How secure are your web services?

Online security has again been in the news recently with reports that thousands of logins for webmail services such as Hotmail, Yahoo, and Gmail have been compromised and details posted online. Here we list some key areas that both web service providers and internet users should always keep in mind to help protect themselves on the web:

1. Security updates. It is essential to keep up-to-date with the latest security updates in order to remain protected against new online threats. Users should accept and install automatic updates when offered (eg. Windows Updates) and ensure that they are running the latest version of their web browser, including any plug-ins it may use (eg. Java, Flash). Similarly, web services should ensure that software installed on their servers is fully patched and updated, as many hacking attempts will seek to exploit known vulnerabilities in older software libraries.

2. Password security. Since passwords commonly provide access to sensitive data and otherwise restricted functionality, they should be handled with utmost care by both applications and their users. A secure web service should encourage users to choose a ‘strong’ password (eg. containing a mixture of uppercase/lowercase letters and numbers), and can limit automated guessing attempts by temporarily locking accounts which have too many recent failed logins. In addition, applications should always store passwords in an encrypted format, so that unauthorised access to them would not in itself compromise user accounts. Users themselves must also play their part: even the most secure application cannot guard against usernames and passwords being written on post-it notes stuck to monitors. Similarly, the same credentials should never be used to access different websites, as this reduces the security of each login to that of the least secure service.

3. Insecure channels. Logins to a secure web service should occur over HTTPS (Hypertext Transfer Protocol Secure), which is indicated to users by the presence of a padlock icon in their browser. Where HTTP is used (ie. no padlock visible), usernames and passwords are sent over the internet in plain text, meaning they are visible to anyone monitoring (or ‘sniffing’) network traffic. Email is an equally insecure channel, and should never be used to share confidential data or send usernames and passwords together. As a result, forgotten password functionality that prompts an e-mail message containing reset details always needs to be implemented carefully. For any web application, it is key to note that information not readily visible to users is not necessarily secure: both hidden form fields and cookies may easily be accessed by a canny user, making them an unadvisable place to store passwords or other sensitive information.

4. Security holes. Web services should seek to protect themselves against a range of common security holes that may be used to gain unpermitted access to data or user accounts. A skilled user can often find ways of compromising security by tampering with the URL in the browser’s address bar, or by entering special values into forms, causing the application to output unauthorised information or deliver malicious content to other users. A secure web service will guard against this by correctly handling and sanitising all user submitted values.

5. Regular checking. With the next new threat always on the horizon, online security should be seen as an ongoing area of focus for both users and applications, rather than an issue that can be reviewed once and then forgotten about. For users, we’d recommend weekly system scans to ensure that desktops and laptops remain free of viruses etc, always ensuring first that the relevant anti-virus software is fully up-to-date. For applications that are constantly evolving and incorporating new technologies, regular checking and reviews can help to prevent vulnerabilities from being introduced, and ensure that their users can continue to use them with confidence.