Difference between revisions of "Web Site Security"

Revision as of 17:57, 17 July 2020

Full Title and Meme

This page is about the means to make sure that your web site is as secure as it can be.

For information about the user perspective see the wiki page User Trust of a Web Site.

Context

• There are a number of web platforms, more it seems every day.
• But there is also a large commonality, like the security protocol HTTPS which is well over 90% penetration of all sites, mostly due to Google's insistence.
• Nearly all of the web platforms run on Windows or Linux, typically hosted by one of the major providers, like Amazon or Microsoft, which have global reach.
• Cloud Flare and others provide security support at the edge, like protection from Denial of Service (DoS) attacks.
• Akamai and many other provider content delivery platforms.
• This page will focus on the parts that are typically under control of the web app architectural and development teams.

https://www.google.com/search?q=.net+filesystemaccessrule&rlz=1C5CHFA_enUS882US882&oq=net+FileSystemAccess&aqs=chrome.1.69i57j0l7.26191j1j7

https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

Problems

• After 20 years of web based attacks on users, security protection is still dependent on the education of users, who are known to be gullible. This is a 2018-12 report from the NSS^[1]

Education is a key component of protection against SEM [socially engineered malware] and phishing attacks. Users who are able to identify socially engineered attacks rely less on technology for protection against such attacks. NSS Labs recommends supplementing browser protection with user education to protect against attacks that bypass browser protections.

• Secure Web Sites using SSL (HTTPS:// scheme) still allow insecure content to be loaded. On 2017-10-27 it was estimated that 2.4% of sites downloaded secure content. On 2019-05-08 Chrome browser (currently version 74) was just announcing (on blink-dev) that they finally intend "to block insecurely-delivered downloads initiated from secure contexts if the download is for a high-risk file type", in spite of its appearance as section 4.6.5 of the current html spec. Which asserts: Warning! This algorithm is intended to mitigate security dangers involved in downloading files from untrusted sites, and user agents are strongly urged to follow it. It is unclear which version of Chrome might have this feature.

Solutions

These are proposed on 2019-05-08 for a future release:

• The Web Site exposes its name in a manner that allows the user to make a meaningful trust decision. See the page on Trusted Identifier and Web Site Identity for details.
• Most browsers come with a feature that will evaluate any file downloaded to a computer based on a set of constantly updated filters installed in the cloud.

References

Organizational Support

1. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
2. ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
3. ↑ NSSlabs, NSS Labs Announces Results of 2018 Web Browser Security Test. (2018-12-05) https://globenewswire.com/news-release/2018/12/05/1662619/0/en/NSS-Labs-Announces-Results-of-2018-Web-Browser-Security-Test.html