Security Concerns Regarding
Quality Web Design
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted: April 20, 2014
Table of Contents
Executive Summary
Company Overview
Security Vulnerabilities
Threats Through Using VPN Tunnels
SQL Injections
Recommended Solutions
Threats Through Using VPN Tunnels
SQL Injections
Impact on Business Processes
Quality Web Design (QWD) is a web development organization that creates client-side web applications that distribute web content to users in order to improve an existing web site. They have a basic ...
The other side of the equation is raising awareness of the fact that terminals, phones and other mobile devices that are left logged in and unsupervised are the number one way that people gain access to resources. As a newsletter put out by Dell states, “VPNs will likely continue to be the weakest link in an organization's security infrastructure for some time to come.” (Drew, 2004)
The second threat lies in the potential for SQL injections into their web application. With any type of site that is hosted and connected to a database, there is a threat of extra text being dropped into text boxes, debilitating the entire database.
SQL injections work by a user of the software entering a terminating string in a text box and then running their own query after it. This can be done to obtain usernames and passwords as well as to drop tables altogether.
The recommended solution for securing a VPN tunnel is to use only company-granted equipment to access the VPN. The current model lets employees log in from their own workstations and phones, leaving them vulnerable. By limiting the type of machine as well as the software on the machine itself, we can eliminate the possibility of an attack from a virus or malware.
The second solution is to add to the policy a limitation under which users are not allowed to access the network from public Wi-Fi access points. This will eliminate some of the risk of leaving the connection open, as well as the risk of other people browsing into company resources.
When it comes to blocking SQL injections, we are going to have to add two parameters to the software. The first involves adding some check parameters in the code before a query is run. This is done at the variable level to check for key signatures of SQL.
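The pre-query check described above, as an added example that is not part of the original paper: it uses Python's sqlite3 with a constructed in-memory table, and the function names, the signature pattern and the sample rows are all assumptions. It also binds the value as a query parameter, a standard defense that this excerpt does not itself describe.

```python
import re
import sqlite3

# Signatures the pre-query check looks for (pattern is an assumption, not from the paper).
SQL_SIGNATURE = re.compile(
    r"['\";]|--|/\*|\b(?:union|select|insert|update|delete|drop)\b", re.IGNORECASE)

def make_db():
    """Constructed sample data: an in-memory table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def lookup_concatenated(db, name):
    """Weak form: the text-box value is pasted straight into the SQL string."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def has_sql_signature(value):
    """Variable-level check run before any query is built."""
    return SQL_SIGNATURE.search(value) is not None

def lookup_parameterized(db, name):
    """The value is bound as data, so a quote cannot terminate the string literal."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def lookup_checked(db, name):
    """Hardened form: reject suspicious input, then still bind the parameter."""
    if has_sql_signature(name):
        raise ValueError("input rejected: contains SQL signature")
    return lookup_parameterized(db, name)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"                   # constructed text-box input
    print(lookup_concatenated(db, crafted))    # every row comes back
    print(lookup_parameterized(db, crafted))   # no row has that literal name
    print(lookup_checked(db, "alice"))
    try:
        lookup_checked(db, crafted)
    except ValueError as exc:
        print(exc)
```

The signature check also rejects harmless values such as O'Brien, so it works as a complement to parameter binding rather than a replacement for it.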
As for the impact of these changes on the business model, it would be minimal. We could see blowback from users who want to use their own PCs, but as with any change, it would just take time to get used to it. The software changes only have to be made once, and then the software is secured.
In regard to actual monetary budget considerations, the changes require no extra money. The software work should be done by the developers already being paid, and the machine changes could be made as needed throughout machine upgrades.
By securing their software and the access others have to their network, QWD stands the chance of bettering their foothold in the software world. SQL injections are easy to prevent with minor code tweaks, and VPN breaches are controlled by disallowing unauthorized machines. These simple changes can be made quickly and inexpensively.
Solutions – SQL Injections
In this section I will explore the solutions involved in preventing a SQL injection attack. We need to identify exactly what someone would look for before carrying out such an attack before we can prevent the inevitable attack.