Web security is the administration of protective measures for websites, web applications and web services, defending them against external attacks and against disruption caused by other users connected to the internet. These protective measures are applied to internet and web systems.
Protective measures applied to websites include checking data entered through forms for errors, and filtering out or concealing information by means of code run on the web server. SQL injection is also attempted by web users with only a basic knowledge of the internet. Written documentation provides further detail on websites; it helps to keep people with little knowledge of the internet from accessing web services, because they are the main source of threats to the internet (Sullivan, 2012). The source of the internet service, that is, the server environment, is also a significant consideration. Scripting languages tend to differ with the server environment: languages such as Ruby, Python, Perl and PHP are all in use, which hinders the consistent provision of web security. Where a contact form has been included in a website, a CAPTCHA field is incorporated to prevent automated form filling and mail spamming by computer programs.
Implementing web security means dealing with circumstances that undermine the protective measures applied by web developers. These circumstances interfere with the modifications, functions and reputation built up to ensure that web security is available. The most common threats are either software defects or configuration errors; they include design flaws, coding errors, access control misconfiguration and unnecessary services (Cross, 2007). Decisions made while designing a system (for example, an architectural-level error) may leave the system insecure. Inadequate code controls lead to a variety of errors. Software with default configurations is easier to install, so one may end up installing software that allows connections that are not appropriate. Improper configuration of the reference monitors in software is a mistake common among web developers, and it leaves the web service unsecured.
Threat modeling is an approach used to monitor, assess and analyze the threats most commonly encountered in web security. It aims to reduce security risk during design, development and operation, which in turn supports reliable decisions about the web application. Web applications are especially vulnerable because developers have little time to work on them, or even lack the resources for their development. They may also be built by people who have had no security training (Hope, 2009). A web application is secured by analyzing the threats to, and vulnerabilities in, its security-related functions. Threat modeling should begin when a web application is designed and continue throughout the application's life cycle.
When security is addressed by configuring web servers, database software and operating systems, a systematic approach is taken in which the various components each play a significant role in building security. The system performs input validation, which checks the integrity of the input and whether it originates from a valid user (Cross, 2007). The application is then modified so that it can authenticate users as well as authorize them to use the application. The application should run with the least privileges it needs and connect to the correct database. If the application handles sensitive data, it should use a suitable method to protect the confidentiality and integrity of data in transit and data at rest. The application should properly manage the error information it reports to its users, to avoid information leakage, and should use cryptography to protect the confidentiality and integrity of data and messages. Finally, the system should be organized so that it can keep records of the actions of different users.
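The input validation, SQL injection defence and error handling described above, as an added example that is not part of the original text. It assumes a constructed in-memory SQLite table of users and a hypothetical username rule (lowercase letters, digits and underscores); the vulnerable lookup is shown only beside its hardened form.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Hypothetical allow-list for the username field on the form (an assumption, not from the text).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(value):
    """Input validation at the form boundary: accept only the allowed shape, reject everything else."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_role_vulnerable(conn, name):
    """Defective form: form input is concatenated straight into the SQL text."""
    query = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_role_parameterized(conn, name):
    """Parameter binding alone: the input is passed as data, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


def lookup_role_safe(conn, name):
    """Hardened form: validate first, bind the value, and never leak SQL or stack details."""
    if not validate_username(name):
        # Generic message to the user; details belong in the server log, not the response.
        raise ValueError("invalid username")
    try:
        return lookup_role_parameterized(conn, name)
    except sqlite3.Error:
        # Error information reported to the user is kept generic to avoid information leakage.
        raise RuntimeError("lookup failed") from None
```

Running the three lookups on the same tautology-style input shows why the text insists on validation at the input boundary: the concatenated query returns every row, while the bound and validated versions do not.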
A scheme for protecting a network from attacks can be built by integrating SPI's WebInspect Enterprise Edition vulnerability testing software with NetContinuum's NC-1000 web security gateway. Vulnerability findings from WebInspect are read directly by the NC-1000 and converted into security policies and configuration changes that protect the vulnerable applications. This integration is valuable because it saves time and spares the administrator the effort of building those policies by hand. A firewall also protects the network from Denial of Service (DoS) attacks through packet filtering. By validating Simple Object Access Protocol (SOAP) messages in an external application gateway, the web service can identify every invalid message and reject it, while passing validated messages through. The system is therefore able to capture web attacks, giving the administrator the chance to prevent them.
Documented processes and procedures can be used to protect and recover a business's information technology during a disaster. They should cover the business's information technology, its assets and its facilities. Disaster and disaster-recovery plans should be based on preventive, detective and corrective measures: preventive measures stop a disaster from occurring, detective measures monitor any abnormal occurrence in the information technology infrastructure, and corrective measures include keeping crucial documents in the disaster recovery plan (Hope, 2009). The organization's management needs to be committed to developing the plan, and a planning committee should be formed to supervise its implementation. A risk assessment should also be carried out to identify all possible disasters. A data collection session is held, and all the recovery strategies needed for a full solution to the identified disasters are determined. These measures are made more effective by installing fire alarms, using up-to-date antivirus software, and installing server and network monitoring software. Routine inspection of devices is also recommended for disaster resolution, so that the server's devices are reported on daily. The disaster is then considered fully controlled, which reduces the risk to business activity.
Cross, M. (2007). Developer's guide to web application security. Rockland, MA: Syngress Publishing.
Hope, P., & Walther, B. (2009). Web security testing cookbook: Systematic techniques to find problems fast. Farnham: O'Reilly.
Sullivan, B., Liu, V., & Howard, M. (2012). Web application security: A beginner's guide. New York: McGraw-Hill.