Secure Web Designs: Finding a Compromise for the Good of the User
Solid web design and security go hand-in-hand. Putting together a flashy looking website that has all the latest features and cross-platform, cross-browser compatibility is great. But if it’s not secure from external attacks then it’s useless. The aim of any website is to attract visitors and offer them some sort of value. However, if a site proves itself to be unfit for purpose and a threat to a user’s personal information, it won’t attract visitors or make any money for its owner. Indeed, the Yahoo! security breach may have put the company’s $4.83 billion buyout by Verizon in jeopardy.
Now, as important as the relationship between web development and security is, it’s not always easy to coordinate the two. On one side of the development equation, designers want the slickest looking site possible with the minimal amount of fuss. On the other, cyber security practitioners want to make sure that nobody can break in.
Trying to Satisfy Polar Opposites
Ensuring every security provision is in place and every piece of code is clean and ready to be reviewed can add weight to a site. Any site that’s bloated by additional features is slower and less ergonomic, which is why designers will trim everything as much as possible.
On the other side of the coin, security experts want to ensure every entry point, window and crack is sealed tight and impervious to the malicious elements of the internet. In practice, this often results in a site or application being slightly less streamlined than some would like. But the end goal for any security expert is protecting the user.
These conflicting goals often result in crossed words and crossed wires, but it’s important that everyone is on the same page throughout the design process. One way to ensure this happens is to outline the security risks before the designers start. According to a 2015 survey of 600 custom-built sites, many developers are still failing to eliminate the most commonly exploited vulnerabilities in their code.
Careless Code Can Cost (Virtual) Lives
Source code security plugin (CC BY-SA 2.0) by christiaan_008
Leaving glaring holes in the foundation raises a number of issues. Indeed, web application security, as defined by Incapsula, is the process of protecting a website from “security threat that exploits vulnerabilities in an application’s code.” Common threats such as SQL injections, cross-site scripting, and remote file inclusion can all become a problem if a developer doesn’t take the appropriate web application security measures.
By setting up a dialogue between designers and security experts in the first instance, website owners can work to ensure the code is without fault. However, what if you’re already past that stage and have found your site is particularly susceptible to SQL injections? As highlighted by the Ponemon Institute, SQL injections were the most common security threat in 2015 thanks to 4 out of 5 application portfolios being vulnerable.
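The kind of coding fault the article is talking about, shown as an added example that is not part of the original post: a user lookup built by string concatenation beside the same lookup with bound parameters, both run against a constructed in-memory SQLite table (the table, names and addresses are made up for the example).

```python
import sqlite3

# Constructed sample data: a throwaway in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

def find_emails_vulnerable(conn, username):
    # The input is pasted into the SQL text, so a quote inside it
    # becomes part of the query instead of part of the value.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))

def find_emails_parameterized(conn, username):
    # The driver binds the value separately; it is never parsed as SQL,
    # so the query always means "rows whose username equals this string".
    sql = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))

def compare(username):
    """Run both versions on one input and return (vulnerable, safe).
    'error' means the concatenated query did not even parse."""
    conn = make_db()
    try:
        vulnerable = find_emails_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vulnerable = "error"
    safe = find_emails_parameterized(conn, username)
    return vulnerable, safe

if __name__ == "__main__":
    # A normal name, a name with an apostrophe, and a stray quote
    # followed by SQL: only the first behaves the same in both versions.
    for name in ["alice", "O'Brien", "' OR '1'='1"]:
        print(repr(name), "->", compare(name))
```

The apostrophe case matters as much as the injection case: a legitimate surname breaks the concatenated query outright, while the parameterized one simply returns no match.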
A Way to Stay Secure and Sexy
In situations where the code can’t be easily changed, Web Application Firewalls (WAFs) are advisable. Capable of filtering traffic coming into a web application, WAFs are a viable solution for many website owners because, according to Incapsula, deploying them “doesn’t require making any changes to an application.” By sitting at the edge of a network, a WAF can act as a gateway and filter out (i.e. block) any threats before they get a chance to enter the application and exploit the vulnerable code.
Utilizing this solution is certainly a way to find a compromise between designers and security advisors. Although the best solution would be to ensure a secure design in the first place, retrofitting a WAF would allow designers to make their site look great. Simultaneously, the security team would be happy because any malicious traffic would be stopped on site.
Designers and security experts are always going to clash when it comes to the construction of a site. Fortunately, even if you can’t get them to agree, there is a way to ensure a site is protected from the security threats out there today.