For a long time the Web was composed primarily of static websites that were maintained by laborious manual methods. Websites made up of large numbers of pages were painful to manage, and updates were slow to take effect. Human error was more common back then, and the equipment used to create, transmit, store and display content was relatively poor compared to today, even allowing for the era. The evolution of database technologies created many opportunities, and from it came the discipline of Web and Database Programming. From this arose the demand for Network Security as it relates to data flow and storage.
Web and Database Programming is more than simple data storage and web retrieval. There is truly an art to how data is received and managed, beyond the simple scope of storage and retrieval. A web and database programmer is responsible for much more than lukewarm data flows. In many cases, the web and database programmer is one of the most critical components of eCommerce web site development and of the success of an eCommerce business on the Web.
The web and database programmer must understand more components of design than other web developers. For a PHP Programmer and Database Programmer, Network Security becomes a vital factor in securing data flow and securing the database that stores important information. Encrypting data flow using SSL (Secure Socket Layer) Certificates is a minor task and still does not create an entirely safe environment for web and database data flow. Packet inspection and the IDS (Intrusion Detection System) are important even when SSL is enabled. Web databases can be vulnerable no matter where they reside, and controlling access is key to data loss prevention. Routine web log inspection and system updates/upgrades must be treated as important ongoing maintenance by the web and database programmer, or an appropriate assignee.
SSL is simply a method of encrypting information to prevent prying eyes from seeing the data in transit between the user’s web browser and the web and database servers. It normally creates a connection between the user’s browser and the server managing the data encryption. This can sometimes create a false sense of security for the user. A Man In The Middle Attack consists of someone between the user’s browser and the web and database server who can watch the data in transit. Using a variety of easily available programs, he can create a secure connection between his machine and the web and database servers, separate from a second secure connection between his machine and the user’s browser. Although the user effectively gains a secure connection between his browser and the web and database servers, the man in the middle can see all the data flowing without any encryption. This data flow can be stored for analysis, or can often be analyzed against set criteria on the fly. The user’s browser should raise an alert indicating that the secure connection was not established by the same domain as the original request made by the browser. Unfortunately, most users are numb to alerts and assume it’s simply telling them they are making a generic secure connection, and approve it.
An IDS (Intrusion Detection System) can be located on the web and/or database servers as a software firewall system, or on a separate hardware firewall component between the web and/or database servers and the Internet. As an Intrusion “Detection” System, an IDS is designed to inspect data packets (the chunks of data flowing to and from the servers). IDS operate on predefined patterns of data, which they look for as the data flows by. If an IDS sees a pattern match in the data, it can be configured to respond in a number of ways. Generic responses are to either allow the data to pass or reject the connection. IDS responses are not always so black and white, and the Network Security Admin must maintain the IDS definitions and updates regularly, or the IDS will become stale and ineffective at protecting the machines behind it.
An IDS that runs on the server itself is not as safe as a separate hardware IDS placed between the servers and the Internet. However, when SSL is employed and managed by the web and database servers behind the IDS, a “vulnerability” is created. Since the server handles the encryption and decryption of the data being exchanged, the IDS is rendered ineffective: it cannot read the actual data and is likely to allow all encrypted data to pass, since it does not match any illegal data patterns. Two simple solutions are available to resolve this IDS blind spot. A server between the IDS and the Internet can be employed simply to encrypt and decrypt data, so the IDS always sees decrypted data and can match patterns effectively. Alternatively, the IDS can reside on a server or hardware firewall that does both packet inspection and data encryption/decryption. Symantec IDS/SSL firewall devices are available from companies like Emagined Security.
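The two preceding paragraphs describe signature-based inspection and why an IDS placed in front of the SSL terminator cannot match anything. The script below is an added example, not code from the article: the rules, sample requests and key are constructed, and xor_stream() is an offline stand-in for TLS record encryption, not real TLS.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote_to_bytes

# Constructed sample signatures: pattern over the decoded payload -> action.
RULES = [
    (re.compile(rb"(?i)union\s+select"), "reject"),  # SQL injection probe
    (re.compile(rb"\.\./\.\./"), "reject"),           # path traversal probe
    (re.compile(rb"(?i)<script"), "reject"),          # script tag in a request
]

def inspect(payload: bytes) -> str:
    """Signature matching as described in the text: URL-decode the payload,
    return 'reject' on the first matching rule, otherwise 'allow'."""
    decoded = unquote_to_bytes(payload)
    for pattern, action in RULES:
        if pattern.search(decoded):
            return action
    return "allow"

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for TLS record encryption (NOT real TLS): an HMAC-SHA256
    counter keystream XORed into the data. Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def ids_verdicts(requests, key: bytes, behind_decryption: bool):
    """The two placements from the text: an IDS in front of the TLS
    terminator sees only ciphertext; one behind it sees plaintext."""
    verdicts = []
    for req in requests:
        on_wire = xor_stream(key, req)
        seen = xor_stream(key, on_wire) if behind_decryption else on_wire
        verdicts.append(inspect(seen))
    return verdicts

# Constructed sample requests: one benign, one SQL injection probe.
SAMPLE = [
    b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /products?id=1%20UNION%20SELECT%20user,pass HTTP/1.1\r\n\r\n",
]
KEY = b"constructed-session-key"  # placeholder, not a real key
if __name__ == "__main__":
    print("IDS in front of decryption:", ids_verdicts(SAMPLE, KEY, False))
    print("IDS behind decryption:     ", ids_verdicts(SAMPLE, KEY, True))
```

The in-front placement returns "allow" for both requests because the probe is indistinguishable from the benign request once encrypted; only the behind-decryption placement rejects it.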
Web and Database Programmers must have a solid understanding of Network Security to be effective PHP programmers or Database Programmers. If the PHP Programmers or Database Programmers don’t understand the way data flows and how encryption works, they can easily build vulnerabilities into their code. A novice web programmer lacks the understanding, perhaps the entire concept, of network security and assumes that encryption is a totally separate issue that “someone else is responsible for.” Web and database programmers must understand that the vast majority of network security problems arise from web-driven content through port 80 (the doorway through which unencrypted web traffic typically flows) and port 445 (the typical port for encrypted traffic). Some of the best network security measures can be rendered useless when a poor web and database programmer creates security vulnerabilities in their code. It’s like having a ship that is designed not to sink, while the engineer has a gun and shoots holes in the hull while everyone else is asleep.
Data loss prevention is mission critical for most eCommerce web sites and eCommerce businesses. You must secure your data flow from prying eyes with carefully applied encryption, prevent attacks upon your servers using IDS at strategic locations, employ measures to secure and protect your web and database servers, and make sure your web and database programmers have a solid understanding of how network security works. This is not a comprehensive list of measures and tactics to protect your eCommerce web site or Online business, as there is much more that must be considered, all of which the web and database programmer must understand thoroughly.
One of the most overlooked and seemingly less important measures of security is data backup. Routine scheduled data backups must be performed on every data repository. If your web and database servers back up every 12 hours, you will never lose more than 12 hours of data and can resurrect a corrupted or attacked system. A typical network security admin will not take on responsibility for data backups, nor will a typical web programmer. This task is often left quietly to the business owners or managers. In fact, the responsibility for secure data backup management should be in the job description of the web and database programmer, since he is the person responsible for data flow. Back-end network administration plays an important role when remote data storage devices are used. Other factors of network security come into play when global connections are used to back up data to off-site locations.
As important as data backup is the process of data restoration. Performing the data backup is great, since you have the data at hand should your web and database servers become compromised. However, the process of restoring that data onto the same server, or perhaps onto new replacement servers, is just as important. Your web and database programmers must have protocols in place before a crisis to repair the web and database servers, replace the web and database servers, and restore both the web and database programming and the data that had been stored. Even detailed plans go astray, so prove the protocols by performing real tests that show they work and how long they take.
When web and database programming contains security vulnerabilities, it’s often just a matter of time before they are discovered and exploited. A negligent web and database programmer will be unaware of the exploitation until the business crashes or some other event reaches him. In many cases, web and database programmers are treated by eCommerce business owners as a “quick fix” and then discarded. A web and database programmer should always be available to jump into security and exploit situations to make immediate repairs. Finding a new web and database programmer means spending time and money on coming up to speed on the previous web and database programmer’s work before making repairs. Without sufficient up-to-speed time, the new web and database programmer is more likely to break a remote component of the code while fixing a local one. Inexperienced web programmers are a dangerous liability for eCommerce web development. It is their responsibility to thoroughly understand network security in order to protect your business.
Network Security is an ongoing pursuit, since the malicious users in the world continue to develop new tools. What was once not a vulnerability might become one with enough time. Operating system vulnerabilities (MS IIS) aside, and barring ignorance on the part of the web developer, web and database programmers are responsible for securing your eCommerce web site, and for continuing to protect, upgrade and fix it. Retain your web and database programmer for ongoing maintenance and upgrades. Don’t lose your web and database programmer’s contact information, in case you need him to return to make repairs after attacks and to help prevent them.