How secure is your site? For most businesses, web security isn't a priority until it is too late. Most sites preyed upon by today's web criminals won't even know that their data has been compromised.
Keeping your server software current, such as Apache and PHP, is only the first step in a comprehensive site security plan. These generic software packages are kept up-to-date by your IT department or website host and used to be the primary means of attacking a company's web presence. However, with the prevalence of web applications being written by both in-house and outsourced development teams, the security of your website now depends on each of the programming teams involved.
Security audits are the only way to prevent unaccounted bugs and holes from releasing all of your website's data into the wild and security audits are best performed by a third-party. As a published security researcher, Merge's Alex Firmani has located and disclosed security issues potentially worth millions of dollars to Fortune 100 companies among numerous others. These holes exist, right now, on business and e-commerce sites around the world -- would you rather a malicious criminal or a hired security researcher find these holes in your website's security first?
Our security audits consist of multiple steps including port scanning and web server software compromise checks. The heart of the audit is the web application penetration testing. Your custom web applications and e-commerce modules will be put through a battery of manual and automatic tests where we locate all possible attack vectors that are currently open on your live site. A few of the more common issues we locate include:
- open email relays allowing criminals to phish or simply spam unlimited amounts of email through your domain, resulting in client compromises or blacklisting of your entire domain and all email marked with that domain.
- XSS (Cross-site scripting) allows an intruder to inject javascript directly into your site's pages, putting every customer at risk.
- XSRF (Cross-site request forgery) puts all of your user accounts at risk by allowing session-jacking and other account takeovers. This is the attack of the future and the one that most sites are woefully unprepared for. Almost all account management forms found on the web are easily hacked by XSRF tricks.
- Unchecked form attempts give criminals the ability to flood your servers with requests and submissions, and with them the chance of brute-forcing their way to account data.
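To make the last three items concrete from the defender's side, here is an added example (not code from this page or from Merge) of a small account-update handler that applies the standard mitigations: a per-session CSRF token compared in constant time, HTML output encoding of user-supplied data, and a per-client cap on failed submissions. The in-memory `SESSIONS` and `ATTEMPTS` tables, the `MAX_ATTEMPTS` value and the client addresses are all assumptions constructed for the example.

```python
import hmac
import html
import secrets
from collections import defaultdict

# Hypothetical in-memory stores standing in for a real session backend and
# rate-limit table (assumptions for this example, not a production design).
SESSIONS = {}                 # session_id -> {"csrf": token}
ATTEMPTS = defaultdict(int)   # client_ip -> count of rejected submissions
MAX_ATTEMPTS = 5              # constructed threshold for the example


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf"]


def csrf_valid(sid, submitted):
    """Accept a POST only if it carries the token tied to this session.

    A forged cross-site request cannot read the victim's page, so it cannot
    supply the token. compare_digest avoids leaking it via timing.
    """
    expected = SESSIONS.get(sid, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def render_profile(display_name):
    """Output-encode user data before placing it in HTML (XSS mitigation)."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


def handle_update(sid, client_ip, form):
    """Process an account-update POST. Returns (http_status, body)."""
    # Unchecked-form mitigation: stop flooding clients before doing any work.
    if ATTEMPTS[client_ip] >= MAX_ATTEMPTS:
        return 429, "Too many attempts"
    # XSRF mitigation: reject requests that lack this session's token.
    if not csrf_valid(sid, form.get("csrf")):
        ATTEMPTS[client_ip] += 1
        return 403, "Bad CSRF token"
    # XSS mitigation: never echo raw input into the page.
    return 200, render_profile(form.get("name", ""))


def simulate_flood(sid, client_ip, count):
    """Submit `count` forms with a bad token from one client; returns last status."""
    status = None
    for _ in range(count):
        status, _body = handle_update(sid, client_ip, {"csrf": "forged", "name": "x"})
    return status


if __name__ == "__main__":
    sid = new_session()
    token = csrf_token_for(sid)
    # Legitimate submission with a hostile display name: script is neutralised.
    print(handle_update(sid, "203.0.113.5", {"csrf": token, "name": "<script>alert(1)</script>"}))
    # Cross-site forgery: no token, rejected.
    print(handle_update(sid, "203.0.113.6", {"name": "attacker"}))
    # Flooding client: locked out after MAX_ATTEMPTS rejections.
    simulate_flood(sid, "203.0.113.7", MAX_ATTEMPTS)
    print(handle_update(sid, "203.0.113.7", {"csrf": token, "name": "x"}))
```

The three checks are deliberately ordered so that the cheapest rejection happens first; in a real deployment the session and attempt tables would live in shared storage, and the attempt counter would expire rather than persist for the life of the process.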
While these may sound like pie-in-the-sky theoretical security issues (or, more to the point, like a bunch of tech jargon), it is very likely that if you run any sort of custom programming, your site is currently vulnerable to one or more of the attacks listed here. Most site owners don't pay attention to their site's security until it is already an emergency. How many credit card numbers were stolen? How many user accounts were compromised?
Rather than answer those questions after your site has been compromised, contact us today to locate and secure these holes before a criminal does.