The substance behind your URL, apart from being the banner of the enterprise's online presence, is your website itself, which is built from web technologies such as HTML (Hypertext Markup Language), CSS (Cascading Style Sheets) and JS (JavaScript), along with your written content and other visual assets.
If you have a tailored web application, which is essentially a more dynamic or interactive website built by a dedicated team of developers, you need to make sure to have security requirements that your developers can follow when designing it and writing the relevant code. Integrated platforms known as Content Management Systems (CMS) automate the building of a website through user interfaces that allow you to click and choose pre-designed, pre-coded parts of a website to implement your vision. You can easily create and publish web pages provided you have purchased a domain name and subscribed to a hosting service.
A website implemented with or without a CMS provider needs to be security assessed in the context of either approach: a site built from the ground up by a web developer coding directly in HTML, CSS and JS will have vulnerabilities inherent in its own code. A site built in a factory sense through a CMS will have an additional layer of vulnerabilities relating to the software of the CMS provider.
These assessments all attempt to identify website configuration and coding issues relating to the following: code injection, broken authentication, sensitive data exposure, XML External Entities (XXE), broken access control, security misconfigurations, Cross Site Scripting (XSS), insecure de-serialisation, use of components with known vulnerabilities, and insufficient logging and monitoring.
A long list of potential issues, indeed, but for the purposes of this part of our info-series we merely want to give you a sense of the breadth of risks. Crucially, there are very efficient tools for your administrators to test the code with which your website has been built, and they suit all budgets. If your website is more than a static site and has dynamic functions such as web applications, be sure to carry out a web application vulnerability scan or, better, a web application penetration test.
This concludes Part 3 of our info-series on email & website security. Next week, we bring you Part 4: Building your own website is easy, but do you routinely update the software?
We hope you enjoy reading our research, designed for professionals who are not IT experts but thirsty for knowledge about the everyday tools to operate a business – your email and website.