How do I save my website from getting hacked?

blog · Website security · Z. Oualid

Background

Losing your website even for an hour is in many cases a disaster for a company. I have worked with many clients who were in such a situation, and trust me, you don't want to be there. Therefore, the main question here is: how do I save my website from getting hacked?

Saving your website from getting hacked means securing it against both known and unknown attacks. Therefore, here is a list of what needs to be done to save your website from getting hacked:

  1. Making a static code analysis
  2. Making a periodic dynamic code analysis
  3. Performing a periodic penetration test
  4. Keeping your server updated
  5. Installing a web application firewall
  6. Installing an antivirus
  7. Implementing a CDN
  8. Actively monitoring website security

In this blog post I am going to explain in detail why you should perform each action, and I will also suggest some tools to perform those actions. Therefore, if you are interested, just keep reading.

Making a static code analysis

The first step in securing a website starts at the development phase: a static code analysis needs to be performed while the code is being written. This step is very important because it eliminates a large number of basic but dangerous vulnerabilities, also known as pattern-based vulnerabilities.

This task can be performed either by a penetration testing expert with a development background or by an automated tool. Both techniques have pros and cons, and I personally recommend using them both.

For example, a penetration tester will be able to find business logic vulnerabilities as well as pattern-based vulnerabilities; however, because a human reviewer cannot cover all of the code, they might miss a lot. An automated code reviewer, on the other hand, will have large code coverage and will detect a lot of basic vulnerabilities, but it will not be able to discover business logic vulnerabilities.

To be honest, the most powerful tools on the market that perform this analysis are very expensive, and only big companies are able to afford them. However, other tools can perform these tests, with less effectiveness but for a lot less money, and they will dramatically reduce the number of vulnerabilities in your source code.

Here is a list of the top static analysis tools on the market:
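As an added illustration (not code from the original post, and not the rule set of any product), the following Python script shows what a pattern-based static analysis does at its simplest: a handful of hypothetical regular-expression rules are run over a constructed source sample and every matching line is reported with the rule that fired. The rule identifiers, the patterns and the sample source are all made up for this example.

```python
import re
import sys

# Hypothetical pattern-based rules as (rule id, regex, description).
# Constructed for this example; they are not the rule set of any real tool.
RULES = [
    ("SQLI-001", re.compile(r'\.execute\(\s*(?:f["\']|["\'][^"\']*["\']\s*[%+])'),
     "SQL query built with string formatting or concatenation"),
    ("CMDI-001", re.compile(r'\bos\.(?:system|popen)\(.*[+%]'),
     "OS command built from a non-constant string"),
    ("CMDI-002", re.compile(r'\bsubprocess\.\w+\(.*shell\s*=\s*True'),
     "subprocess called with shell=True"),
    ("EVAL-001", re.compile(r'\b(?:eval|exec)\('),
     "dynamic evaluation of code"),
    ("SECRET-001", re.compile(r'(?i)(?:password|secret|api_key)\s*=\s*["\'][^"\']{6,}["\']'),
     "hard-coded credential"),
]

# Constructed sample source, as a developer might commit it (not from the original post).
SAMPLE_SOURCE = '''\
import os, sqlite3, subprocess
API_KEY = "sk_live_constructed_example_key"

def find_user(db, user_id):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    return cur.fetchone()

def find_user_safe(db, user_id):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()

def ping(host):
    return os.system("ping -c 1 " + host)

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)

def calc(expr):
    return eval(expr)
'''


def scan_source(source):
    """Return [(line_number, rule_id, description)] for every line that matches a rule."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, description in RULES:
            if pattern.search(line):
                findings.append((number, rule_id, description))
    return findings


def scan_file(path):
    """Scan a file on disk with the same rules."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_source(handle.read())


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample when none is given.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_SOURCE)
    for number, rule_id, description in results:
        print(f"line {number}: {rule_id} {description}")
```

Note that the parameterized query in find_user_safe produces no finding while the concatenated one in find_user does: that is exactly the kind of pattern a tool catches with full coverage, and exactly the kind of check that says nothing about whether the business logic around the query is right.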

Making a periodic dynamic application security test

Making a static code analysis is not enough: a lot of vulnerabilities can only be discovered when the application is up and running, for example vulnerabilities related to the web server configuration or to session management.

Therefore, performing a dynamic application security test is necessary to eliminate this type of vulnerability. This task is performed just after the application source code is fully built and the application is running in the test environment.

It is highly recommended not to perform this task in a production environment, as it is executed using an automated tool. Automated tools that perform dynamic security testing use what we call spiders to detect all of the application's inputs, inject them with pseudo-random data and send them back to the app. This technique could trigger critical actions in the app, like creating admin users or making transactions, etc.

Therefore, this task should be done in a test environment with no real data, to avoid any alteration of data and to avoid disturbing the client.

The same list of tools applies here, as most of the previously listed tools perform both static and dynamic security tests, so buying one of them gives you access to both testing techniques.
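To show the kind of session management problem that only a running application exposes, here is an added Python example (not from the original post or from any tool it refers to) that audits the Set-Cookie headers a test instance returns. The baseline it enforces (Secure, HttpOnly and a SameSite value other than None on session cookies) and the session cookie names it looks for are this example's own assumptions; the response headers are constructed.

```python
import urllib.request


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (cookie name, {attribute name lower-cased: value})."""
    parts = [part.strip() for part in header_value.split(";") if part.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attributes = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip() if value else True
    return name, attributes


def check_set_cookie(header_value):
    """Return (cookie name, list of missing protections) for one Set-Cookie header."""
    name, attributes = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attributes:
        missing.append("Secure")      # cookie may be sent over plain HTTP
    if "httponly" not in attributes:
        missing.append("HttpOnly")    # cookie readable by injected script
    same_site = attributes.get("samesite")
    if same_site is None or same_site is True or same_site.lower() == "none":
        missing.append("SameSite")    # browser offers no cross-site request protection
    return name, missing


# Assumed names of session cookies; adjust to the framework actually in use.
SESSION_COOKIES = ("sessionid", "PHPSESSID", "JSESSIONID")


def audit_headers(headers, session_cookie_names=SESSION_COOKIES):
    """Audit every Set-Cookie header of a response; report session cookies lacking protections."""
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, missing = check_set_cookie(header_value)
        if name in session_cookie_names and missing:
            findings[name] = missing
    return findings


def audit_url(url):
    """Fetch a page from the test environment and audit its cookies."""
    with urllib.request.urlopen(url) as response:
        return audit_headers(response.getheaders())


# Constructed response headers, as a running test instance might return them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0nstructed; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "PHPSESSID=c0nstructed2; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The theme cookie is ignored on purpose: the check only matters for cookies that carry a session, which is why the list of session cookie names has to match the application under test.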

Performing a periodic penetration test

Static and dynamic security analysis are very important tasks, especially during the development phase. However, both techniques are still incapable of detecting some types of vulnerabilities, like business logic ones. Therefore, performing a penetration test at least every 6 months will help you optimize the security of your website.

Penetration tests should always cover at least the OWASP Top 10 vulnerabilities and should be performed by a certified penetration testing expert. At the end of this task, the penetration tester should give you a detailed report with all the elements needed to reproduce and fix the discovered vulnerabilities.

It is also necessary to perform another check once your team confirms that all the vulnerabilities have been fixed. This check will not cost you much, and here at Getsecureworld we offer it for free if the fixing period did not exceed 1 month.

Keeping your server updated

One of the reasons websites get hacked is leaving the hosting server outdated. This situation usually happens when the website is hosted on a VPS or a dedicated server, where server security is managed by the client and not by the service provider.

Unfortunately, most malware uses known vulnerabilities in outdated server components and exploits them to get into servers and encrypt their data. Therefore, performing regular updates of the server components is necessary to avoid any malware infection or getting hacked.

Obviously, performing the updates does not need any tool. However, if you want to keep your team's knowledge base updated with the latest discovered vulnerabilities, you should think about buying a vulnerability data feed.

Installing a web application firewall

In some cases, fixing a vulnerability is not easy, as the cost of fixing it could exceed the allocated budget. Therefore, to reduce the risk of this vulnerability being exploited by a black hat hacker, a web application firewall (WAF) needs to be put in place to detect and stop these attacks.

You should be very careful while configuring your WAF, as a wrong configuration could lead to a useless system that does not block attacks.

However, having a WAF in place does not mean that your website is protected, as even those firewalls can be bypassed, and new bypass techniques are discovered all the time. Therefore, fixing the vulnerabilities themselves is still the best solution.

Here is a list of the best WAF solutions on the market:

Installing an antivirus

To be honest, installing an antivirus is not always needed, but doing it will add a very good layer of security to your website. Most of the time, this is only recommended when the website has the functionality to upload files to the server.

Here is a list of the best antivirus software on the market:
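Since the antivirus only becomes relevant when users can upload files, here is an added Python example (not from the original post or from any product) of the validation an upload handler should do before and alongside the scanner: size limit, content type identified from leading bytes rather than from the user-supplied name, extension forced to match the detected content, a scanner hook, and a random storage name. The magic-byte table, the size limit and the stand-in scanner (which flags a constructed marker string instead of calling a real engine) are assumptions of this example.

```python
import uuid

# Allowed content types, identified by leading bytes, with the extensions accepted for each.
# Constructed for this example; extend it to whatever the site actually needs.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", {"png"}),
    b"\xff\xd8\xff": ("image/jpeg", {"jpg", "jpeg"}),
    b"%PDF-": ("application/pdf", {"pdf"}),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload limit

# Constructed marker standing in for whatever a real antivirus engine would detect.
DEMO_MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-CONTENT-MARKER"


def sniff_content(data):
    """Identify the content type from its leading bytes; returns (mime, allowed extensions)."""
    for magic, (mime, extensions) in MAGIC.items():
        if data.startswith(magic):
            return mime, extensions
    return None, set()


def demo_scanner(data):
    """Stand-in for the antivirus call; returns True when the content is considered clean."""
    return DEMO_MALICIOUS_MARKER not in data


def validate_upload(filename, data, scanner=demo_scanner):
    """Return (accepted, reason) for an uploaded file; the name is never trusted on its own."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    mime, extensions = sniff_content(data)
    if mime is None:
        return False, "content type not allowed"
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if extension not in extensions:
        return False, "extension does not match content"
    if scanner is not None and not scanner(data):
        return False, "rejected by scanner"
    return True, "ok"


def storage_name(data):
    """Random name for an accepted file, with the extension implied by its detected content."""
    _, extensions = sniff_content(data)
    return f"{uuid.uuid4().hex}.{sorted(extensions)[0]}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG-like payload
    print(validate_upload("photo.png", png), storage_name(png))
    print(validate_upload("page.php", b"<?php echo 1; ?>"))
```

Keeping the original file name out of the storage path and deriving the extension from the detected content removes the two classic upload mistakes (a script saved under a harmless-looking name, or a harmless file saved under an executable extension) independently of what the scanner finds.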

Implementing a CDN

One of the great security components you can add to your website is a CDN. A content delivery network is not only useful to accelerate your website's loading; it is also needed to protect it from DDoS attacks.

Distributing the content of your website across multiple servers around the world hides its origin IP address, and when a DDoS attack happens, only one of the servers will be impacted. This technique drastically reduces the downtime risk if a DDoS attack happens.

Here is a list of some popular CDNs on the market:
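Hiding the origin IP address only helps if the origin refuses traffic that does not come through the CDN; otherwise anyone who learns the address can still hit the server directly. Here is an added Python example (not from the original post or from any CDN vendor) of the check an origin can apply as a fallback to its network firewall: accept a request only if the client address is within the CDN's published ranges and the request carries a shared secret header that the CDN was configured to add. The address ranges, the header name and the secret are placeholders constructed for this example.

```python
import hmac
import ipaddress

# Placeholder ranges standing in for the CDN provider's published address list (constructed).
CDN_RANGES = [ipaddress.ip_network(cidr) for cidr in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:100::/48")]

# Hypothetical shared secret the CDN is configured to add to every request it forwards to the origin.
ORIGIN_SECRET_HEADER = "X-Origin-Secret"
ORIGIN_SECRET = "constructed-origin-secret"


def is_cdn_address(remote_ip):
    """True when the client address falls inside one of the CDN ranges."""
    try:
        address = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(address in network for network in CDN_RANGES)


def should_serve(remote_ip, headers, expected_secret=ORIGIN_SECRET):
    """Decide whether the origin serves a request: only via the CDN, and only with the shared secret."""
    if not is_cdn_address(remote_ip):
        return False, "request did not come through the CDN"
    presented = headers.get(ORIGIN_SECRET_HEADER, "")
    # Constant-time comparison so the check itself leaks nothing about the secret.
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return False, "missing or wrong origin secret"
    return True, "ok"


if __name__ == "__main__":
    good = {ORIGIN_SECRET_HEADER: ORIGIN_SECRET}
    print(should_serve("198.51.100.7", good))
    print(should_serve("192.0.2.5", good))   # direct hit on the origin, bypassing the CDN
```

The address check alone is not enough on a shared CDN, because other customers' traffic leaves the same ranges; the secret header ties the request to this site's CDN configuration. Both checks should sit behind, not instead of, a network-level rule that drops non-CDN traffic before it reaches the web server.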

Actively monitoring website security

A well-known cybersecurity expert once said that there are two types of companies: those who have been hacked, and those who don't yet know they have been hacked. In recent years, the cybersecurity vision has totally changed, moving from a strategy of preventing hacks to one of detecting and responding to hacks.

All the techniques discussed in the previous parts of this blog post are necessary and will raise your website's security level. However, this isn't enough. For bigger and more valuable websites, I highly recommend putting a SOC in place or using an MSSP service.
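To make "detect and respond" concrete at the smallest scale, here is an added Python example (not from the original post, and not the logic of any SOC product) of one detection a monitoring setup would run over the web server's access log: repeated failed logins from the same address within a short window. The log lines are constructed in common log format; the path, threshold and window are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: client address, two ignored fields, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access log: one address fails repeatedly, another fails twice and then succeeds.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:55:22 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:30 +0000] "GET /admin HTTP/1.1" 200 1024
"""


def detect_login_bursts(lines, path="/login", threshold=5, window=timedelta(minutes=1)):
    """Return [(ip, time, failures_in_window)] for each address that reaches the threshold.

    A sliding window of failed POSTs to the login path is kept per address; an alert is
    raised the first time the window holds at least `threshold` failures.
    """
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line; a real pipeline would count these too
        if match["method"] != "POST" or match["path"] != path or match["status"] not in ("401", "403"):
            continue
        when = datetime.strptime(match["ts"], TS_FMT)
        recent = failures[match["ip"]]
        recent.append(when)
        while recent and when - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= threshold and match["ip"] not in alerted:
            alerted.add(match["ip"])
            alerts.append((match["ip"], when, len(recent)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_login_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when.isoformat()} {ip}: {count} failed logins within the window")
```

The alert fires on the fifth failure from 203.0.113.9 at 13:55:22, before the later request to /admin; that ordering is the whole point of monitoring, since the response (blocking the address, forcing a password reset, checking whether the later request succeeded) can only start once something has noticed.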

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

