4 Ways To Secure Websites & Apps

Hacks and breaches have a huge negative impact on companies: loss of customer trust, financial losses, leaked user data, legal issues, and the list goes on. If you do a quick Google search on how to secure your website or application, you will get a lot of garbage. I was genuinely disappointed by the clickbait articles that did not explain anything useful. Most of them suggested that you take backups, use strong passwords, and make sure you use HTTPS. But backups don't secure your website; they only help you recover after the fact. HTTPS encrypts the communication between the browser and the server, but it doesn't secure the application itself: a vulnerable application is just as vulnerable over an encrypted connection. The only genuinely useful tip was to use strong passwords, but most attackers are not going to sit down and guess your password like you see in Hollywood movies. They rely on vulnerabilities and weaknesses within your application and exploit them to gain access regardless of what password you use.

So even with a very complex password, HTTPS, and backups, a lot of this is irrelevant. It also doesn't matter where the application is hosted, whether on AWS or any other cloud provider, and it doesn't matter how you deploy it, whether with Kubernetes or Docker. It's very simple: if you have a vulnerable web application, attackers will use those vulnerabilities to gain access to it.

Enough ranting; let's talk about how to actually secure websites and applications. Before we start, it is important to understand that achieving 100% security is impossible. All we are trying to do is improve the security of our applications and make them as secure as possible. With that said, the following four approaches will help you improve the security of your applications, regardless of what kind of applications they are, where they are hosted (AWS or anywhere else), and how they are deployed (Docker or otherwise).

1. Secure Code

The first thing you should do is make sure you are writing secure code, so that your application is built from the ground up to be secure and does not introduce bugs or vulnerabilities that attackers can exploit to gain access. This would be great if you could do it, but it is easier said than done: developers need to be educated in the methods attackers use to exploit systems and gain access. And even if you do that, developers rely heavily on third-party libraries, and the whole application might have been written by someone else. In that case you cannot guarantee secure code simply by writing carefully, because you are not the author of most of the code you are running.


2. Review The Code


Which brings me to the second point: review the code. This is valuable even if you wrote the application yourself and took care to write secure code. Getting the code reviewed by other developers or another team means that anything the original developers missed or overlooked can be caught at the review stage. If you are using code written by other developers or third-party libraries, a code review also addresses that gap, because you can review everything you depend on. The strength of this approach is that you are actually reviewing every single line and making sure nothing is vulnerable or would let an attacker exploit your application. The main disadvantage is that with a large code base this can be very time-consuming, and it can also be very expensive.


3. Get A Pentest 


The third approach, which in my opinion is essential, is getting a pen test done. In a pen test you hire a team of ethical hackers to try to hack your application. They approach it the same way black-hat hackers do: they gather as much information as possible, discover weaknesses and vulnerabilities, and see whether they can exploit them to gain access. When they are done, they give you a detailed report of everything they found, which you can pass to your developers so they can patch every vulnerability discovered. The main advantage of this method is that it covers attack surfaces you cannot test with the other methods, such as the servers running your web application and the weakest link, the employees. Ethical hackers can even use social engineering and chain it with simpler vulnerabilities they find on your system to see whether the combination gets them in.

The disadvantages are that it can be somewhat expensive and that it is not future-proof. If you get your application tested today by really good ethical hackers and patch every vulnerability they find, that only means your application is secure today. It doesn't guarantee it will remain secure next month or next year, because every change you make, every feature you push, even a display bug you fix, might introduce new bugs or security weaknesses that can be used to break into your application. The same applies to updating third-party software or plugins. A pen test cannot catch any of that, because it only tests the application as it exists today; future changes are not tested.

4. Run A Bug Bounty Program 

The fourth approach, which actually addresses this issue, is running a bug bounty program. A bug bounty program is an open invitation to ethical hackers around the world to test your application and submit their findings, and you only pay for valid reports. The main advantage, as you have probably guessed by now, is that your application is being tested by a large number of hackers, so the chances of vulnerabilities being found are higher. It is also future-proof: as long as your bug bounty listing is live, these hackers will keep testing your application, and you motivate them with bounties, which can be anything from a t-shirt to a monetary reward. So even if you are pushing new changes, adding features, or updating components, it doesn't matter, because hackers will continue to test the application hoping to find bugs and earn bounties. That is why large companies like Facebook and Google run bug bounty programs even though they also follow all of the other approaches: they want their systems to be as secure and as free of bugs as possible at all times.

The disadvantages are, first, that it is hard to guarantee that all attack surfaces are covered, and second, that most companies don't have the reach of Google and Facebook. They can't advertise their bug bounties as effectively, so they struggle to attract enough ethical hackers to test their application, and it is challenging for them to run the program and validate the submitted reports.

