In the world of information security, small businesses and the security needs of small businesses are often overlooked, particularly in the realm of application security. When looking at the investment required to build a robust application security program, it really doesn’t make sense financially. For example, an “enterprise” scanning tool, combined with the required hosting infrastructure, salary for a security specialist, and for the sake of argument, tack on static analysis, the total cost will easily exceed $120,000/year which is decidedly cost prohibitive for a lot of smaller companies. This presents a significant problem due to the fact that as an attacker, well, hacking the little guys is easy. Simply put, when it comes to handling attacks and incidents, small companies are at a significant disadvantage as they frequently lack a dedicated security team, let alone one security specialist. So what’s the best way to maintain a secure infrastructure without breaking the bank?
Minimize Your Attack Surface
As companies grow, scaling up becomes a big challenge from a lot of different angles. With regard to technology, scaling can loosely be thought of enhancing your infrastructure and technologies to provide a wider service offering that is efficient and reliable. Based on this definition, scaling technology and services means adding more “stuff” to the mix. So what does this mean for you? Security scales inversely, which is to say that as your infrastructure grows, your attack surface increases, which presents more security risks. That is how insecurity scales.
So, as your capabilities expand, look at the technologies that power your business and make every effort to ensure that when it comes to exposing assets, applications, and functionality, the only things exposed are those which are required to deliver your service. Always ask yourself, does this need to be online? What happens if it gets hacked? How can we keep it from getting hacked?
Understand the Power of Patching
We’re all familiar with the expression, “the best offense is a strong defense,” and while that could be debated, assume it’s true if you’re a small business. As a small business, you lack the ability to defend yourself in comparison to larger companies (and even the big guys frequently fail at security), however, big companies have slow wheels and a monstrous attack surface, which means you can use your small size to your advantage to patch frequently and quickly. With a smaller infrastructure, changes can be made and patches can be applied much more rapidly, but one problem can be keeping track of relevant security issues. To address this issue, I strongly recommend creating a security@ e-mail address, identify the components your platform relies on, such as Apache, MySQL, PHP, Drupal, Oracle, etc., and subscribe this e-mail address to the security and update feeds for the appropriate software. Once security advisories and updates are available, evaluate their relevance to your system(s) and patch immediately.
Take Advantage of Free Tools
Security tools are very special purpose, but that shouldn’t prevent your team from trying to use them to some degree. Two excellent and free tools for web application scanning at Arachni and W3AF. The tools themselves provide capabilities that are targeted for application specialists, however the scanning functionality can be tremendously valuable when helping your team scan a site or application for the same low-hanging fruit that attackers and bots often scan for, such as SQL injection and Cross-Site Scripting. Even if you do not have a security expert on hand, I strongly recommend downloading and installing either W3AF or Arachni, taking an hour to get familiar with the tool, and getting in the habit of scanning your application between releases in an effort to ensure that easily identified vulnerabilities do not go unnoticed.
Have a Plan
The unfortunate truth is that one day, hopefully very far down the road, you will have a security incident on your hands. The severity of the breach can vary depending on the attacker’s motivations, but things like data loss, destruction, and corruption come to mind. For this reason, it’s imperative that you have secure off-site backups. In addition to having secure off-site backups, take the time to verify the integrity of the data routinely so that if and when it’s time to restore from backup, the data is actually usable. On an additional note, when I say “secure off-side,” what I mean is make sure that access to those backups is one way, i.e. nobody can log in to your web server(s), read the SSH key/password from a backup script, and then log in to the backup server and wreck your data.
Lastly, and if you can afford it, I strongly recommend having a professional security assessment performed at least once a year, if not quarterly. Even if you are performing your own assessment and QA work, it never hurts to have an unbiased and different set of eyes to look at the security posture of your organization and your applications. Plus, if you’re a small company or just getting started, it would likely be a pretty inexpensive way to get some valuable piece of mind.