Best Practices for Web 2.0 Security

Updated: April 30, 2009

Web-based applications give employees, customers and business partners access to a variety of useful software services that can be easily updated. The technology also provides access to a central business resource — the Web server — and through it, the ability to tap into other key information assets, such as database servers.

The downside is that Web applications are vulnerable to both internal and external threats. Fortunately, by understanding and implementing proper security measures, a business can guard precious IT resources from Web-based attacks while providing a secure environment for Web-application users. Here's a rundown of the Web 2.0 security best practices you need to be aware of.

Encryption: Since data usually passes over the Web in the clear, high-quality encryption will ensure that valuable data can't be intercepted and exploited by unauthorized parties. Unfortunately, many businesses still don't encrypt their data, mistakenly believing that the process is too difficult, time-consuming or expensive, not to mention that it degrades performance. Such businesses need to realize that modern data-encryption technologies are easy, fast and inexpensive. Additionally, today's high-speed CPUs can easily handle data encryption on the fly.

Weak Validation: Interactive Web applications are highly vulnerable to user-input validation attacks. Web applications that fail to perform thorough validation of user-input screens pave the way for attacks on the Web server and connected resources. Shutting down this vulnerability requires a complete examination of all internal and external Web applications to uncover potential validation weaknesses.
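The following is an added example, not code from the original article, of what "thorough validation of user-input screens" looks like in practice: every form field is checked against an allowlist rule before it is used, unknown fields are rejected, and the database lookup is shown in a weak form (raw input spliced into SQL) beside its hardened form (allowlist check, then a parameterised query). The field rules, the in-memory SQLite table and the sample inputs are all constructed for this example.

```python
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# Allowlist rules per form field (assumed policy for this example; a real
# application substitutes its own). Each rule is (pattern, converter).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
QUANTITY_RE = re.compile(r"[1-9][0-9]?|100")  # integer 1..100

FIELD_RULES = {
    "username": (USERNAME_RE, str),
    "email": (EMAIL_RE, str.lower),
    "quantity": (QUANTITY_RE, int),
}


def form_errors(form: Dict[str, str]) -> List[str]:
    """Return names of fields that are unexpected, missing, or fail their rule."""
    errors = [name for name in form if name not in FIELD_RULES]  # unknown fields
    for name, (pattern, _) in FIELD_RULES.items():
        value = form.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            errors.append(name)
    return sorted(errors)


def validate_form(form: Dict[str, str]) -> Dict[str, Any]:
    """Return converted field values, or raise ValueError naming the bad fields."""
    errors = form_errors(form)
    if errors:
        raise ValueError("invalid fields: " + ", ".join(errors))
    return {name: conv(form[name]) for name, (_, conv) in FIELD_RULES.items()}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the connected database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unvalidated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Weak form: the raw field is spliced into SQL, so the database interprets it."""
    sql = f"SELECT name, email FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened form: allowlist check first, then a parameterised query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (username,)
    ).fetchall()


def hardened_rejects(conn: sqlite3.Connection, username: str) -> bool:
    """True when the hardened lookup refuses the input before it reaches the database."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False
```

The point of running both lookups side by side is the check a reviewer wants to see: with a constructed input that contains SQL quoting characters, the unvalidated query returns every row in the table, while the hardened version never lets that string reach the database at all, and even if the regex were loosened the parameter binding would still treat it as a plain literal.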

Dangerous Configurations: Many businesses make the mistake of running Web servers within insecure default configurations. Examples are superfluous administrative tools, utilities placed in locations that attackers can easily detect, and unnecessary templates and samples that attackers can exploit. It's important to check for the presence of these items and to either remove or reconfigure them.

Data Storage: When business owners, managers and network administrators think about Web-application security, their first thought is usually about critical company data flowing across unprotected networks. But data is also at risk when it sits unprotected on a storage device. That's why it's crucial to store all Web-application data on protected servers. Disk-based encryption is also a must. Another necessary step is to ensure that temporary files don't inadvertently become permanent, allowing attackers to steal and exploit critical company data. In other words, check to see that your applications are automatically cleaning up after themselves.
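As an added example (not code from the original article) of an application that "cleans up after itself", the block below stages uploaded data in a temporary file that is created owner-only, removes it whether processing succeeds or raises, and adds a sweep for files that outlived their request anyway, which is the case the paragraph warns about (a crash or a forgotten code path leaving a temp file behind). The payloads, the processing steps and the scratch directory are constructed for this example.

```python
import os
import stat
import tempfile
import time
from contextlib import contextmanager
from typing import Callable, Iterator, List, Optional, Tuple


@contextmanager
def private_tempfile(directory: Optional[str] = None) -> Iterator[str]:
    """Yield the path of a temp file created with mode 0600 and remove it on exit.

    mkstemp() creates the file exclusively with owner-only permissions, so another
    local account can neither read it nor pre-create it; the finally block removes
    it whether the caller's processing returned normally or raised.
    """
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.close(fd)
        yield path
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def is_owner_only(path: str) -> bool:
    """True when no group/other permission bits are set (POSIX); trivially True elsewhere."""
    if os.name != "posix":
        return True
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def process_upload(payload: bytes, processor: Callable[[str], int]) -> Tuple[int, bool, bool]:
    """Stage payload in a private temp file and run processor(path).

    Returns (processor result, file was owner-only, file still exists afterwards).
    """
    with private_tempfile() as path:
        with open(path, "wb") as fh:
            fh.write(payload)
        private = is_owner_only(path)
        result = processor(path)
    return result, private, os.path.exists(path)


def byte_count(path: str) -> int:
    """Constructed processing step: count the bytes of the staged file."""
    with open(path, "rb") as fh:
        return len(fh.read())


def failing_processor(path: str) -> int:
    """Constructed processing step that fails part-way, as a real parser might."""
    raise RuntimeError("simulated processing failure")


def cleanup_survives_failure() -> bool:
    """Return True if the temp file is gone even though processing raised."""
    leaked_path = None
    try:
        with private_tempfile() as path:
            leaked_path = path
            failing_processor(path)
    except RuntimeError:
        pass
    return leaked_path is not None and not os.path.exists(leaked_path)


def sweep_stale(directory: str, max_age_seconds: float, now: Optional[float] = None) -> List[str]:
    """Remove regular files in directory older than max_age_seconds; return removed paths.

    Safety net for temp files that outlived their request (crash, kill, missed cleanup).
    """
    now = time.time() if now is None else now
    removed: List[str] = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if now - entry.stat(follow_symlinks=False).st_mtime > max_age_seconds:
                os.remove(entry.path)
                removed.append(entry.path)
    return removed


def demo_sweep() -> Tuple[int, int]:
    """Create one stale and one fresh file in a scratch dir, sweep, return (removed, remaining)."""
    with tempfile.TemporaryDirectory() as scratch:
        stale = os.path.join(scratch, "stale.tmp")
        fresh = os.path.join(scratch, "fresh.tmp")
        for p in (stale, fresh):
            with open(p, "wb") as fh:
                fh.write(b"constructed")
        old = time.time() - 7200
        os.utime(stale, (old, old))  # backdate the stale file by two hours
        removed = sweep_stale(scratch, max_age_seconds=3600)
        remaining = len(os.listdir(scratch))
    return len(removed), remaining
```

Running `process_upload` with a failing processor and then `cleanup_survives_failure()` is the check the paragraph asks for: the staged file must be gone on both the success and the failure path. The sweep runs on a timer from the temp directory the service actually uses, with a threshold longer than any legitimate request, so that whatever the application missed does not quietly become permanent.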

Maintenance: The way a business handles its systems and operations can play a pivotal role in Web-application security. Testing and evaluating applications for potential weaknesses whenever they have been changed or updated is particularly important. Even more crucial is keeping Web servers current with the latest vendor-issued security patches and updates. Finally, if you haven't already done so, implement and maintain a security culture that makes the protection of data and end users a top priority.

Web-based applications can be as safe as — or even safer than — their traditional counterparts. Wall-to-wall Web-application security simply requires a commitment to follow a relatively small set of best practices.
