Speaking – Beyond The Norm: Building Secure Websites
Posted on May 22nd, 2009 in Blog, Events, Security
Last week, I was invited to speak at the Twin Cities Web Design and Standards group. The topic was how to build secure websites so I tailored the content for website designers and programmers who run up against objections from their clients when the topic of security is brought up.
Norm Coleman’s website problems started long before I found his unprotected database. The programmer who designed the site did something that made my stomach turn: he stored the full credit card numbers, along with the expiration date and the 3-digit code from the back of the card, in the database. The programmer had created a custom CMS (Content Management System) for the Norm Coleman Campaign. I suspect that at some time during the planning phase or development, he was asked to store the credit card numbers for “convenience”. This was what did Norm in.
Often, people see website security as something that can be taken care of “later”, after the shiny new site is launched. Things like PCI security compliance seem complicated and unnecessary. I’ve heard clients say, “I doubt anyone is going to try and hack our site or our network”. Visa and Mastercard require that any company doing credit card transactions agree to take certain steps to keep that data safe; that’s known as PCI (Payment Card Industry) or CISP (Cardholder Information Security Program).
I spent time talking about common website attacks hackers use and how to educate your clients. One of the hardest things in the technology world is getting “buy in” from the people who will actually use the stuff! Maybe it’s human nature to resist change.
Below you will find the list of the 12 things businesses are expected to do if they accept credit cards. From an IT person’s perspective, they seem very ordinary and essential: things you would just do because you are in charge of a network. I see that there is often a disconnect between a company’s technical staff and the website development/programmer folks.
| PCI Data Security Standards | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored data |
| | 4. Encrypt transmission of cardholder data and sensitive information across public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
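Requirement 3 is the one the Coleman site’s custom CMS broke by writing full card numbers and the 3-digit code into the database. As an added illustration (my own example, not code from that site or any CMS), here is a small Python module that keeps only the fields an application may hold, refuses a verification code outright, and audits existing rows for full card numbers that should not be there. The token key, field names and sample rows are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo key for the PAN token; a real deployment keeps this in an HSM/KMS, never in code.
TOKEN_KEY = b"constructed-demo-key-not-for-production"
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")  # 13-19 digits, optional spaces/dashes
FORBIDDEN = {"cvv", "cvc", "cvv2", "cid", "security_code"}  # verification-code field names


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: True for any syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def prepare_for_storage(pan: str, exp_month: int, exp_year: int, **extra) -> dict:
    """Reduce raw checkout input to the only card fields the database may hold.
    The verification code must never reach persistence (PCI forbids storing it even
    encrypted), and the full PAN is replaced by a keyed hash so repeat donors can still
    be matched without the number itself ever being written down."""
    if FORBIDDEN & {k.lower() for k in extra}:
        raise ValueError("card verification code must not be persisted")
    if extra:
        raise ValueError("unexpected card fields: %s" % sorted(extra))
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "last4": digits[-4:], "exp_month": exp_month, "exp_year": exp_year}


def find_stored_pans(rows: list) -> list:
    """Audit helper: (row index, last4) for every text field holding a Luhn-valid
    13-19 digit run, i.e. a full card number sitting where it should not be."""
    hits = []
    for i, row in enumerate(rows):
        for value in (v for v in row.values() if isinstance(v, str)):
            for m in PAN_RE.finditer(value):
                cand = re.sub(r"[ -]", "", m.group())
                if luhn_ok(cand):
                    hits.append((i, cand[-4:]))
    return hits


# Constructed sample rows resembling what a home-grown CMS might have written.
SAMPLE_ROWS = [
    {"id": 1, "notes": "donor paid with 4111-1111-1111-1111 exp 12/30 cvv 123"},
    {"id": 2, "notes": "donor paid by check"},
    {"id": 3, "notes": "order ref 1234567890123"},  # 13 digits but fails Luhn, so not flagged
]
```

Running `find_stored_pans` against a dump of the real tables is the quick way to find out whether a site already has this problem before a stranger does.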
Photo Credit: Locks by Leonid Mamchenkov
