to secure your online stores and portals. These articles are intended for an audience of both company owners and web application programmers, so they will be more conceptual than technical. If anyone requires technical clarification they can contact me directly.
User accounts -
User accounts are the primary means of access for most sites, and there are many security issues to cover here.
Firstly, what is the password policy for the site?
I have seen so many sites where the web developer uses an .htaccess file, or some other simple form of access control, with only one username and password that is handed out to everyone. People ring reception and ask for access and this "generic" password is given out. Why even have restricted access? A shared password cannot be revoked for one person without locking out everyone else, and it leaves no record of who actually logged in. You may as well open the site up to the world; the world has the password.
Other companies go a little further by asking prospective users to email for the password. You may think that you have then screened every user who holds it. But where are those users now? Who do they work for now? When was the last time the password was reset? That's right, it is all just too hard. If you were to reset the password now, tens or hundreds of legitimate users would lose access and would be ringing you directly. So let's just leave it be...
Don't use single user password access!
Take the effort to give every user an individual username and password. That way access can be revoked for one person without affecting anyone else, and the user database can be cleaned out periodically.
Which brings us to the next point: when was the last time you "cleaned" the online user database? If you are like most corporations, never, or at least not in the past few months. I still have access to websites, portals and servers belonging to clients I stopped working for over 5 years ago. (Thankfully I'm a nice guy.) Make sure your portal or application has a password policy system that disables accounts after an extended period of inactivity. Make users change their passwords, even if it is only once or twice a year. And manually clean out deserted or old accounts from your backend system on a regular basis; an automated sweep catches the forgotten accounts, a manual review catches the ones that are technically active but should no longer exist.
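The account hygiene described above can be turned into a routine job rather than a task that never gets done. The following is an added example, not code from the original article: it assumes a hypothetical user table with the columns username, last_login, password_changed and disabled, applies a 90-day inactivity limit and a 180-day maximum password age, and runs against a small constructed sample database so it can be executed offline. The thresholds are illustrative; pick the ones your policy requires.

```python
"""Account-hygiene sweep: disable inactive accounts, flag stale passwords.

Added example for illustration (not from the original article). The `users`
table layout is an assumption: username, last_login, password_changed,
disabled. The sample rows are constructed for this demonstration.
"""
import sqlite3
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)    # disable after 90 days without a login
PASSWORD_MAX_AGE = timedelta(days=180)   # force a password change twice a year

# Constructed sample data: (username, last_login, password_changed, disabled)
SAMPLE_USERS = [
    ("alice",      "2024-05-20", "2024-03-01", 0),  # active, recent password
    ("bob",        "2023-11-02", "2023-10-15", 0),  # no login for months
    ("contractor", "2019-01-10", "2019-01-10", 0),  # left years ago, still enabled
    ("carol",      "2024-05-29", "2023-09-01", 0),  # active, but password is old
]


def parse_date(value):
    """Dates are stored as ISO 'YYYY-MM-DD' strings in this hypothetical schema."""
    return datetime.strptime(value, "%Y-%m-%d")


def load_sample_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " last_login TEXT NOT NULL,"
        " password_changed TEXT NOT NULL,"
        " disabled INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def sweep_accounts(conn, now):
    """Apply the policy as of `now`.

    Returns (disabled, must_change): usernames disabled for inactivity on this
    run, and still-active usernames whose password is older than the limit.
    Accounts that are already disabled are left alone, so the sweep is safe to
    re-run on a schedule.
    """
    disabled, must_change = [], []
    rows = conn.execute(
        "SELECT username, last_login, password_changed, disabled "
        "FROM users ORDER BY username"
    ).fetchall()
    for username, last_login, pw_changed, is_disabled in rows:
        if is_disabled:
            continue
        if now - parse_date(last_login) > INACTIVITY_LIMIT:
            # Disable rather than delete: keeps the audit trail and lets a
            # legitimate returning user be re-enabled after a manual check.
            conn.execute("UPDATE users SET disabled = 1 WHERE username = ?", (username,))
            disabled.append(username)
        elif now - parse_date(pw_changed) > PASSWORD_MAX_AGE:
            must_change.append(username)
    conn.commit()
    return disabled, must_change


def run_demo():
    """Run the sweep twice against the sample data (fixed 'now' for repeatability).

    Returns (disabled_first_run, must_change_first_run, disabled_second_run).
    """
    conn = load_sample_db()
    now = datetime(2024, 6, 1)
    disabled, must_change = sweep_accounts(conn, now)
    disabled_again, _ = sweep_accounts(conn, now)
    return disabled, must_change, disabled_again


if __name__ == "__main__":
    first, stale, second = run_demo()
    print("disabled for inactivity:", first)
    print("must change password:  ", stale)
    print("disabled on re-run:    ", second)
```

Note that the sweep disables accounts instead of deleting them, so a mistaken lockout can be reversed and you keep the record of who had access; a separate, deliberate deletion pass can follow once the disabled accounts have sat untouched for a while.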
This article and the rest from the series can be found on the following rss feed -
http://www.search-engine-optimise.com.au/articles.xml