Is Your Website Safe?

June 20, 2008

Well, is it? It seems like a simple question. But as I said in a presentation about web security last week, when it comes to this question, far too many IT professionals are reduced to shrugging their shoulders, turning to their clients or bosses and nodding their heads. “Sure, it’s safe.

“We’ve got a firewall. We’ve got virus scanners. Our spyware zaps anything that looks remotely suspicious. Oh, yeah, it’s safe. You wouldn’t believe how safe it is…”

If that’s true, then how come we see headlines like “Major Security Sites Hit By Cross-Site Scripting Bugs” (Computerworld)? Or “Hackers Target the Financial Gazette Website” (AllAfrica.com)? How about “Hacker Tries to Set Off Epileptic Seizures in Web Users” (Citynews.ca)?

We see stories like this virtually every day. So is it really safe?

As the video below demonstrates, hackers can be awfully persistent and will try a range of techniques to get what they want. Only the toughest proactive defence can keep them at bay.

http://youtube.com/watch?v=YzfTzge8Tjc

When I speak to audiences like the one last week, I like to remind them that firewalls and other well-known security measures are useless against web-based attacks at the application level. But that's where 75 per cent of the attacks occur. Hackers love this target-rich environment of insecure websites that allow them to exploit the information of every user who visits the site.

Some web developers will throw up their hands and wonder aloud why it’s their problem if their clients get hacked through their websites. After all, so long as hackers aren’t actually preventing e-commerce transactions to the company or trashing the company website, why should they care?

Aside from wanting to comply with security regulations, organizations have a real incentive to protect their website users from being hacked: earning the trust of their users.

To demonstrate, let's look at this issue from a simpler perspective. Imagine two grocery stores right next to each other. In one, they’ve taken measures to protect your safety and security so that the place doesn’t burn down while you’re shopping. The perishables are refrigerated at the right temperature, and you won’t have to deal with shady criminal types at the cash register. You definitely won’t have to worry that when you check out, your credit card information will end up in the hands of thieves.

In the other grocery store, the store manager decided to cut corners and didn’t install any measures to protect his product or customers.

Where would you go to pick up your groceries? Now imagine that there are thirty grocery stores in the city, but again, only one grocery store is known for at least trying to look out for its customers’ safety. This corresponds roughly with the fact that around one in thirty websites is protected from cross-site scripting (XSS) hacks (Data Protection).

Worldwide, there may be around 70 million websites that aren't safe. These sites could have implemented the security solutions that would check for vulnerabilities on an ongoing basis and provide suggestions for a fix.

And if website developers implemented these security solutions as a standard procedure during development, before websites even went live, every organization and user on the Internet would benefit. Organizations that use web security applications to protect the clients who use their websites are ultimately protecting themselves.

Getting back to the original question – “Is it safe?” – the clear answer is “Yes, it can be safe.”

Sticking your head in the sand and hoping that your website is the lucky one in 30 that is safe, or that it won't get discovered by hackers, is a gamble with the odds stacked against you.

So, what have you done to make your website safe?

Vaclav Vincalek

Posted June 20, 2008
Categories: Security

© 2006-2007 Backbone Magazine. All Rights Reserved.