Few organizations have adopted this yet, but it is integral to keeping an organization's future plans and upcoming actions confidential. Web sites are unfortunately prone to security risks, and so are any networks to which web servers are connected. Setting aside the risks created by employee use or misuse of network resources, your web server and the site it hosts are your most serious sources of security risk.
Threat and Vulnerability Management
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.
Is Your Site or Network at Risk?
Web security also has a public-facing aspect. A few essentials determine how exposed a web site is:
When a web site holds valuable assets or attracts public attention, its web security risk rises sharply. The number of bugs that could create web security issues is directly proportional to the size and complexity of your web applications and web server: the more complex the site, the more bugs it will invite.
Any web-based form or script installed at your site may have weaknesses or outright bugs and every such issue presents a web security risk. The balance between allowing web site visitors some access to your corporate resources through a web site and keeping unwanted visitors out of your network is a tough one.
There is no one setting, no single switch to throw, that sets the security hurdle at the proper level. But there are dozens, if not hundreds, of settings that Smartech can suggest for a web server alone, and then each service, application and open port on the server adds another layer of settings. And then the web site code... you get the picture.
A common web site attack involves the silent and concealed installation of code that will exploit the browsers of visitors. The owners have no idea that anything has been added to their sites and that their visitors are at risk. In the meantime visitors are being subjected to attack, and successful attacks install nasty code onto the visitors' computers.
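One defensive check for the attack just described, as an added example that is not part of the original page: compare the scripts on a page as it is served now against a trusted baseline copy, and flag any external script whose host is outside an allow-list, or any inline script whose content hash was not in the baseline. The HTML snippets, the host allow-list and the function names are constructed for this example.

```python
"""Spot script tags that were added to a page after its trusted baseline was taken.

Standard library only. The pages and allow-list below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external src URLs and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= attributes, in document order
        self.inline = []        # bodies of inline <script> blocks
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._capturing = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and delivers it here, possibly in chunks.
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self._capturing = False
            self.inline.append("".join(self._buf).strip())


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_digest(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def find_injected_scripts(baseline_html, current_html, allowed_hosts):
    """Return (kind, detail) findings for scripts present now but absent from the baseline.

    An empty list means the served page carries no script the baseline did not.
    Relative src values (empty host) are treated as same-origin and therefore allowed hosts.
    """
    base_ext, base_inline = collect_scripts(baseline_html)
    cur_ext, cur_inline = collect_scripts(current_html)
    known_inline = {inline_digest(body) for body in base_inline}
    findings = []
    for src in cur_ext:
        if src in base_ext:
            continue
        host = urlparse(src).netloc.lower()
        kind = "new-external-script" if (not host or host in allowed_hosts) else "unapproved-script-host"
        findings.append((kind, src))
    for body in cur_inline:
        digest = inline_digest(body)
        if digest not in known_inline:
            findings.append(("new-inline-script", digest[:16]))
    return findings


# Constructed sample data: a trusted baseline and the same page with two scripts appended.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Hello</p></body></html>"""

CURRENT_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="https://static.example.net/x.js"></script>\n'
    '<script>/* constructed: unexpected inline code */ document.title = "x";</script>\n</body>',
)

ALLOWED_HOSTS = {"cdn.example.com"}   # hosts the site is expected to load scripts from

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(BASELINE_PAGE, CURRENT_PAGE, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
```

Run it against a stored copy of each page and the page as fetched on a schedule; a non-empty result is the signal that something was added without the owner's knowledge. Hashing inline bodies rather than storing them keeps the baseline small and makes a single-character change to a script visible.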
There are two roads to excellent security. On one, you would assign all of the resources needed to stay constantly alert to new security issues. You would ensure that all patches and updates are applied at once, have all of your existing applications reviewed for correct security, ensure that only security-knowledgeable programmers work on your site, and have their work checked carefully by security professionals. You would also maintain a tight firewall and antivirus protection and run IPS/IDS.
Your other option: use a web scanning solution to test your existing equipment, applications and web site code to see whether a 'KNOWN' vulnerability actually exists. While firewalls, antivirus and IPS/IDS are all worthwhile, it is simple logic to also lock the front door. It is far more effective to repair a half dozen actual risks than it is to leave them in place and try to build higher and higher walls around them. Network and web site vulnerability scanning is the most efficient security investment of all.
If one had to walk just one of these roads, diligent wall building or vulnerability testing, it has been seen that web scanning will actually produce a higher level of web security on a dollar for dollar basis. This is proven by the number of well defended web sites which get hacked every month, and the much lower number of properly scanned web sites which have been compromised.