Why Do I Need Web Security?

As more and more companies go online, so too do criminals looking to take advantage of them. In web security the key is making sure that your site is secure and that private user information is kept secret and safe.

All web apps have the following general layout: a client-facing application that runs in a web browser and server-side components with which this application communicates. Web applications may allow communication between clients using peer-to-peer technology.

Under normal circumstances all clients will access the web app via a browser and will use its features as expected. However, not all clients are good; bad actors will try to exploit weaknesses in each component of the application in order to do something unexpected.

Once a bad actor obtains a foothold in a system there is often very little that they cannot then do. Even a very small security hole can often be leveraged into a slightly larger one, and the process repeated (escalating privileges and moving from one component to the next) until the entire system is compromised. What the bad actor then does is up to them, but it could involve destruction of data, deploying ransomware, using the system’s servers for the bad actor’s own gain or stealing confidential user information.

In the early days of the Web, web sites were very simple. Since then though, the web has grown massively in both functionality and complexity. While this growth has given us the modern web apps that we know and love today, it also comes with an ever increasing attack surface. Web security is therefore vital to ensure that a web application functions correctly and cannot be attacked by bad actors.

How Can We Help?

Website security is integral to any site now, especially when it comes to complying with data rules and regulations. Keeping your users’ data safe and secure along with your site is vital to maintaining trust with your users.

We dive into both the front-end and the back-end of your website, looking for any vulnerabilities and weaknesses that could be exploited to gain access to your website, or worse.

Once we have found a weakness we will need to test it; using a controlled environment we will attack the website and attempt to exploit the vulnerability. If we can do it then so can criminals.

Once a vulnerability is found and tested we will start work on finding ways to fix the problem. Using the information we gained from the attack stage we should be able to resolve the issue and patch up the vulnerability.

Once the identified vulnerabilities have been resolved, we write up a thorough, easy-to-understand report covering every flaw found, the work done and the fix applied for each.

Our Lead Programmer Simon Pugnet developed a tool to assist him as he scoured websites for vulnerabilities. This tool will investigate a given base URL and flag every potentially dangerous item. It will also log information as to what the danger may be.

ZAP (the Zed Attack Proxy) is a widely used open source web app scanner. It is a trusted and well-documented tool for scanning, assessing and testing a system for vulnerabilities.

Generic security scanning software can only go so far; investigating potential avenues of attack often requires building custom tools. We use Python extensively for these, alongside other common open source projects such as cURL.
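To make the custom-tooling idea above concrete (a tool that takes a base URL, flags potentially dangerous items and logs why each is a danger), here is an added example in Python. It is not Square Flame’s tool and not part of the original page; the host example.test, the sample response and every detection rule are assumptions for illustration, and the rules are deliberately simple heuristics (a POST form with no hidden field, for instance, is only a hint of missing CSRF protection, not proof).

```python
"""Added example: a small passive web-security check in the spirit of the custom
Python tooling described above. Not Square Flame's tool. Given a base URL it fetches
one page and flags weak security headers, insecure cookies, mixed content and risky
form markup, recording why each item is dangerous. All rules are heuristics."""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Response headers a modern site should send, with the risk their absence creates.
EXPECTED_HEADERS = {
    "strict-transport-security": "browsers can be downgraded to plain HTTP",
    "content-security-policy": "injected script runs unrestricted (XSS impact)",
    "x-content-type-options": "MIME sniffing may turn uploads into executable script",
    "x-frame-options": "page can be framed by another site (clickjacking)",
}


class FormCollector(HTMLParser):
    """Record each <form>: action, method, whether it has a password field and
    the names of its hidden inputs (used as a rough proxy for an anti-CSRF token)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "password": False, "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._current["password"] = True
            elif kind == "hidden":
                self._current["hidden"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_response(url, headers, body, cookies=()):
    """Return a severity-sorted list of (severity, message) for one response.
    headers: {name: value} in any case; cookies: raw Set-Cookie header values."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if urlparse(url).scheme != "https":
        findings.append(("high", f"{url} is served over plain HTTP"))
    for name, risk in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(("medium", f"missing {name}: {risk}"))
    if re.search(r"\d", h.get("server", "")):
        findings.append(("low", f"Server header leaks a version: {h['server']}"))
    for raw in cookies:  # e.g. "sessionid=abc; Path=/; Secure; HttpOnly"
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(("medium", f"cookie {name} lacks the {flag} flag"))
    if urlparse(url).scheme == "https" and re.search(r'src=["\']http://', body, re.I):
        findings.append(("medium", "mixed content: script or resource loaded over http://"))
    parser = FormCollector()
    parser.feed(body)
    for form in parser.forms:
        target = urljoin(url, form["action"])
        if urlparse(target).scheme == "http":
            findings.append(("high", f"form submits to {target} over plain HTTP"))
        if form["password"] and form["method"] != "post":
            findings.append(("high", f"credentials sent via GET to {target} (leak in URL and logs)"))
        if form["method"] == "post" and not form["hidden"]:
            findings.append(("medium", f"POST form to {target} has no hidden token field: possible CSRF"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


def scan(base_url):
    """Fetch base_url (redirects are followed) and analyse the final response."""
    req = urllib.request.Request(base_url, headers={"User-Agent": "mini-audit-example/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
        return analyse_response(resp.geturl(), dict(resp.headers.items()),
                                body, resp.headers.get_all("Set-Cookie") or [])


# Constructed sample response for a hypothetical host (example.test), so the
# check can be run offline without touching any real site.
SAMPLE_URL = "https://example.test/login"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache/2.4.29"}
SAMPLE_COOKIES = ["sessionid=abc123; Path=/"]
SAMPLE_BODY = """<html><body>
<script src="http://cdn.example.test/app.js"></script>
<form action="http://example.test/login" method="get">
  <input name="user"><input type="password" name="pass"><button>Log in</button>
</form>
<form action="/comment" method="post"><textarea name="c"></textarea></form>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])  # only run this against sites you are authorised to test
    else:
        results = analyse_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_COOKIES)
    for severity, message in results:
        print(f"[{severity.upper():6}] {message}")
```

Run it with no arguments to see the findings for the constructed sample (two high, eight medium, one low), or pass a base URL of a site you are authorised to test. The check is passive: it sends a single GET and never submits forms, which keeps it on the safe side of the permission point made in the FAQ below.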

The Tools We Use

The most important tool in our arsenal is the experience we have building and maintaining web applications. There’s no better way of identifying possible attack vectors than by having extremely detailed knowledge of the inner workings of a system.

There are also general security issues that are so common that software exists that can scan for them.

Why Square Flame?

Since our company began we have worked heavily in web development, which naturally means we have had to learn a wide variety of skills. As the years went by and web technology was thrust into the spotlight, an arms race began. We keep our skills sharp every year to make sure that potential security threats are neutralised.

Tell Us About Your Project

We can start by giving your web application a thorough audit, or if you already have a list of known vulnerabilities we can work with you to resolve them.

What our Clients Say

The guys at Square Flame are everything that you could want from a digital agency. They have helped me out of a tight spot on many occasions. Friendly, professional and ridiculously competent! Keep up the good work guys!

Martin Hyland, Immerse Medical

FAQ

Firstly, we will always ask for permission before conducting an audit. To an administrator, an audit looks identical to a real attack, so the last thing we want is to trigger alarm bells unnecessarily!

There are three types of testing that can be done: –

  • Black-box testing: this type of testing is restricted to the actual functionality provided by the service. The testing will assume no prior knowledge of the inner working of the system and will most closely resemble the type of testing that would be done by a real attacker.
  • White-box testing: this is the opposite of black-box testing; access to the system and its source code is provided and testing is done with that knowledge. The advantage is that vulnerabilities in the system’s code and structure can be identified more easily, including ones that may have been missed during a black-box test.
  • Grey-box testing: this is a combination of the above two and is the approach we recommend. When performing a grey-box test we usually split the testing into two phases: the first being a black-box test as if we were an attacker and the second being an audit of the system source code and structure.

Once the initial audit has been completed we will provide a full PDF report. This report will contain: –

  • Initial reconnaissance information;
  • A list of vulnerabilities that were found, scored with severity;
  • For each vulnerability, a recommendation as to how to fix it; and
  • A conclusion summarising the potential damage that could be caused from a successful attack.

Each vulnerability, where appropriate, will also include steps to reproduce it.

The next recommended step is for us to fix all identified vulnerabilities, ordered by severity. We can either do this ourselves if given access to the system and source code, or we can work with your existing developers. Of course the security audit will include enough information to allow any developers to fix the issues, so there’s no need to use our follow-up services if you don’t want to!

Once the vulnerabilities have been addressed then we recommend a follow-up audit. This will firstly ensure that the existing vulnerabilities have been fixed and will continue testing for any new vulnerabilities that may have been introduced.

In order to ensure your service is as secure as possible we also recommend additional audits, especially if extra development has taken place.


Get In Touch

Thank you for your interest in our business. If you have any questions about our services, a project you’d like us to help with, or if you just want to say hello, please don’t hesitate to get in touch. We look forward to hearing from you!