Security Auditing

Security is becoming an ever more important aspect of owning a website.

Website visitors need to feel confident that their personal data is safe.

On average 30,000 new websites are hacked every day

Forbes

Most of these websites belong to legitimate businesses that unwittingly distribute malware to their visitors for days, weeks or months after being hacked.

I'm already using SSL/HTTPS

Just having an SSL certificate doesn't mean much if your web server or hosting is configured to allow the use of older, less secure cipher suites.

In addition, HTTPS and SSL Certificates only protect data that is "in transit" between the user and your website.

While these are important points that should be checked as part of any security audit, they're not the only things that you need to be aware of when it comes to website security.

How vulnerable is my website?

Websites provide the largest surface area for attackers to target. There are many different ways that an attacker could use your website for attacks without you even knowing about it.

Some of the most common are...

  • Click-jacking

    This is where a hacker displays your real website inside an iframe and tricks users into clicking on links that the hacker controls. These links are placed as invisible clickable objects on top of your site's regular links, such as your navigation menu.

  • XSS / Cross Site Scripting

    This is where a hacker injects malicious JavaScript into pages on your website. This could be done through a badly configured form on your site but is more commonly achieved through browser extensions and plugins that the user may have installed.

  • Cross-site request forgery

    Also known as a one-click attack or session riding, this is a type of malicious exploit where a hacker is able to send commands to your website while the commands appear to come from a user that the website trusts. This is usually achieved by the hacker tricking an unsuspecting user into submitting a web request that they did not intend, and is often done without that user even being aware that it is happening.

Of course, there are many more ways that potential attackers could target your site or its visitors. However, there are tools at your disposal to mitigate or prevent the vast majority of these attacks when they are used correctly.

What can I do to protect my site and my visitors?

In many cases there are simple ways to remove the ability for hackers to perform such attacks by having your website send special instructions to the visitor's browser.
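As an added example (not part of the original page), the check below looks at a site's response headers for browser instructions that address the three attacks listed above. The page does not name the instructions; the ones checked here are the standard Content-Security-Policy and X-Frame-Options headers and the SameSite cookie attribute. The function names and both sample responses are constructed for illustration.

```python
# Added example: audit response headers for browser-enforced defenses.
# WEAK and HARDENED are constructed sample responses, not real captures.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """headers: list of (name, value) pairs. Returns (attack, problem) findings."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    csp = parse_csp(by_name.get("content-security-policy", [""])[0])

    # Click-jacking: the response must restrict which sites may frame it.
    xfo = by_name.get("x-frame-options", [""])[0].upper()
    ancestors = csp.get("frame-ancestors")
    if ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("click-jacking", "no framing restriction sent"))
    elif ancestors is not None and "*" in ancestors:
        findings.append(("click-jacking", "frame-ancestors allows any site"))

    # XSS: a script policy limits which scripts the browser will execute.
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append(("xss", "no script-src or default-src in CSP"))
    elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha")) for s in scripts):
        findings.append(("xss", "CSP allows inline scripts"))

    # CSRF: SameSite keeps cookies off requests started by other sites.
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if not any(a in ("samesite=lax", "samesite=strict") for a in attrs):
            name = cookie.split("=", 1)[0]
            findings.append(("csrf", name + " cookie lacks SameSite=Lax/Strict"))
    return findings

WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
HARDENED = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Headers reduce exposure in the browser but do not replace server-side fixes such as output encoding and per-request CSRF tokens.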

As part of a security audit you should receive a report that details all of the steps that you need to take to fully secure your website from these kinds of attacks.

Once you have the report you can have your developers make the changes or you may contract me to do so.