Abhay Bhargav (India) - A Direct Route to Improved Web Security in India

Abhay Bhargav, CTO of We45 Solutions, looks at the state of web security in India. He looks at how web designers can work towards more effective website security.

The eCommerce revolution has slowly started spreading its reach in India. The SMB sector in the country, largely consisting of brick-and-mortar businesses providing goods and services to their city, town, district or state, has now started thinking of more digital ways to spread its wings. These businesses are looking to establish an online presence with a website. They are spending aggressively on SEO to ensure that their web presence is bolstered with a requisite number of hits and visits to their site, thereby increasing the potential for their business across geographies, sometimes to global proportions.

A growing trend in this segment is the number of small businesses that have begun to look at eCommerce as an increased business opportunity. This has sent the owner of an average small business flocking to an entity popularly referred to as a ‘web design company’. This is a company that specializes in setting up sites, small web applications and eCommerce applications for its clients and putting them well on their way to fortune on the information superhighway.

In fact, some of these companies have grown beyond the typical ‘Web Design’ tag and have aggressively positioned themselves as eCommerce solution providers for small businesses, having strategic alliances with logistics companies (for delivery of goods in the eCommerce site) and payment gateways (to facilitate the processing of card payments). This is all fine and dandy, but in the race for convenience and functionality, security is usually on the chopping block.

2011 has been a year for hacking. Apart from the large, high-profile hacks of the PlayStation Network and HBGary Federal and the several attacks perpetrated by Anonymous and LulzSec, there has been a quiet and unnoticed rise in the amount of attack activity experienced by smaller websites and eCommerce portals. Over 500 websites and web applications of private companies, universities, government companies, and not-for-profit companies in India have been consistently hacked and defaced by multiple attackers throughout this year. These are only the reported incidents.

I have worked with web design companies and web developers that work on smaller eCommerce sites and web applications and found that their knowledge of web application security is very poor, bordering on nil. They are not aware of secure coding practices, configuration practices and so on, even at a basic level, to protect their applications against attacks and defacements.

This is a very dangerous trend because most of these websites are hosted in a virtual hosting environment, i.e. thousands of these websites sit on a single server, each in its own ‘virtual partition’. Compromising one website or web application could therefore result in the compromise of the entire server, which houses thousands of websites. Recently a hosting company, InMotion Hosting, was hacked, and 700,000 websites hosted with it were hacked by a Bangladeshi attacker called Tiger M@TE.

Web design companies with a vision for the future should be proactive about web security. They need to engage the services of web security experts to secure their customers' sites and ensure that they are not vulnerable to multiple web security attacks. A viable model for a web design company would be to price security into its web design contract with the customer, and to ensure that security is integrated into its web development and deployment process.

Our company has worked with multiple web design companies developing small web applications and eCommerce sites to perform rudimentary web security tests and checks before sites are hosted online. This provides a great deal of assurance to the customers of the web design company and goes a long way in promulgating better web security in India.

By Abhay Bhargav, CTO of information security company We45 Solutions India Pvt. Ltd. You can contact Abhay at abhay@we45.com.