Hacker attacks have become a very serious network problem. Many attackers can even get past SSL encryption and various firewalls to reach a website's internals and steal information. Using only a browser and a few techniques, an attacker can obtain a website's customer credit card data and other confidential information.
As firewalls and patch management have gradually become standard practice, network infrastructure should be more robust than ever. Unfortunately, as defenses improve, attackers improve even faster, and hackers have begun to attack websites directly. Analysts at the market research firm Gartner have pointed out that 70% of hacker attacks occur in applications. To improve the security of a website, you must first clear up five misconceptions.
First, "The website uses SSL encryption, so it is very safe"
SSL encryption alone cannot guarantee the security of a website. Enabling SSL means that the information the site sends and receives is encrypted, but SSL cannot guarantee the security of information stored on the website. Many websites use 128-bit SSL encryption and are still broken into by hackers. In addition, SSL cannot protect the private information of the website's visitors. That information is stored directly on the web server, where SSL does not protect it.
Second, "The website uses a firewall, so it is very safe"
A firewall filters access, but it still cannot stop many kinds of malicious behavior. Many online stores, auction sites and BBSs have a firewall and are still fragile. A firewall can use a "visitor list" to decide whom to let in. However, telling benign access from malicious access is the hard part. Once access has been allowed, the security issues that follow are no longer something the firewall can handle.
Third, "The vulnerability scanning tools did not find any problems, so it is very safe"
Since the early 1990s, vulnerability scanning tools have been widely used to find obvious network security vulnerabilities. However, such tools cannot examine the website application itself and cannot find flaws in its code.
A vulnerability scanner generates special requests, sends them to the website, and analyzes the responses it gets back. It checks those responses for signs of certain vulnerabilities and reports a security vulnerability as soon as it finds something suspicious. Current versions of these tools can generally find more than 90% of common security issues, but they are largely powerless when it comes to the website application.
Fourth, "Security problems in website applications are caused by programmers"
Programmers do cause some of the problems, but some problems are beyond their control.
For example, the application's source code may originally have come from elsewhere, outside the control of the company's in-house developers. Or the company may hire offshore developers to do custom development that is then integrated with the existing code, which can also introduce problems. Or some programmers take free code and modify it, which can also hide security issues. As an extreme example, two programmers may jointly develop a project: the code each of them writes has no problems and is very secure, yet integrating the two can still produce security vulnerabilities.
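The integration case described above, as an added example that is not part of the original article: two functions that each do what their author intended, and a vulnerability that exists only once they are combined. The file-name scenario, the function names and the `BASE` directory are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/public"  # constructed base directory (assumption)

def validate_name(name: str) -> bool:
    """Programmer A: reject traversal in the string exactly as received.
    Correct if the caller passes an already-decoded name."""
    return ".." not in name and not name.startswith("/")

def resolve(name: str) -> str:
    """Programmer B: percent-decode the name and map it under BASE.
    Correct if the caller validated the name in its decoded form."""
    return posixpath.normpath(posixpath.join(BASE, unquote(name)))

def integrated(name: str) -> str:
    """Integration as shipped: A's check runs on the raw string,
    B decodes afterwards, so the check never sees the real path."""
    if not validate_name(name):
        raise ValueError("rejected")
    return resolve(name)

def integrated_fixed(name: str) -> str:
    """Hardened integration: decode once, canonicalize, then verify
    that the final path is still inside BASE."""
    path = posixpath.normpath(posixpath.join(BASE, unquote(name)))
    if posixpath.commonpath([BASE, path]) != BASE:
        raise ValueError("rejected")
    return path

def stays_inside(path: str) -> bool:
    """True when a resolved path is still under BASE."""
    return posixpath.commonpath([BASE, path]) == BASE

if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one percent-encoded.
    for sample in ("docs/report.txt", "%2e%2e/%2e%2e/config/secret.txt"):
        shipped = integrated(sample)
        print(sample, "->", shipped, "inside BASE:", stays_inside(shipped))
        try:
            print("  fixed:", integrated_fixed(sample))
        except ValueError:
            print("  fixed: rejected")
```

A review of either function on its own would pass; the check that catches the problem is a test of the combined path against the final, canonical value.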
Realistically, software always has defects, and new ones turn up every day. Security vulnerabilities are just one kind among many. Better employee training can indeed improve code quality to a certain extent. However, anyone can make mistakes, and vulnerabilities are unavoidable. Some vulnerabilities are only discovered after many years.
Fifth, "We assess the security of our website every year, so it is very safe"
In general, the code of a website application changes very quickly. An annual security assessment of the website is certainly necessary, but the situation at the time of the assessment may be very different from the current situation. Any change to the website application can introduce hidden security problems.