How do I save my website from getting hacked?

blog + Website security Z. Oualid today

share close

Losing your website even for an hour is in many cases a disaster for companies, and I worked with many clients that were in such a situation, and trust me you don’t want to be there. Therefore, the main question here is how do I save my website from getting hacked?

Saving your website from getting hacked means, securing it from known and unknown attacks. Therefore, here is a list of what needs to be done to save your website from getting hacked:

  1. Making a Static code analysis
  2. Making a periodic dynamic code analysis
  3. Performing a periodic penetration test
  4. Keeping your server updated
  5. Installing a web application firewall
  6. Installing an antivirus
  7. Implementing a CDN
  8. Actively monitoring website security

In this blog post I am going to explain in detail why you should perform each action and how will giving some tools to perform those actions. Therefore, if you are interested just keep reading.

Making a Static code analysis

The first step in the process of securing a website starts at the development phase. A static code analysis needs to be performed at the moment the code is being developed. This step is very important to eliminate a large number of basic but dangerous vulnerabilities also known as pattern-based vulnerabilities.

This task can be performed by both a penetration test expert with a development background or using an automated tool. Both techniques have pros and cons and I personally recommend using them both.

For example, a penetration tester will be able to find logic business vulnerabilities and also pattern-based vulnerabilities, however, due to his code coverage he might miss a lot. While using an automated code reviewer will have a large code coverage and will detect a lot of basic vulnerabilities, but he will not be able to discover business logic vulnerabilities.

To be honest the most powerful tools in the market that perform this analysis are very expensive and only big companies are able to use them. However, some other tools can perform these tests with less effectiveness with a lot less money and will reduce dramatically the number of vulnerabilities in your source code.

Here is a list of the top Static analysis tools in the market:

Making a periodic dynamic application testing

Making a static code analysis is not enough, a lot of vulnerabilities could only be discovered when the application is up and running. For example, vulnerabilities related to the web configuration or the sessions management vulnerabilities type and more.

Therefore, performing a dynamic application security test is necessary to eliminate this type of vulnerabilities. This task is performed just after the application source code is fully built and the application is running in the test environment.

It is highly recommended to not perform this task in a production environment as this task is executed using an automated tool. Automated tools that perform dynamic security testing use what we call spiders to detect all applications inputs to inject them with pseudo-random data and send them back to the app. This technique could perform some critical actions on the app like creating weekly admin users or making transactions … etc.

Therefore, performing this task should be done in a test environment with no real data to avoid any alteration and to avoid disturbing the client.

The same list of tools will be presented down here as most of the previously listed tools perform both static and dynamic security tests so buying one of them gives you access to both testing techniques.

Performing a periodic penetration test

Static and dynamic security analysis are very important tasks, especially at the development phase. However, both techniques are still incapable of detecting some types of vulnerabilities like business logic ones. Therefore, performing a penetration test at least every 6 months will help you optimize the security of your website.

Penetration tests should always at least cover the top 10 OWASP vulnerabilities and should be performed by a certified penetration tester expert. At the end of this task, the penetration tester should give you a detailed report with all the needed elements to reproduce and fix the discovered vulnerabilities.

It is also necessary to perform another check once your team confirms that you have fixed all the vulnerabilities. This check will not cost you too much and here is Getsecureworld we offer them for free if the fixing period didn’t exceed 1 month.

Keeping your server updated

One of the reasons for the websites to be hacked is leaving the hosting server outdated. This situation always happens when the website is hosted in a VPS or a dedicated server where the server security is managed by the client and not the service provider.

Unfortunately, most malware uses these known vulnerabilities and exploits them to get into servers and encrypt their data. Therefore, performing regular updates to the server component is necessary to avoid any malware infection or getting hacked.

Obviously, performing the updates does not need any tool. However, if you want to keep your team knowledge database updated with the last discovered vulnerabilities you should think about buying a data feed.

Installing a web application firewall

In some cases, fixing a vulnerability is not usually easy to perform as the cost of fixing some of these vulnerabilities could exceed the allocated budget. Therefore, to reduce the risk of exploiting this vulnerability by a black hat hacker, a web application firewall (WAF) need to be implemented to detect and stop these attacks.

You should be very careful while configuring your WAF as a wrong configuration could lead to a useless system that does not block attacks.

However, having a WAF in place does not mean that you have protected your website as even those firewalls could be bypassed, and each time a new technique to bypass them is discovered. Therefore, fixing the vulnerabilities is still the best solution to correctly fixing your vulnerabilities.

Here is a list of the best WAF solutions in the market:

Installing an antivirus

To be honest, installing an antivirus is not always needed but doing it will add a very good layer of security to your website. Most of the time, this is only recommended when the website has the functionality to upload files to the server.

However, here is a list of the best Antivirus software in the market:

Implementing a CDN

One of the awesome security components you can add to your website is a CDN. A Content delivery network is not only necessary to accelerate your website loading but it is also needed to protect it from DDOS attacks.

Distributing the content of your website on multiple servers around the world will hide its root IP address and when a DDOS attack will happen only one of the servers will be impacted. This technique will drastically reduce the downtime risk if any DDOS attack happens.

Here is a list of some popular CDNs in the market:

Actively monitoring website security

One of the known cybersecurity experts once said, there is to type of companies, those who get hacked, and those who don’t yet know they get hacked. In the last years, the cybersecurity vision has totally changed and it goes from a strategy of preventing hacks to detect and respond to hacks.

All the discussed techniques in the previous parts of this blog post are necessary and will raise your website security level. However, this isn’t enough. For bigger and valuable websites I highly recommend putting in place a SOC or using an MSSP service.

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post
service room with wires in connectors



blog Z. Oualid

What are the tools used in SOC?

Security operation centers are becoming more and more important in the life of a company. As security experts said once, there are two types of companies, those who have been ...

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *