3.9 Chapter Summary
Given today's computer system security vulnerabilities, organizations need to take action to ensure that security controls and procedures are implemented and that security testing is performed on the Web system before it goes live.
E-commerce Web systems have particular security concerns because they handle sensitive and personal information.
The port scanner and the network monitor are two types of utilities that are useful in the evaluation of Web site security. Port scanning is used on a host server or a range of hosts to determine whether they are exposing services on some or all ports. The network monitor, or sniffer, examines packets that are being transmitted across a network.
Securing a server involves two steps. First, it is necessary to secure the base operating system. Second, services running on the server need to be secured.
Web and application server security involves the proper operation of user authentication and access control, as well as a detailed examination of the Web system components that are used to drive dynamic and interactive content.
The effort to secure a Web site's database involves more than securing the database host itself. Web system components or other data retrieval mechanisms that operate on the data residing in the database must be properly designed and implemented to protect against database content attacks.
User accounts, file systems, and server software running on the database server must be properly configured to prevent unauthorized access by an intruder.
In recent years, a number of security flaws have been uncovered in many client-side technologies. Flaws in many Web browsers can be exploited by malicious scripts or applets to work around the security of the browser. As these flaws are identified, Web browser vendors have generally been quick to fix them and to distribute patches.
Some technologies, such as ActiveX controls and cookies, can be used by a malicious intruder to open up potential security problems on a visiting Web user's computer. Section 3.4 provides guidance on ensuring that computers and the private data of Web users visiting a site are not made vulnerable to intrusion by attackers through the use of ActiveX controls and cookies.
Secure communication protocols, such as the Secure Sockets Layer (SSL), are available. SSL is an encryption protocol that enables two parties to communicate over a network in an encrypted form.
Several elements are involved in establishing a secure communications session between a browser client and a Web server, including Web server possession of a valid certificate, configuration of the client computer with the public key of the certificate authority, client authentication of the Web system server, and client generation of a session key.
Section 3.7 provides strategies for evaluating the security of a Web system through step-by-step procedures that address authentication, authorization, content attacks, database security, client computer security, communications, and the network.