Advice for securing your site and your reputation

Is your company's Web site hacked? Today, it can be hard to tell. Online crooks who successfully break into a site often sneak in small bits of code that leave no visible trace but can attack visitors who simply view the page.

In fact, according to a Websense Security Labs report, online thugs who want to spread their viruses, Trojans and other malware are more likely to hack an existing site than to put up their own poisoned page. Of the malicious sites the company found in late 2004, more than half were hacked sites.

To find out how a company can protect its site and its good name from being hijacked, I talked with Jeremiah Grossman of WhiteHat Security at last week's RSA security conference here in San Francisco. Grossman has made a big name for himself over the last couple of years by getting the word out about common Javascript vulnerabilities in Web sites.

His company helps secure sites by scanning for exploitable holes, but the custom service for his mostly enterprise-level customers doesn't come cheap. So I asked him for tips and suggestions that can help protect all sites, big and small.  Here's what he said.

First, know where to look. Grossman says most exploitable vulnerabilities lie in the Web application layer, where custom code handles the communication between the Web server software and the database back-end. This makes sense, because a piece of Web software written by your own software developers isn't going to undergo the same security testing as say, the Apache Web server or an Oracle database (though said apps are subject to plenty of vulnerabilities themselves).

So Grossman says to make sure your developers are using current development tools, such as Ruby on Rails, and not old, outdated tools such as Classic ASP that can introduce holes.

Next, he suggests that you look into using a hosting provider instead of maintaining your own network and Web servers. Again, such companies don't provide guaranteed security, but they're more likely to keep systems up-to-date with security patches than a single, often-overworked systems administrator at a small company. I've worked as a sysadmin, and I know first hand how applying patches can often fall to the bottom of the to-do list when there are fires to fight.

If you only have a simple site with information on your company or your own professional services, you can find a number of free or inexpensive options for building and hosting your Web site, including a new beta offering from Grossman and cohorts at Roxer.com.

Finally, if you do host your own site (or want to double-check the security at your hosting provider), you should at a minimum use free tools or inexpensive services to check for known and commonly targeted holes in your network and servers. Grossman says the free Nessus security scanner I used to use years ago is still a good downloadable tool, and that Qualys (at qualys.com) offers an inexpensive vulnerability scanning service as well. Neither will find flaws in your own custom Web apps, but will help identify red flags like unpatched Web servers.

PC World is an InfoWorld affiliate.