Network World

Advice for securing your site and your reputation

By Erik Larkin, PC World, 04/14/2008

Is your company's Web site hacked? Today, it can be hard to tell. Online crooks who successfully break into a site often sneak in small bits of code that leave no visible trace but can attack visitors who simply view the page.

In fact, according to a Websense Security Labs report (pdf), online thugs who want to spread their viruses, Trojans and other malware are more likely to hack an existing site than to put up their own poisoned page. Of the malicious sites the company found in late 2004, more than half were hacked sites.

To find out how a company can protect its site and its good name from being hijacked, I talked with Jeremiah Grossman of WhiteHat Security at last week's RSA security conference here in San Francisco. Grossman has made a big name for himself over the last couple of years by getting the word out about common JavaScript vulnerabilities in Web sites.

His company helps secure sites by scanning for exploitable holes, but the custom service for his mostly enterprise-level customers doesn't come cheap. So I asked him for tips and suggestions that can help protect all sites, big and small. Here's what he said.

First, know where to look. Grossman says most exploitable vulnerabilities lie in the Web application layer, where custom code handles the communication between the Web server software and the database back-end. This makes sense, because a piece of Web software written by your own software developers isn't going to undergo the same security testing as, say, the Apache Web server or an Oracle database (though said apps are subject to plenty of vulnerabilities themselves).

So Grossman says to make sure your developers are using current development tools, such as Ruby on Rails, and not old, outdated tools such as Classic ASP that can introduce holes.

Next, he suggests that you look into using a hosting provider instead of maintaining your own network and Web servers. Again, such companies don't provide guaranteed security, but they're more likely to keep systems up-to-date with security patches than a single, often-overworked systems administrator at a small company. I've worked as a sysadmin, and I know firsthand how applying patches can often fall to the bottom of the to-do list when there are fires to fight.

Comments (1)
Securing your site and your reputation

By Anonymous on April 17, 2008, 6:58 pm

I received a cannot access server error when I tried to download the pdf link near the top of page 1.